Verified commits in Github

Have you noticed how some committers on GitHub have a ‘verified’ badge?

This isn’t because the person is special (sorry to burst my own bubble), but because they have signed their commits with a tool such as the GNU Privacy Guard (GPG).

Commit validation ensures the authenticity and integrity of code by verifying the identity of the author through GPG signatures, providing trust and security in collaborative projects.

There are good instructions for this on GitHub Docs, but in this post I’ll go into a bit more detail, covering both Windows and the Windows Subsystem for Linux (WSL2).

Prerequisite

You need to make sure you have verified your email in GitHub.

Install GPG4Win

As usual there’s a myriad of ways; pick one from the below that works for you:

  1. Follow the manual instructions on https://www.gpg4win.org/

-or-

  2. Use winget (requires local admin):

    winget install -e GnuPG.Gpg4win

-or-

  3. Use scoop (installs as current user, no admin required):

    # If you need to install scoop
    Set-ExecutionPolicy RemoteSigned -scope Process
    iex (new-object net.webclient).downloadstring('https://get.scoop.sh')
    # install gpg
    scoop install gpg

Create a public & private key pair

Run the following:

    gpg --full-generate-key

Follow the wizard; the defaults are pretty good choices!

At the end it should print out information about the key:

    pub   rsa3072 2025-04-04 [SC] [expires: 2026-04-04]
          3E517106DE8E3A3AAD88B2B0BF13E427F4176DCA
    uid                      Stu Mace <[email protected]>
    sub   rsa3072 2025-04-04 [E] [expires: 2026-04-04]

We’ll need the key ID (the long hexadecimal string starting 3E5171… in the example above). (PS: no, that’s not my real key.)

Extract the public key using gpg --armor --export <your_key>:

    > gpg --armor --export 3E517106DE8E3A3AAD88B2B0BF13E427F4176DCA

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    mQGNBGfwXDoBDACVdTZrIkD2G4td1kmn9TorLvVqXiTP98icMxJ3ngvIYW17A++Z
    <etc>
    Kz5sqK9uDz/dtVZwfddd1VkbxUqtA18z
    =VikM
    -----END PGP PUBLIC KEY BLOCK-----

Add the key to GitHub

Go to your GitHub Profile -> Settings

Find “SSH and GPG keys”, then “New GPG key”.

The title can be whatever you like; paste the public key obtained earlier, including the “BEGIN” and “END” lines.

You can optionally enable “Vigilant mode”; as the UI says:

This will include any commit attributed to your account but not signed with your GPG or S/MIME key. Note that this will include your existing unsigned commits.

Locate the path to gpg from WSL2

I recommend creating a symlink from WSL2 to your Windows installation of gpg.

You can also install gpg inside WSL, but I’ve found that doing so breaks the ability for VSCode to prompt for the signing passphrase.

First, we locate the path where GPG was installed.

If you used the website install, or winget, it will likely be here:

    C:\Program Files (x86)\GnuPG\bin\gpg.exe

If you used scoop, run scoop which gpg to find it; it will be something like:

    ~\scoop\apps\gpg\current\bin\gpg.exe

To access the Windows C drive from WSL you use the /mnt/c path, and you need to escape any special characters like spaces and brackets with a backslash.

Let’s take the above examples:

    # Program Files (x86) folder
    /mnt/c/Program\ Files\ \(x86\)/GnuPG/bin/gpg.exe
    # scoop install path
    /mnt/c/Users/<yourprofilename>/scoop/apps/gpg/current/bin/gpg.exe

I’d suggest using the ls command to check that you’ve specified the path correctly.

Create the symlink and test it:

    ~$ sudo ln -s /mnt/c/Users/stu/scoop/apps/gpg/current/bin/gpg.exe /usr/local/bin/gpg
    [sudo] password for stu:

    ~$ command -v gpg
    /usr/local/bin/gpg

    ~$ gpg --list-keys
    C:\Users\me\scoop\apps\gpg\2.4.7\home\pubring.kbx
    --------------------------------------------------
    pub   rsa3072 202x-xx-xx [SC] [expires: 202x-xx-xx]
          AE<REDACTED>60B6926
    uid           [ unknown] Stu Mace <[email protected]>
    sub   rsa3072 202x-xx-xx [E] [expires: 202x-xx-xx]

Configure Git to use GPG

Set your git config to use the signing key. If you’ve only got a single developer identity, a global setting is easiest:

    git config --global user.signingkey <key_id>

Optionally, sign all commits automatically:

    git config --global commit.gpgSign true

Test from Visual Studio Code

If all is well, when you commit in Code you’ll be prompted to enter your passphrase (which is then cached for the period defined in gpg-agent.conf).

In this example, I’m using VSCode from WSL2 - passphrase prompting works here too!

If you’re unsure whether this has worked, run git log --show-signature to check the local commit before pushing it to GitHub.

Look for “Good signature” and make sure the e-mail address matches the one on your GitHub profile.
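Checking one commit by eye with git log --show-signature is fine for your own machine, but before enabling branch protection that requires signed commits you usually want to audit a whole range. The script below is an added example, not code from the original post: it drives the real git CLI with a custom --format and interprets the %G? signature-status codes that git documents under PRETTY FORMATS in git help log (G good, B bad, U good but untrusted key, X/Y/R good but expired or revoked, E cannot check, N unsigned). The sample log at the bottom, the SHAs, the example.com addresses and the helper names are all constructed; the key id is the short id of the post’s own (fake) key.

```python
"""Audit a commit range for unsigned or badly signed commits.

Added example, not code from the original post. Wraps the real git CLI
(git log --format=...) and interprets git's documented %G? status codes.
"""
import subprocess
import sys
from dataclasses import dataclass

# %G? codes as documented by git under PRETTY FORMATS.
STATUS_DESCRIPTIONS = {
    "G": "good signature",
    "B": "BAD signature",
    "U": "good signature, key has unknown validity",
    "X": "good signature, but the signature has expired",
    "Y": "good signature, but the key has expired",
    "R": "good signature, but the key was revoked",
    "E": "cannot be checked (public key missing?)",
    "N": "no signature",
}
# Statuses this audit accepts. "U" is included because a key you imported but
# never marked as trusted still verifies; tighten to {"G"} if you maintain a
# trusted keyring of contributors.
ACCEPTABLE = {"G", "U"}

# One commit per line; fields split by the ASCII unit separator (0x1f), which
# cannot appear in a SHA, key id or e-mail address.
LOG_FORMAT = "%H%x1f%G?%x1f%GK%x1f%ae%x1f%s"


@dataclass
class CommitSig:
    sha: str
    status: str
    key_id: str
    author_email: str
    subject: str

    @property
    def ok(self) -> bool:
        return self.status in ACCEPTABLE

    def describe(self) -> str:
        label = STATUS_DESCRIPTIONS.get(self.status, f"unknown status {self.status!r}")
        return f"{self.sha[:12]} key={self.key_id or '-':<16} {self.author_email:<22} {label}"


def parse_log(text: str) -> list[CommitSig]:
    """Parse `git log --format=LOG_FORMAT` output into CommitSig records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\x1f")
        if len(parts) != 5:
            raise ValueError(f"unexpected log line: {line!r}")
        records.append(CommitSig(*parts))
    return records


def audit(text: str) -> tuple[list[CommitSig], list[CommitSig]]:
    """Split the parsed commits into (accepted, rejected) lists."""
    commits = parse_log(text)
    return [c for c in commits if c.ok], [c for c in commits if not c.ok]


def git_log(rev_range: str, repo: str = ".") -> str:
    """Run git log over rev_range (e.g. 'origin/main..HEAD') inside repo."""
    result = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed sample in the exact shape git emits for LOG_FORMAT: fake SHAs,
# example.com addresses, and the short id of the post's fake key.
SAMPLE_LOG = "\n".join(
    "\x1f".join(fields)
    for fields in [
        ("a" * 40, "G", "BF13E427F4176DCA", "stu@example.com", "Add signing docs"),
        ("b" * 40, "N", "", "bob@example.com", "Quick fix from a CI box"),
        ("c" * 40, "E", "0123456789ABCDEF", "carol@example.com", "Bump dependencies"),
        ("d" * 40, "B", "BF13E427F4176DCA", "stu@example.com", "Content changed after signing"),
    ]
)


def main(argv: list[str]) -> int:
    # With --sample, audit the constructed log; otherwise run git on a real range.
    if argv[1:] == ["--sample"]:
        text = SAMPLE_LOG
    else:
        text = git_log(argv[1] if len(argv) > 1 else "origin/main..HEAD")
    accepted, rejected = audit(text)
    for c in accepted:
        print("OK  ", c.describe())
    for c in rejected:
        print("FAIL", c.describe())
    print(f"{len(accepted)} accepted, {len(rejected)} rejected")
    return 1 if rejected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python audit_signatures.py origin/main..HEAD from inside a checkout (or with --sample to see the constructed case). A non-zero exit when anything is rejected makes it easy to drop into a pre-push hook or a CI job, which catches the unsigned commit from a stray machine before GitHub does. Note that "E" means your local keyring lacks the signer’s public key, not that the signature is bad; import the contributor’s key and rerun before treating it as a failure.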

Call to action

We all love a bit of validation, right 😆?

Now, you can be verified on GitHub and look like a DevOps rockstar.

Why not set up commit signing today?

As a bonus, you’ll then be set up when you come across a repo where branch protection requires signed commits!

This post is licensed under CC BY 4.0 by the author.