How to set up signed commits on Windows
Setting up signed commits is an essential step in ensuring the authenticity and integrity of your code contributions. By signing your commits, you provide a cryptographic assurance that the changes are genuinely from you, preventing unauthorized modifications.
When you push the signed commits on GitHub, you'll get a Verified badge with your commits.
In this guide, we'll walk through how to set up signed commits on a Windows environment, ensuring that your Git contributions are both secure and trusted.
Prerequisites
Install the software below on your machine.
Create a PGP key pair
First, decide which email address you want to use with the key. Head to GitHub > Settings > Emails. You can use your public email or the private noreply email GitHub provides; whichever you choose must be a verified email on your GitHub account, or the commits will not show as Verified.
Launch Kleopatra and click on New OpenPGP Key Pair...
Fill in your name and the email address you chose earlier. If you want to customize the key type or the expiry date, click on Advanced Settings.... Then, click OK.
A success dialog will appear; click OK to close it. Don't worry about the fingerprint for now. The newly created key will appear in Kleopatra's key list.
Add GPG Key to GitHub
Go to your GitHub account > Settings > SSH and GPG keys.
In the GPG keys section, click on New GPG key. It will ask for a title and key. For the Title field, you can put anything you would like. I usually put my computer name (to distinguish between other devices I own).
To fill in the Key field, you'll need the public key for the key you just created. Back in Kleopatra, double-click on the key, and click Export.
A dialog will appear; copy everything in the dialog and paste it into the Key field.
Click Add GPG Key.
Verify that the key is added.
Local Git setup
Open Terminal or Git Bash.
If you haven't set up your git user name and email yet, you can do it now.
git config --global user.name "myname"
git config --global user.email myemail@example.com
(Optional) If you have configured commit signing before, unset the previously set signing format.
git config --global --unset gpg.format
When you installed Gpg4win earlier, it also installed the gpg binaries on your system. Locate gpg.exe and copy its full path; it is usually installed at "C:\Program Files (x86)\GnuPG\bin\gpg.exe".
Then, tell git where the gpg program is:
git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"
Set the key ID of the generated key in git:
git config --global user.signingkey 3AA5C343XXXXXXXX
Replace the key ID with your own. You can find the key ID in Kleopatra or on GitHub.
(Optional) You can tell git to sign every commit automatically.
git config --global commit.gpgsign true
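Once the configuration is in place, the check a practitioner wants is that git is really signing with the key configured above and that gpg reports a good signature on the latest commit. The Git Bash script below is an added example and not part of the original guide; the key IDs, fingerprints and gpg output it is exercised with are constructed, and check_live_setup assumes git and gpg are reachable from Git Bash inside a repository that already has one signed commit.

```shell
# Added example, not from the original guide: sanity checks for a signed-commit setup.
# Key IDs, fingerprints and gpg output used with these functions are constructed.

# Reject key IDs that are not 8/16/40 hex characters, e.g. the placeholder
# "3AA5C343XXXXXXXX" from the guide copied verbatim into user.signingkey.
valid_key_id() {
  case "$1" in *[!0-9A-Fa-f]*) return 1 ;; esac
  n=${#1}
  [ "$n" -eq 8 ] || [ "$n" -eq 16 ] || [ "$n" -eq 40 ]
}

# Classify the gpg lines that `git log -1 --show-signature` prints: good, untrusted
# (valid signature, but the key is not in your web of trust), bad, or none.
signature_status() {
  case "$1" in
    *"BAD signature"*) echo bad ;;
    *"Good signature"*)
      case "$1" in
        *"not certified with a trusted signature"*) echo untrusted ;;
        *) echo good ;;
      esac ;;
    *) echo none ;;
  esac
}

# Extract the key gpg used ("gpg: using RSA key <id-or-fingerprint>") and confirm it
# ends with the configured key ID, so a commit signed by some other key in the keyring fails.
signing_key_used() {
  printf '%s\n' "$1" | sed -n 's/^gpg:.*using [A-Z0-9]* key \([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}
signed_with_key() {
  used=$(signing_key_used "$1")
  [ -n "$used" ] || return 1
  case "$used" in *"$2") return 0 ;; esac
  return 1
}

# Live check of the real configuration (needs git and gpg; call it manually from Git Bash).
check_live_setup() {
  key=$(git config --global --get user.signingkey) || { echo "user.signingkey not set"; return 1; }
  valid_key_id "$key" || { echo "user.signingkey '$key' is not a hex key ID"; return 1; }
  prog=$(git config --global --get gpg.program) || prog=gpg
  command -v "$prog" >/dev/null 2>&1 || [ -x "$prog" ] || { echo "gpg.program '$prog' not found"; return 1; }
  "$prog" --list-secret-keys "$key" >/dev/null 2>&1 || { echo "no secret key $key in the keyring"; return 1; }
  out=$(git log -1 --show-signature 2>&1)
  status=$(signature_status "$out")
  signed_with_key "$out" "$key" || { echo "HEAD signature is '$status' but not by key $key"; return 1; }
  echo "HEAD: $status signature by the configured key $key"
}
```

Run `check_live_setup` in Git Bash after your first signed commit; a result other than "good" means either the wrong key signed the commit or gpg could not verify it.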
That's it; that is how easy it is to set up signed commits. Ask me any questions you have. For more information, please consult the documentation.