Member-only story

How to Make Verified GitHub Commits

Marco Massenzio
2 min readDec 25, 2021
Keys, keys… keys everywhere!

GitHub has a set of detailed instructions; however, if you know your way around a Linux shell and have a basic understanding of how keys work, this is a condensed TL;DR version.

Also, with minimal effort it could be automated in a shell script (even uploading the key to GitHub via API).

Here is the sequence of commands, along with the relevant output:

gpg --generate-keygpg --list-keys
pub rsa3072 2021-12-25 [SC] [expires: 2023-12-25]
A6D*******************************72EE84
uid [ultimate] Marco Massenzio <*@m****nz.io>
sub rsa3072 2021-12-25 [E] [expires: 2023-12-25]
GPG_KEY=A6D*******************************72EE84
gpg --keyserver keyserver.ubuntu.com \
--send-keys $GPG_KEY
gpg --list-signatures --keyid-format 0xshort
pub rsa3072/0x0B*****4 2021-12-25 [SC] [expires: 2023-12-25]
A6D*******************************72EE84
uid [ultimate] Marco Massenzio <*@m****nz.io>
sig 3 0x0B*****4 2021-12-25 Marco Massenzio <*@m****nz.io>
sub rsa3072/0x4******D 2021-12-25 [E] [expires: 2023-12-25]
sig 0x0B*****4 2021-12-25 Marco Massenzio <*@m****nz.io>
GPG_ID="0x0B*****4"
gpg --armor --export $GPG_ID

Create an account to read the full story.

The author made this story available to Medium members only.
If you’re new to Medium, create a new account to read this story on us.

Or, continue in mobile web

Already have an account? Sign in

No responses yet

Write a response