Confirming GitHub commits signed by Codespaces

Posted on Tue 07 March 2023 in tech

Commit signature verification is a way of ensuring that the commits you make or receive are authentic and have not been tampered with. By signing your commits with a cryptographic key, you can prove that you are the author of the code and that no one else has modified it. GitHub can verify your commit signatures using GPG or S/MIME keys that you add to your account.

To check the verification status of your commits or tags on GitHub, you can navigate to your pull request or repository and look for a box next to your commit’s abbreviated hash. The box will show whether your commit signature is verified, partially verified, or unverified.

To sign your commits using GPG keys, you need to generate a new GPG key or use an existing one, add it to your GitHub account, tell Git about your signing key, and associate an email with your GPG key. To sign your commits using S/MIME keys, you need to obtain an X.509 key issued by a trusted certificate authority (CA), add it to your local machine’s keychain access utility.

If you sign your commits using GitHub codespaces. You will not be able to verify your commits unless you import the GitHub signing key using:

$ curl | gpg --import

Full Tutorial on YouTube: