
Signing GitHub commits

A short reference to guide you to sign your commits in GitHub.

Before starting, it is important to check which email address you are using for your commits.

git config --global --list

will show you the current user.email value.

Create a gpg key

gpg --full-gen-key

When asked, choose the default RSA, the maximum length of 4096 bits, and a non-expiring key.
For the key's user data, use the same email address you found in the previous step.

Export the existing keys

This is not required, but it is useful to be able to export the public and private keys you just created (keep the exported secret key somewhere safe, as it is as sensitive as the key itself).

gpg -a --export your@email.com > your-backup.pub.gpg
gpg -a --export-secret-keys your@email.com > your-backup.sec.gpg

Tell git about your keys, and use it

Get the ID of your new GPG key with:

gpg -K

Tell Git to use it and to sign every commit (replace XXXXXXX with your key ID):

git config --global user.signingkey XXXXXXX
git config --global commit.gpgsign true

This works for PyCharm/IntelliJ too!

Edit (or create) ~/.gnupg/gpg.conf (the file GnuPG reads at startup) and add:

no-tty
use-agent

Tell GitHub of your keys

Finally, tell GitHub about your new key (make sure the email address is also added to your GitHub account and verified).
Go to the keys page in your GitHub profile settings
and add the ASCII-armored public key as a "New GPG key":

gpg --export --armor your@email.com

--

That's it: the next time you commit, you will be prompted for the GPG passphrase, your commit will be signed, and GitHub will show it as "Verified".
Cool!