THE IDIOT’S GUIDE TO VERIFIED COMMITS

GitHub wants your commits to be signed so it knows you really made them. To fix this, you need to:

Generate a GPG key
Tell GitHub about it
Tell Git to use it

Here’s exactly how:
🧩 STEP 1 — Install GPG
macOS:
brew install gnupg
🧩 STEP 2 — Make a GPG key
Run:
gpg --full-generate-key
When it asks:
Key type? → 1 (RSA and RSA)
Key size? → 4096
Expiration? → 0 (never)
Name/email? → use the same email as your GitHub account
Done.
🧩 STEP 3 — Get your key ID
Run:
gpg --list-secret-keys --keyid-format=long
Look for something like:
sec rsa4096/ABCDEF1234567890
Your key ID is the part after the slash — e.g.:
ABCDEF1234567890
🧩 STEP 4 — Export the key for GitHub
Run this, replacing ABCDEF1234567890 with your key ID:
gpg --armor --export ABCDEF1234567890
Copy the whole block that looks like:
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----
🧩 STEP 5 — Add it to GitHub
Go to: GitHub → Settings → SSH and GPG keys → New GPG key
Paste your exported key. Done. 🎉
🧩 STEP 6 — Tell Git to sign commits automatically
git config --global user.signingkey ABCDEF1234567890
git config --global commit.gpgsign true
(Use your own key ID from step 3 in place of ABCDEF1234567890.)
If you're on macOS you may also need:
git config --global gpg.program gpg
🧩 STEP 7 — Make a new commit
git commit -m "Test verified commit"
git push
Your commit on GitHub should now show a green “Verified” badge.
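
If the badge does not appear, the checks below can help. They are an added example, not part of the original guide: a small shell script that confirms the key ID from step 3 is the one Git is configured to use in step 6, and that the key carries the email you commit with. It assumes user.signingkey holds the long key ID as in this guide; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check the signing setup from steps 3 and 6.
# SAMPLE_LISTING is constructed; it is not output from any real key.

# Print the long key ID from each "sec" line of
# `gpg --list-secret-keys --keyid-format=long` output read on stdin.
secret_key_ids() {
    awk '$1 == "sec" { split($2, a, "/"); print a[2] }'
}

# Succeed if <EMAIL> appears on a "uid" line of the listing read on stdin.
uid_has_email() {
    awk -v want="<$1>" '$1 == "uid" && index($0, want) { found = 1 }
                        END { exit !found }'
}

# check_setup LISTING SIGNINGKEY GPGSIGN EMAIL
# Prints "ok", or the first problem found (and returns 1).
check_setup() {
    listing=$1 key=$2 gpgsign=$3 email=$4
    if [ -z "$key" ]; then echo "user.signingkey is not set"; return 1; fi
    if ! printf '%s\n' "$listing" | secret_key_ids | grep -qxF "$key"; then
        echo "no secret key $key in keyring"; return 1
    fi
    if [ "$gpgsign" != "true" ]; then
        echo "commit.gpgsign is not true"; return 1
    fi
    if ! printf '%s\n' "$listing" | uid_has_email "$email"; then
        echo "key has no uid for $email"; return 1
    fi
    echo "ok"
}

SAMPLE_LISTING='sec   rsa4096/ABCDEF1234567890 2024-01-01 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
uid                 [ultimate] Example User <user@example.com>
ssb   rsa4096/1122334455667788 2024-01-01 [E]'

# Live use (needs gpg and git installed):
# check_setup "$(gpg --list-secret-keys --keyid-format=long)" \
#     "$(git config --global user.signingkey)" \
#     "$(git config --global commit.gpgsign)" "$(git config user.email)"
```

The email check matters because GitHub only marks a commit Verified when the committer email matches an identity on the uploaded key, which is why step 2 asks for your GitHub email.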