Greg Rickaby

Engineering Leader / Full Stack Developer


Enable verified commits on GitHub

Learn how to display a 'verified badge' next to your commits on GitHub.

When you work locally on your computer, Git allows you to set the author of your changes and the identity of the committer. This, potentially, makes it difficult for other people to be confident that commits and tags you create were actually created by you.


Using GPG or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can be confident that the changes come from a trusted source. To quote

GnuPG (more commonly known as GPG) is an implementation of a standard known as PGP (Pretty Good Privacy). It uses a system of "public" and "private" keys for the encryption and signing of messages or data.

How to enable verified commits on GitHub

There are two tools available to help generate a GPG key pair:

  1. GUI based GPG Tools
  2. GPG CLI

Once you have one of those tools installed (or both) you can generate a key pair.

In the instructions below I will show both CLI and GUI options.

Create a new key, choosing RSA with a 4096-bit key size when prompted:


gpg --full-generate-key

GUI - GPG Tools


Be sure to use the same email you use for GitHub (which must be verified!)

Retrieve your GPG Key ID:


gpg --list-secret-keys --keyid-format=long

This command will show you something similar to this:

$ gpg --list-secret-keys --keyid-format=long
sec   4096R/3AA5C34371567BD2 2021-06-08 [expires: 2025-06-08]
uid                          Greg Rickaby
ssb   4096R/42B317FD4BA89E7A 2021-06-08

GUI - GPG Tools

Right-click on the columns bar, and select "Key ID" from the dropdown menu. The Key ID will now be shown as a column.


Configure your local Git

Tell Git about your signing key with the command below. Swap out the ID with the one generated above.


git config --global user.signingkey 3AA5C34371567BD2
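The CLI steps above, scripted for a single repository, as an added example that is not part of the original post. It also sets `commit.gpgsign`, which the post does not mention, so commits are signed without passing `-S`, and it checks the result locally with `git verify-commit`. The script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): pick a usable signing key,
# turn on commit signing for one repository, and verify HEAD locally.

# Print the long key ID of the first secret primary key that can sign and is
# not expired or revoked. Reads `gpg --list-secret-keys --with-colons` on stdin.
# Colon fields used: 1 = record type, 2 = validity, 5 = key ID, 12 = capabilities.
signing_key_id() {
  awk -F: '$1 == "sec" && $2 !~ /^[er]$/ && $12 ~ /[sS]/ { print $5; exit }'
}

# Configure the repository at $1 to sign every commit with key $2.
# The settings are repo-local, so other repositories are unaffected.
enable_signing() {
  git -C "$1" config user.signingkey "$2" &&
  git -C "$1" config commit.gpgsign true
}

# Succeeds only if HEAD of the repository at $1 carries a signature gpg accepts.
head_is_signed() {
  git -C "$1" verify-commit HEAD >/dev/null 2>&1
}

# Usage: sh sign-setup.sh /path/to/repo   (hypothetical script name)
if [ -n "${1:-}" ]; then
  key=$(gpg --list-secret-keys --with-colons | signing_key_id)
  [ -n "$key" ] || { echo "no usable signing key found" >&2; exit 1; }
  enable_signing "$1" "$key" || exit 1
  echo "signing with $key"
  if head_is_signed "$1"; then
    echo "HEAD: good signature"
  else
    echo "HEAD: unsigned or unverifiable"
  fi
fi
```

A commit that verifies locally can still show as unverified on GitHub if the key's email does not match a verified address on the account.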

GUI - Tower

Open Tower and go to Preferences > Git Config:


Configure GitHub

  1. Visit and look for "SSH & GPG Keys" in the sidebar
  2. Add the new GPG key to your GitHub account
  3. Enable Vigilant Mode on GitHub


Wrap Up

Nice! Your commits should now show up as "verified" on GitHub and you've taken an extra step toward a more secure Git workflow.


Greg is the Director of Engineering at WebDevStudios. He also moonlights at Dummies writing and editing books. Follow him on Twitter for lots of pictures of pepperoni pizza and tidbits about Next.js.