Signed commits allow others to trust that changes you’ve made really are made by you.

To acheive this using GPG you will need an existing key, or to generate a new one, and to configure your GitHub account with your new key. Its also a massive life saver to auto-sign commits, as typing passwords every 10 minutes isn’t much fun!

Install GPG and GPG Agent packages

On OSX, gpg and gpg-agent can be installed using Homebrew:

brew install gpg gpg-agent

Generate a GPG key

To generate a new key, enter the following gpg command into a terminal, along with your real name, email and passphrase when prompted. (NB: Use a unique password here and not one associated with any other account, as this passphrase will be stored later within your .bashrc file)

gpg --default-new-key-algo rsa4096 --gen-key

Adding the GPG key to your GitHub account

Following instructions on the following link, will guide to you on how to export your public key for use with your github account.

https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/

Updating .bashrc to preset your passphrase

In order to benefit from auto-signed commits without a passphrase prompt, we’ll need to preset our passphrase with the gpg-agent which caches it for later use and allowing github commits to function seamlessly.

The following code to be pasted into your ~/.bashrc file, will set your git config with a signing key, remove any existing gpg-agent processes and then finally start a new gpg-agent with your passphrase preset:

# github auto-signed commits
export GPG_SIGNING_KEY=<ADD_GPG_SIGNING_KEY_HERE>
export GPG_PASSPHRASE=<ADD_GPG_PASSPHRASE_HERE>
export GPG_PRESET=<ADD_GPG_PRESET_HERE>
export GNUPGPATH=/usr/local/Cellar/gnupg/2.2.9/libexec
export PATH="$PATH:$GNUPGPATH"
export GPG_TTY=$(tty)

git config --global user.signingkey $GPG_SIGNING_KEY
git config --global commit.gpgsign true
pkill gpg-agent
eval $(gpg-agent --daemon --allow-preset-passphrase --default-cache-ttl 1 --max-cache-ttl 31536000)
gpg-preset-passphrase -P "$GPG_PASSPHRASE" --preset $GPG_PRESET

Replacing GPG_PASSPHRASE

Replace <ADD_GPG_PASSPHRASE_HERE> in the .bashrc file with your unique passphrase.

Replacing GPG_SIGNING_KEY and GPG_PRESET

In a terminal, enter:

gpg --fingerprint --list-secret-keys --with-keygrip --keyid-format LONG

output:

We can find the signing key after rsa4096/ (e.g 92E95393EDB7921F above), and use this value to replace <ADD_GPG_SIGNING_KEY_HERE> in the .bashrc file.

Also the Keygrip value (e.g 8797FD2EAABD7314AEEB0D71F46B22619508E672) can be found above the key created using your name/email, and it should replace <ADD_GPG_PRESET_HERE> in the .bashrc file.

Finally

Save your .bashrc file and close/reopen your bash terminal, and navigate to a repository and commit changes with the -S flag.

git commit -S -am "Testing GH signed commit"

..and your commits should now be auto-signed, and trusted!