As a developer, ensuring the security and authenticity of your code is crucial. One way to do this is by using SSH signing keys to sign your GitHub commits. This process adds an extra layer of security to your commits, making it easy to verify that the code originates from you and hasn't been tampered with. In this article, we'll walk you through the process of configuring SSH signing keys on GitHub for commit signing.
Before we can configure SSH signing keys on GitHub, we need to generate a new SSH key pair. You can do this using the ssh-keygen command on your local machine. Open your terminal and run the following command:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
This will generate a new SSH key pair with a 4096-bit RSA key and your email address as a comment.
Once you've generated your SSH key pair, you need to add your public key to your GitHub account. To do this, log in to your GitHub account and navigate to your account settings. From there, click on the "SSH and GPG keys" tab and click on the "New SSH key" button.
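Enter a title for your key (e.g., "My SSH signing key"), set the "Key type" to "Signing Key", and paste your public key into the "Key" field. Finally, click on the "Add SSH key" button to save your key. GitHub only uses keys registered as signing keys when it verifies commits.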
Now that your SSH key is added to your GitHub account, you need to configure Git to use it for signing commits. To do this, open your terminal and run the following commands:
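git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_rsa.pub
git config --global commit.gpgsign true
Replace ~/.ssh/id_rsa.pub with the path to your public key if you saved it somewhere else (you can confirm which key a file holds by printing its fingerprint with ssh-keygen -lf ~/.ssh/id_rsa.pub). The first command tells Git to create SSH signatures instead of its default GPG signatures, the second selects the key to sign with, and the third makes Git sign every commit automatically. Despite its name, commit.gpgsign applies to SSH signing as well. SSH signing requires Git 2.34 or later.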
You're now ready to start signing your GitHub commits! To sign a commit, simply add the -S flag to your git commit command:
git commit -S -m "Your commit message here"
This will sign your commit using your SSH key.
By configuring SSH signing keys on GitHub, you can add an extra layer of security to your commits and ensure that your code is authentic and trustworthy. Following these steps, you can easily generate a new SSH key, add it to your GitHub account, and configure Git to use it for signing commits. Now you're ready to start signing your commits and protecting your code!