GitHub: How to push verified commits on GitHub

Let me explain how to sign commits.

GitHub Docs: Managing commit signature verification

Item     Version
OS       macOS Sequoia 15.3.1
Git      2.49.0
OpenSSH  9.8p1

1. Overview

git config user.name "your_name"
git config user.email "your_email"

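As you know, you can freely change the author of Git commits with the two settings above. Signing your commits prevents this kind of author forgery, because a valid signature can only be produced with your signing key.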

2. Generate a new SSH key

# -t: key type, -C: comment, -f: output file, -N: passphrase ("" means no passphrase)
ssh-keygen -t ed25519 -C "Git Signing Key" -f ~/.ssh/id_ed25519_signing -N ""

ssh-keygen official docs

3. Verify the public key

cat ~/.ssh/id_ed25519_signing.pub

Copy the public key that the command prints (the part in the red box).

4. Add the SSH key to GitHub

Go to the ‘SSH and GPG keys’ menu and click New SSH key.

Select Signing Key as the key type and paste your SSH public key.

5. Configure Git on your local computer

git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519_signing.pub
git config --global commit.gpgsign true

Command              Description
gpg.format ssh       Use an SSH key instead of GPG for signing
user.signingkey      Path to the public key (must be the .pub file)
commit.gpgsign true  Automatically sign all commits (no need for the -S flag, cf. git commit -S -m "feat: my commit")

Of course, you can also apply the configuration to one specific repository only.

# Navigate to your repository
cd your-repository

# Configure Git to use SSH for signing
git config --local gpg.format ssh
git config --local user.signingkey ~/.ssh/id_ed25519_signing.pub
git config --local commit.gpgsign true

6. Done

Your commits will be signed and verified by the GitHub account where you registered the SSH key.

This post is licensed under CC BY 4.0 by the author.