Signed and Verified commits with GitHub desktop
Web commits, the commits you perform using GitHub website, are automatically verified, but the ones you do from GitHub desktop need to be manually signed.
Download gpg4win from their official website
Begin the installation, choose to only install GnuPG and Kleopatra, don't need any other component.
After installation, open Kleopatra and create a new GPG key pair by selecting "New Key Pair"
Enter your real name and the email address that is added as one your verified email addresses in your GitHub account settings.
Select advanced settings and here you can optionally check the box next to "Authentication" and also increase the validity period of your GPG key.
Choosing a passphrase is not mandatory.
Export the public key by right-clicking on the GPG key and selecting Export. Open the exported file in Notepad or VS code, copy its content and paste it in your GitHub profile's GPG key section so it can be added as a new GPG key to your GitHub account.
Assuming GitHub desktop is installed and logged in on your system, open the .gitconfig file, usually located in User's folder, and add the following items to it.
Add this section to the end of the file
[commit]
gpgsign = true
And then add this to the [user] section
signingkey = YourGPGSigningkeyID
Replace YourGPGSigningkeyID with your actual GPG key ID. You can get it from Kleopatra GUI in Key-ID column (enter them without spaces in the .gitconfig file) or you can get it from your GPG keys section in GitHub account settings, Key ID will be visible for you after adding your GPG public key.
You can set the validity period of your GPG certificate to unlimited, set/change/remove its passphrase and other modifications. You can publish it on the GPG server too so others can look it up and verify it.
Make sure you backup your secret key using Kleopatra and store it in a safe place, you can import it again on another machine to continue signing your GitHub commits. Public key doesn't need to be backed up as you can regenerate it again by importing the secret GPG key on a different machine.
Now every time you commit using GitHub desktop, your commits will be signed. If your GPG key has a passphrase, you will be asked to enter it before committing and pushing in GitHub desktop, otherwise signing will happen automatically. Your repository commit history on GitHub website will show verified badge next to them.
- Install GitHub desktop and log in with your GitHub account
- Configure the .gitconfig file as explained above
- install gpg4win as explained above
- Open Kleopatra GUI and use the Import button to import your GPG secret key backup to the program. You can also double-click on your GPG secret key backup file and add it to the program that way.
- Start committing and pushing changes to your repository using GitHub desktop app, your commits will have a verified badge on GitHub website commit history.
Telling Git about your signing key
Run this command to create a new SSH key pair, using the provided email as a label. It should be one of the emails added to your account as a verified emails.
ssh-keygen -t ed25519 -C "[email protected]"Replace [email protected] with your own email address
When asked, enter a file name, don't need to specify a file extension (such as .txt). 2 files will be created in User folder. The one with .pub extension contains your public key, the other one contains your private keys. Both of them must be backed up and stored in a safe place.
Set a passphrase when asked, not mandatory so you can just press enter when asked for a passphrase.
Set-Service -Name ssh-agent -StartupType Automatic
Set-Service -Name ssh-agent -Status RunningFirst make sure you've moved the generated SSH key pair from the default User folder location and stored them somewhere else, can be OneDrive's personal vault, and then run the following command to add the private key of your SSH key pair to the SSH agent.
ssh-add "Path/To/SSH/Privatekey"If you set a passphrase for your private key from previous steps then you'll be asked to enter it, otherwise you will see the successful message saying "Identity added".
Open the file containing your SSH public key, which has a .pub extension, using a text editor such as Notepad or VS code, copy its content and paste it in your GitHub account settings and save.
Add these new sections to the end of your .gitconfig file. It's usually located in User folder C:\Users\YourUserName
[gpg]
format = ssh
[commit]
gpgsign = true
and add this to the [user] section to define your SSH public key, it's a direct path to that file.
signingkey = "Path/To/SSH/SSHKey.pub"
You must replace all of the normal backward slashes \ to forward slash / in your path, otherwise GitHub desktop throws an error.
Now every time you commit using GitHub desktop, your commits will be signed. If your SSH key has a passphrase, you will be asked to enter it before committing and pushing in GitHub desktop, otherwise signing will happen automatically. Your repository commit history on GitHub website will show verified badge next to them.
- Install GitHub desktop and log in with your GitHub account
- Configure the .gitconfig file as explained above
- Turn on the
ssh-agentWindows service - Add your SSH private key to
ssh-agentusingssh-add "Path/To/SSH/Privatekey"command - Start committing and pushing changes to your repository, your commits will have a verified badge on GitHub website commit history.
Telling Git about your SSH key
Key-based authentication in OpenSSH for Windows
About commit signature verification
Adding a new SSH key to your GitHub account
Generating a new SSH key and adding it to the ssh-agent
-
New-WDACConfig
-
New-SupplementalWDACConfig
-
Remove-WDACConfig
-
Edit-WDACConfig
-
Edit-SignedWDACConfig
-
Deploy-SignedWDACConfig
-
Confirm-WDACConfig
-
New-DenyWDACConfig
-
Set-CommonWDACConfig
-
New-KernelModeWDACConfig
-
Get-CommonWDACConfig
-
Invoke-WDACSimulation
-
Remove-CommonWDACConfig
-
Assert-WDACConfigIntegrity
-
Build-WDACCertificate
-
Test-CiPolicy
-
Get-CiFileHashes
-
ConvertTo-WDACPolicy
-
Get-CIPolicySetting
-
Introduction
-
App Control for Lightly Managed Devices
-
App Control for Fully managed device - Variant 1
-
App Control for Fully managed device - Variant 2
-
App Control for Fully managed device - Variant 3
-
App Control for Fully managed device - Variant 4
-
App Control Notes
-
How to Create and Deploy a Signed App Control Policy
-
Fast and Automatic Microsoft Recommended Driver Block Rules updates
-
App Control policy for BYOVD Kernel mode only protection
-
EKUs in App Control for Business Policies
-
App Control Rule Levels Comparison and Guide
-
Script Enforcement and PowerShell Constrained Language Mode in App Control Policies
-
How to Use Microsoft Defender for Endpoint Advanced Hunting With App Control
-
App Control Frequently Asked Questions (FAQs)
-
Create Bootable USB flash drive with no 3rd party tools
-
Event Viewer
-
Group Policy
-
How to compact your OS and free up extra space
-
Hyper V
-
Overrides for Microsoft Security Baseline
-
Git GitHub Desktop and Mandatory ASLR
-
Signed and Verified commits with GitHub desktop
-
About TLS, DNS, Encryption and OPSEC concepts
-
Things to do when clean installing Windows
-
Comparison of security benchmarks
-
BitLocker, TPM and Pluton | What Are They and How Do They Work
-
How to Detect Changes in User and Local Machine Certificate Stores in Real Time Using PowerShell
-
Cloning Personal and Enterprise Repositories Using GitHub Desktop
-
Only a Small Portion of The Windows OS Security Apparatus
-
Clean Source principle, Azure and Privileged Access Workstations
-
How to Securely Connect to Azure VMs and Use RDP
-
Basic PowerShell tricks and notes
-
Basic PowerShell tricks and notes Part 2
-
Basic PowerShell tricks and notes Part 3
-
Basic PowerShell tricks and notes Part 4
-
Basic PowerShell tricks and notes Part 5
-
How To Access All Stream Outputs From Thread Jobs In PowerShell In Real Time
-
PowerShell Best Practices To Follow When Coding
-
How To Asynchronously Access All Stream Outputs From Background Jobs In PowerShell
-
Powershell Dynamic Parameters and How to Add Them to the Get‐Help Syntax
-
RunSpaces In PowerShell
-
How To Use Reflection And Prevent Using Internal & Private C# Methods in PowerShell
