0:00
Hey everyone, welcome back to the
0:01
channel. In today's video, I'm going to
0:03
show you how to configure a GPG key for
0:06
your GitHub project so that all your
0:08
commits are verified, secure, and
0:10
trusted. If you have ever seen that
0:13
green verified badge next to a commit on
0:16
GitHub and wondered how to get it, this
0:19
video is exactly for you. So, let's get
0:21
started. Before we jump into the
0:23
commands, let me quickly explain what a
0:26
GPG key is and why it is important. A GPG
0:30
key allows you to digitally sign your
0:32
commits. This proves that you are the
0:35
real author. Nobody tampered with your
0:38
code. GitHub uses this key to verify
0:40
your identity and mark your commits as
0:45
It boosts your project's trust and is
0:48
especially important for open-source
0:50
contributors, teams working on enterprise
0:52
projects and developers who want to
0:54
secure commit history. Whatever the
0:57
commands I will use in this video
0:58
tutorial, I will share them in the
1:00
description of the video for your
1:04
All right, let's create the key. Now on
1:06
most Linux systems, GPG is already
1:08
installed. If not, then we have to
1:10
install the package. The package name
1:13
is gnupg. As we are using Ubuntu, we
1:17
will be using the apt command and the command
1:34
As you can see the package is already
1:36
installed. Next generate the GPG key.
1:39
There are two ways to do it. One is
1:41
interactive, another option is
1:43
non-interactive. Let's try the
1:45
interactive first. For that we can run
1:48
the command gpg space -
1:57
hyphen key. Hit enter.
2:06
Size for the key is 4096.
2:10
Type zero to set the expiry for the key
2:18
Type the real name. Let's say
2:24
Enter the email address. This will be
2:26
the same email address that you are
2:27
using on your GitHub account.
2:32
For comment, you can leave as blank and
2:35
hit enter. Type caps O.
2:40
Enter the passphrase for your key
2:50
Output confirms that the key has been
2:52
generated. In order to generate a GPG
2:55
key without a passphrase and
2:57
non-interactively, you can run this
3:02
All right. Next list the keys. Whatever
3:06
the GPG key you have generated for that
3:08
you can run this command.
3:18
All right. This is the key which we have
3:20
generated. This is the GPG key ID. We
3:24
will use it later to configure Git to
3:27
use this uh GPG key. Next, export the
3:30
public key using the GPG key ID. Run the
3:45
Copy this public key block.
3:52
Go to your GitHub account.
3:56
Under GitHub accounts, go to settings.
4:02
Under the SSH and GPG keys section.
4:06
Scroll down. You will get this GPG key
4:08
section here. Click on new GPG key.
4:13
Paste the public key content here.
4:21
Give the title for your GPG key.
4:31
This confirms that the GPG key has been
4:32
added successfully. Next, head back to
4:35
the terminal and configure Git to use
4:38
your GPG key. Using the git command, we
4:40
will tell Git which key to use.
4:50
Get the GPG key here. This is the one.
5:02
This command will instruct Git to use
5:05
the key whose ID is this one to sign the
5:16
This command will instruct git to always
5:21
use gpg sign key for all the commits.
5:26
Similarly, if you want to enable the GPG
5:30
signing key for your tags, copy this
5:35
run this one as well. Till this point,
5:39
our configuration setup is completed.
5:42
Now, we can make a test commit to one of
5:45
my repo and then we'll see whether that
5:48
commit is verified on my GitHub uh
5:53
For reference, I have already cloned
5:56
a repo with the name automation code.
6:05
Let me edit this readme file here.
6:12
Save and close the file.
6:23
Now commit the change using git space
6:42
It is prompting me to specify the
6:46
passphrase that I have set for my key.
6:49
Just specify the same passphrase.
6:57
Now push the changes to the repo. Run
7:12
Output confirms that my changes have been
7:15
pushed to this automation code repo. All
7:18
right. Now go to your GitHub account.
7:27
In our case, it is automation code.
7:33
We have committed this change, testing GPG
7:40
And if you go on the history,
7:45
see this is verified.
7:48
This confirms that our commit is signed
7:52
using the GPG key and it's verified on
7:55
my GitHub account under this repo. And
7:59
that's it. You have successfully
8:00
configured a GPG key for your GitHub
8:03
project. If you have found this video
8:05
helpful, make sure to like, comment, and
8:09
subscribe for more DevOps, Linux, and
8:11
cloud tutorials. Thanks for watching. I
8:13
will see you in the next video. Bye.