What are “Verified” Git commits? How can I verify my Git commits?
These were the questions I asked myself when I saw “verified” commits on GitHub.
After a lot of searching, I found out it is one of the coolest features of Git.
When it comes to commits in large open-source projects, it’s all about ensuring that the commits being made are legitimate and coming from the correct source and the correct person. GPG keys are a way to digitally sign commits, which provides an extra layer of security and verification. This can be especially important for open-source projects where multiple contributors are making changes to the codebase.
After weeks, I discovered that GitHub has a complete (but complex) document on this.
I read the documentation and was finally able to do this on both GNU/Linux & Windows.
Now I want to write a helpful summary of the GitHub documentation here for beginners so that I can help them in this regard.
Using GPG or SSH, you can sign tags and commits. These tags or commits are marked as verified on GitHub so other people can be confident that the changes come from a trusted source.
You can read the GNU/Linux version here.
The Windows version is here as well.