Double Email Dilemma: How I Nailed Verified Commits on GitLab & GitHub

Learn how I overcame the challenge of managing separate email identities for verified commits on GitLab and GitHub

In collaborative software development, maintaining the integrity of commits is crucial. Git supports GPG (GNU Privacy Guard) signatures for verifying the integrity and validity of commits. However, setting up verified commits across multiple platforms, such as GitHub and GitLab, can be a little challenging, particularly if you use a different email address (company and personal) for each platform. In this blog post, I'll describe my experience setting up verified commits on GitHub with my personal email address alongside my existing GitLab configuration with my work email account.

Understanding the Challenge

As a DevOps Engineer, I often contribute to GitHub and GitLab repositories. Company-wide, we use GitLab for version control, but for my personal work, such as open source contributions, I mostly use GitHub. I had previously used GPG signatures to verify commits on GitLab, and my pushes there were immediately validated using my work email address. On GitHub, however, I ran into a problem: even though I used my personal email address, the commits weren't immediately validated. I had to figure out a way to make sure that my contributions on GitHub were also verified.

Verified Commits

Verified commits are crucial because they guarantee the authenticity, integrity, and trustworthiness of the code changes being committed to a project. A verified commit indicates that the author's identity has been established and that no tampering has occurred with the code since the commit. This is important for maintaining the security and reliability of software development projects, as it prevents unauthorized changes, ensures accountability for contributions, and builds trust within the development community.
Here is an example of a verified commit on GitHub.

Implementation

  1. Global Git settings: When I first set up my global Git settings, I used my work email address and the GPG key that went with it for GitLab commits. By doing this, I made sure that my corporate email was used to sign and validate all of my contributions to GitLab projects.

Use the following commands to set it up globally:

    git config --global user.name "Your Name"
    git config --global user.email "your-company-email@example.com"
  1. Local GitHub Project: I made a dedicated folder on my local machine to keep all my GitHub projects apart from other repositories. I work on a lot of GitHub repositories, and all of them are organized in one folder, for example github-projects.

  2. Generating GPG Key with Personal Email:

    Follow the GitHub documentation to generate a new GPG key for your personal email address, then follow its steps to add the GPG key to your GitHub account.
    To list your GPG keys, run the following command:

     $ gpg --list-secret-keys --keyid-format=long
     /Users/user_name/.gnupg/pubring.kbx
     ------------------------------------
     sec   3057R/8CC5C45863575XL2 2024-03-01 [SC]
     uid                 [ultimate] UserName <your-personal-email@example.com>
     ssb   3057R/6LL5C44373575MG4 2024-03-01 [E]
    

    From the list of GPG keys, take the ID 8CC5C45863575XL2 and use it to prepare the personal Git configuration file. This key will be used to sign commits made to GitHub repositories.

  3. Configuring Personal Git Configuration File: I already have a .gitconfig file in which my company email is declared globally along with a GPG key for GitLab projects. Now I need to configure a personal Git configuration file for GitHub repositories. I created a separate Git configuration file named .gitconfig-personal containing my personal email address and the associated GPG key. I omitted the user name here, as it is the same for both GitLab and GitHub.

     [user]
             email = your-personal-email@example.com
             signingkey = 8CC5C45863575XL2
     [commit]
             gpgsign = true
     [gpg]
             program = /opt/homebrew/bin/gpg
     [credential]
             helper = store
    
  4. Configuring Main Git Configuration File: I used Git's conditional includes feature to make sure that the personal Git configuration is applied only to GitHub projects located in the github-projects folder on my local machine.

     [user]
         name = UserName
         email = your-company-email@example.com
         signingkey = 864G9735KQ4583M6
     [commit]
         gpgsign = true
     [gpg]
         program = /opt/homebrew/bin/gpg
     [credential]
         helper = store
     [includeIf "gitdir:~/github-projects/"]
         path = ~/.gitconfig-personal
    

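    Here, the includeIf directive in the global .gitconfig file is a conditional include: it instructs Git to load extra configuration settings from a different file only if a particular condition is satisfied. The condition gitdir:~/github-projects/ matches any repository whose .git directory lives under that folder, and because the include comes last in the file, the email and signing key from .gitconfig-personal override the global values for those repositories.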
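To check that the conditional include resolves the intended identity before pushing signed commits, the following added example (not part of the original post) rebuilds the two configuration files in a throwaway HOME and asks Git which email and signing key it would use in each location. The repository names `oss-tool` and `internal-service` and the `work` folder are hypothetical; the emails and key IDs are the post's placeholders.

```shell
#!/bin/sh
# Constructed sandbox: a throwaway HOME holding the two config files from the
# post (placeholder emails and key IDs), so the real ~/.gitconfig is untouched.
set -eu

setup_sandbox() {
    sandbox=$(cd "$(mktemp -d)" && pwd -P)   # resolve symlinks (e.g. /tmp on macOS)
    export HOME="$sandbox" GIT_CONFIG_NOSYSTEM=1
    unset GIT_CONFIG_GLOBAL XDG_CONFIG_HOME

    cat > "$HOME/.gitconfig" <<'EOF'
[user]
    name = UserName
    email = your-company-email@example.com
    signingkey = 864G9735KQ4583M6
[includeIf "gitdir:~/github-projects/"]
    path = ~/.gitconfig-personal
EOF
    cat > "$HOME/.gitconfig-personal" <<'EOF'
[user]
    email = your-personal-email@example.com
    signingkey = 8CC5C45863575XL2
EOF
    # Hypothetical repositories: one inside the matched folder, one outside it.
    mkdir -p "$HOME/github-projects/oss-tool" "$HOME/work/internal-service"
    git init -q "$HOME/github-projects/oss-tool"
    git init -q "$HOME/work/internal-service"
}

# Print "email signingkey" as Git resolves them for the repository at $1.
resolved_identity() {
    printf '%s %s\n' \
        "$(git -C "$1" config user.email)" \
        "$(git -C "$1" config user.signingkey)"
}

setup_sandbox
for repo in "$HOME/github-projects/oss-tool" "$HOME/work/internal-service"; do
    echo "$repo -> $(resolved_identity "$repo")"
    # --show-origin names the file that supplied the winning value.
    git -C "$repo" config --show-origin user.signingkey
done
```

On a real machine, running `git config --show-origin user.signingkey` inside a repository gives the same answer without the sandbox; a repository cloned outside github-projects will silently fall back to the company identity and key.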

Conclusion

In this blog, I have shared my experience utilizing my personal email address to ensure authenticated commits on GitHub. I was able to switch between using my personal email for GitHub and my corporate email for GitLab without sacrificing the security and integrity of my commits by making a second Git configuration file and using conditional inclusion. This method offered a versatile option for managing Git configurations across several systems in addition to resolving the problem I was having.

