GitHub is a web-based version-control and collaboration platform for software developers. I use it all the time to version the soruce code of my PhD project. The GRIAC and RBMB bioinformatical groups both have a github page setup as well, even though we don’t use it very much. But if we were to work together even more, we should be able to trust the commits we make to our collaborative repositories. For that reason, GitHub had instroduced signed commits. Below is a script to make a GPG signature and to add this to your local Git configuration to automatically sign your commits.

Mac / Linux

EMAIL="" # See
SECRET_KEYID="2F01902897288144" # See output of "gpg --list-secret-keys --keyid-format LONG"

brew install gnupg
brew install pinentry-mac

echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
killall gpg-agent

gpg --full-generate-key
gpg --list-secret-keys --keyid-format LONG "$EMAIL"
gpg --armor --output gpg_github_pub.asc --export "$EMAIL"
cat gpg_github_pub.asc

# If you do something wrong while creating the GPG key, delete it:
gpg --list-secret-keys --keyid-format LONG "$EMAIL"
# sec   rsa4096/$SECRET_KEYID 2021-09-24 [SC] [expires: 2031-09-22]
# uid                 [ultimate] Jos van Nijnatten (This is for GitHub only.) <$EMAIL>
# ssb   rsa4096/SOMEOTHERIDENTIF 2021-09-24 [E] [expires: 2031-09-22]
gpg --delete-secret-key "$SECRET_KEYID"

git config --list
git config --global "$EMAIL"
git config --global user.signingKey "$SECRET_KEYID"
git config --global commit.gpgsign true
git config --global gpg.program gpg

git commit -m "R: added commented line for auto stacktrace"
git push
git show head --show-signature
git log --show-signature -1


Tutorial Remember to do the GPG related commands in Powershell and the Git related commands in Bash.