LuxForge now deploys with a verified signature. This post outlines how to ensure future deploys inherit the same signature.

Outline

  • βœ… Git identity corrected from placeholder to the user identinty (our case, lux-forge)

  • βœ… Commits now show the Verified badge on GitHub

πŸ› οΈ How to: Verified GitHub Commits

To get the Verified badge on commits:

  1. Generate a GPG key: 
    gpg --full-generate-key
  2. List your key: 
    gpg --list-secret-keys --keyid-format LONG

    Look for the long string after rsa4096/β€”that’s your key ID.

  3. Export your public key: 
    gpg --armor --export YOUR_KEY_ID

    Copy the entire key

  4. Add it to GitHub:
    Go to GitHub β†’ User Icon β†’ Settings β†’ SSH and GPG keys β†’ New GPG key Paste the key
  5. Configure Git to sign commits: 
    git config --global user.signingkey YOUR_KEY_ID
git config --global commit.gpgsign true
  6. Test it: 
    git commit -S -m "Signed LuxForge deploy"

Your commits will now show the Verified badge on GitHub.

Summary

We all like big green signs and the Verified one is no different. Not only that but it also ensures future deployments are secure. Lovely.