GitHub and GitLab provide a mechanism to verify signed commits using an uploaded public SSH key. GitButler can automatically sign all your commits.
Git provides a mechanism to sign your commits with a GPG key or SSH key. This lets other developers confirm that you were actually the person who made a commit, rather than someone else just setting their email to yours and committing as if they were you.
To make this work, a signature is added to the commit header, and that signature is then checked against a public key stored somewhere. For most people, the most useful way to verify these signatures is through GitHub or GitLab.
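To make the "signature in the commit header" concrete, here is an added Python example (not GitButler's code) that splits the `gpgsig` header out of a raw commit object, recovers the payload the signature covers, and decodes the fields of the SSH signature envelope. The sample commit, its identity and the all-zero key and signature are constructed for illustration, and the code inspects structure only; it performs no cryptographic verification.

```python
import base64
import struct

def ssh_string(data: bytes) -> bytes:  # SSH wire format: uint32 length + bytes
    return struct.pack(">I", len(data)) + data

def split_commit(raw: str):
    """Return (signature armor or None, payload the signature covers)."""
    head, sep, body = raw.partition("\n\n")
    kept, sig, in_sig = [], [], False
    for line in head.split("\n"):
        # the header line starts "gpgsig "; continuation lines start with a space
        in_sig = line.startswith("gpgsig ") or (in_sig and line.startswith(" "))
        if in_sig:
            sig.append(line.split(" ", 1)[1])
        else:
            kept.append(line)
    return ("\n".join(sig) if sig else None), "\n".join(kept) + sep + body

def parse_sshsig(armor: str) -> dict:
    """Decode the SSHSIG envelope fields; inspects only, verifies nothing."""
    lines = armor.strip().split("\n")
    if (lines[0], lines[-1]) != ("-----BEGIN SSH SIGNATURE-----", "-----END SSH SIGNATURE-----"):
        raise ValueError("not an SSH signature")
    blob = base64.b64decode("".join(lines[1:-1]))
    if blob[:6] != b"SSHSIG":
        raise ValueError("bad magic")
    pos, fields = 10, []
    for _ in range(5):  # publickey, namespace, reserved, hash_algorithm, signature
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    (klen,) = struct.unpack(">I", fields[0][:4])
    return {"version": struct.unpack(">I", blob[6:10])[0],
            "key_type": fields[0][4:4 + klen].decode(),
            "namespace": fields[1].decode(), "hash": fields[3].decode()}

def build_sample_commit() -> str:  # constructed: all-zero key and signature
    pub = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
    sig = ssh_string(b"ssh-ed25519") + ssh_string(bytes(64))
    blob = b"SSHSIG" + struct.pack(">I", 1) + b"".join(
        ssh_string(f) for f in (pub, b"git", b"", b"sha512", sig))
    b64 = base64.b64encode(blob).decode()
    armor = ["-----BEGIN SSH SIGNATURE-----",
             *[b64[i:i + 70] for i in range(0, len(b64), 70)],
             "-----END SSH SIGNATURE-----"]
    return ("tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
            "author Example Dev <dev@example.com> 1700000000 +0000\n"
            "committer Example Dev <dev@example.com> 1700000000 +0000\n"
            "gpgsig " + "\n ".join(armor) + "\n\nAdd feature\n")
```

On a real repository, the raw object that `split_commit` expects is what `git cat-file commit HEAD` prints.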
This is what a verified commit looks like on both systems:
A verified commit on GitLab
Verified and non-verified commits on GitHub
This means that the server has the public key matching the key you used to sign the commits, that this key is associated with your account, and that the server has verified that this user actually signed this commit.
In order for this to work, you need to:
1. Tell GitButler to sign your commits
2. Upload your key as a "signing key" to GitHub or GitLab (or elsewhere)
Telling GitButler to sign commits is very easy. For simplicity, we currently only sign with the ed25519 SSH key that we generate, so it's really just flipping a switch in your settings.
Telling GitButler to sign your commits
This actually just sets a global Git setting named gitbutler.signCommits, so technically you could do this via git config instead if you prefer.
For GitHub or GitLab to verify your signatures, you need to say that the SSH key we generated and are using is a valid signing key for your user. You can copy the public key in the settings page by clicking the "Copy to Clipboard" button.
Be sure to change the type to "Signing Key"
Now your signed commits should show up as "Verified".
Add new key here.
Now paste in the public SSH key you copied from GitButler, name it and make sure the "Usage Type" is either "Signing" or "Authentication and Signing".
Now all your GitButler-generated commits will be verified on that platform!