Verified Git Commit Signature in VS Code

3 minutes to automatically sign your commits with a verified signature in VS Code.

  1. Prerequisites
  2. Process
    1. Generate key
    2. Export key
    3. Set key
  3. Undo
  4. Credits
  5. Background reading

Prerequisites

Process

Generate key

  1. Open Git Bash and input gpg --full-generate-key.
  2. Select (1) RSA and RSA (default).
  3. Input 4096.
  4. Input your chosen expiration or 0 to never expire.
  5. Input your name, email and comment (can be left blank).
  6. Input O to confirm.
  7. Input your passphrase (don't forget it!).

Export key

  1. Open Git Bash and input gpg --list-signatures.
  2. Copy the 16-digit key ID that follows "sig".
  3. Input gpg --armor --export XXXXXXXXXXXXXXXX, replacing the X's with your key ID. Keep your key ID at hand as it will be needed again.
  4. Copy the entire key block, including the beginning and end text.
  5. Visit your GitHub keys page and select "New GPG key".
  6. Paste in the key block then "Add GPG key".

Set key

  1. Open your Terminal (VS Code's integrated terminal will also do).
  2. Input git config --global user.signingkey XXXXXXXXXXXXXXXX, replacing the X's with your key ID.
  3. Input git config --global commit.gpgsign true. For your local repository, you can drop the --global flag.
  4. Within your repository, input git config --list and ensure the user.name and user.email are consistent with the generated key.
  5. In VS Code's Settings (UI), tick the "Git: Enable Commit Signing" checkbox or simply add "git.enableCommitSigning": true, to the Settings (JSON).
  6. Your passphrase will be required for the first Git sync.
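
A check for step 4 above, as an added example that is not part of the original guide: it parses the machine-readable output of gpg --list-secret-keys --with-colons and confirms that the configured user.signingkey has a secret key, is not expired or revoked, and carries a user ID matching user.email. The function names, status strings and sample key are constructed for illustration, and the validity field is assumed to be populated as in current GnuPG 2.x.

```bash
#!/usr/bin/env bash
# check_signing_key KEYID EMAIL
# Reads `gpg --list-secret-keys --with-colons` output on stdin and prints one of:
#   ok | no-secret-key | expired-or-revoked | email-mismatch
# (status strings belong to this example, they are not gpg or Git output)
check_signing_key() {
  awk -F: -v want="$1" -v email="$2" '
    BEGIN { want = toupper(want); email = "<" tolower(email) ">" }
    $1 == "sec" {                    # one "sec" record per secret key
      id = toupper($5)               # field 5: 16-character key ID
      # Match the long ID, or a shorter suffix of it.
      in_key = (want != "" && substr(id, length(id) - length(want) + 1) == want)
      if (in_key) { found = 1; validity = $2 }   # field 2: e=expired, r=revoked
    }
    # field 10 of a "uid" record: "Name (comment) <email>"
    $1 == "uid" && in_key && index(tolower($10), email) { uid_ok = 1 }
    END {
      if (!found)              { print "no-secret-key";      exit 1 }
      if (validity ~ /^[er]$/) { print "expired-or-revoked"; exit 1 }
      if (!uid_ok)             { print "email-mismatch";     exit 1 }
      print "ok"
    }'
}

# verify_live_config: run the same check against the real keyring and Git config.
verify_live_config() {
  local key email
  key=$(git config user.signingkey) || { echo "user.signingkey not set"; return 1; }
  email=$(git config user.email)
  [ "$(git config --bool commit.gpgsign)" = "true" ] ||
    echo "warning: commit.gpgsign is not true"
  gpg --list-secret-keys --with-colons | check_signing_key "$key" "$email"
}

# Constructed sample output (not a real key), so the check can be tried offline.
SAMPLE='sec:u:4096:1:0123456789ABCDEF:1700000000:::u:::scESC:::+:::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:u::::1700000000::0000000000000000000000000000000000000000::Jane Dev <jane@example.com>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1700000000::::::e:::+:::23:'

printf '%s\n' "$SAMPLE" | check_signing_key 0123456789ABCDEF jane@example.com
```

Against a live setup, call verify_live_config from inside the repository so that a repository-level user.email is the one compared with the key.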

That's all you need to get the lovely green "Verified" badge next to your commits. Thanks for your time!

Undo

Perhaps there was a mistake and you want to reset. Or you want to keep your email address private and redo using your GitHub-provided noreply one instead.

  1. Open Git Bash and input gpg --list-signatures.
  2. Copy the 16-digit key ID that follows "sig", which you want to remove.
  3. Input gpg --delete-secret-key XXXXXXXXXXXXXXXX, replacing the X's with your key ID.
  4. Input gpg --delete-key XXXXXXXXXXXXXXXX, replacing the X's with your key ID.

Now that the public and private keys have been removed, you can restart the process with newly-generated keys.

Credits

  • Preston, M. (2019, Sep 18). Signed GitHub commits and VSCode. Retrieved from mwpreston dot net.
  • Müller, A. (2019, Sep 18). Signed Git commits in VS Code. Retrieved from Medium.
  • Chapagain, M. (2015, Oct 8). GPG: Remove keys from your public keyring. Retrieved from Mukesh Chapagain Blog.

Background reading