Background
One day, I impulsively turned on GitHub’s Vigilant mode.
As a result, all my commits started looking like this.
To figure out how to make them Verified, I found the following method.
Method
I actually referred to this link. However, it wasn’t quite enough, as there might be authentication-related issues on MacBooks that lead to commit errors. So, I found this solution.
In summary, making a verified commit requires entering a password. The issue on a Mac is the prompt used to enter that password: it needs to be replaced with pinentry-mac, which most people install via Homebrew.
Moreover, this solution thoughtfully provides a way to verify:
echo "test" | gpg --clearsign
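The steps above collected into one script, added here as an example and not taken from the linked guides. The function names `set_pinentry` and `setup_signing` are made up for this example; it assumes pinentry-mac is already installed via Homebrew and that you pass the ID of your own GPG key.

```shell
# Set (or replace) the pinentry-program line in a gpg-agent.conf file.
# $1 = path to gpg-agent.conf, $2 = absolute path to the pinentry binary.
# Safe to run repeatedly: the file never ends up with two pinentry lines.
set_pinentry() {
    conf=$1
    pinentry=$2
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    tmp=$(mktemp)
    # Drop any existing pinentry-program line, keep every other setting.
    grep -v '^[[:space:]]*pinentry-program[[:space:]]' "$conf" > "$tmp" || true
    printf 'pinentry-program %s\n' "$pinentry" >> "$tmp"
    mv "$tmp" "$conf"
    chmod 600 "$conf"
}

# Full setup on macOS. $1 = ID of the GPG key to sign commits with.
setup_signing() {
    key_id=$1
    pinentry=$(command -v pinentry-mac) || {
        echo "pinentry-mac not found; install it with: brew install pinentry-mac" >&2
        return 1
    }
    set_pinentry "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" "$pinentry"
    # Stop the running agent; it restarts on next use and reads the new config.
    gpgconf --kill gpg-agent
    # Sign every commit in every repo with this key.
    git config --global user.signingkey "$key_id"
    git config --global commit.gpgsign true
    # The check from above: this should bring up the pinentry-mac dialog.
    echo "test" | gpg --clearsign
}
```

Call it as `setup_signing <KEY_ID>`; `gpg --list-secret-keys --keyid-format=long` lists the key IDs available on the machine.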
GPG Experience
- It doesn’t replace the SSH key. After successfully setting it up, I deleted my GitHub SSH key and discovered that I couldn’t log in. Actually, it only verifies the legitimacy of commits.
- On the local machine, in any repo, you only need to enter the password once, and that makes it a verified commit. It doesn’t affect daily use; it just adds a green check mark for verification.
- Using the HTTPS protocol + token seems more reliable than this method, but I’m not sure if it provides a verified mark.