
Sign Git Commits with GPG

Last updated: 2024-09-05 16:17:13

CODING supports GPG signature verification for Git commits. Commits whose signature is verified are tagged "Verified", so that the identity of the committer can be trusted and the integrity of the code base is strengthened.

Generate GPG Key Pair

1. Download and install GPG. If you are using macOS, you can run the following command using the brew package manager:
brew install gpg
2. Run the following command to generate a GPG key pair (public/private key):
gpg --full-gen-key
In some environments, such as Gpg4win on Windows or certain GPG versions on macOS, the command is gpg --gen-key instead.
This is an interactive command. Following the prompts, you select the algorithm type, specify the validity period of the key, enter your real name and email address, set a passphrase, and so on.
Key Type: Select the key type to use or press Enter to choose the default RSA and RSA.
Elliptic Curve: Press Enter to select the default elliptic curve Curve 25519.
Validity period: Specify the validity period of the key as needed, or press Enter to select the default never expires.
Email address: This should be the email address configured in your CODING account.
3. Run the following commands to list the created GPG keys (the email address in the command should be the one specified in step 2):
gpg --list-secret-keys --keyid-format LONG "your_email"
4. Copy the long GPG key ID from the line that starts with sec (the part after the slash). In the example below, copy 4AEA00A342C24CA3:
sec ed25519/4AEA00A342C24CA3 2021-09-14 [SC]
6DE3507E82DEB6E8828FAAC34AEA00A342C24BD4
uid [ ultimate ] your_name "your_email"
ssb cv25519/812B586FD245B560 2021-09-14 [E]
5. Use the copied ID to export the public key (using the ID mentioned above as an example):
gpg --armor --export 4AEA00A342C24CA3
After generating the public key, you can add it to your CODING account.

Add Public Key to Personal Account Settings

1. After logging in to CODING, click the Personal Account Settings option in the lower left corner of the page.
2. Select GPG Public Key from the left sidebar to enter the Public Key Management page.
3. Click Add Public Key, paste the exported GPG Public Key into the content box, and confirm.

After the public key is successfully added, the verification status of the email address, key ID, and subkey will be displayed.
Note:
If the email address shows an unverified status, it means the email is not configured in the CODING account. Please add the email in Personal Account Settings > Email Settings.

Associate with the local Git repository

1. Run the following commands to list the created GPG keys (the email address in the command should be the one specified when generating the key):
gpg --list-secret-keys --keyid-format LONG "your_email"
2. Copy the long GPG key ID from the line that starts with sec (the part after the slash). In the example below, copy 4AEA00A342C24CA3:
sec ed25519/4AEA00A342C24CA3 2021-09-14 [SC]
6DE3507E82DEB6E8828FAAC34AEA00A342C24BD4
uid [ ultimate ] your_name "your_email"
ssb cv25519/812B586FD245B560 2021-09-14 [E]
3. Configure the key in the local Git repository to sign commit submissions:
git config --global user.signingkey 4AEA00A342C24CA3
You have now associated the GPG key with your local Git configuration. From now on, sign your commits when making local changes so that CODING can verify who made them.
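The key listing in steps 1 and 2 above (and in steps 3 and 4 of the key generation section) is normally read by eye. The following script, added here and not part of the CODING documentation, does the same selection over a constructed sample listing: it picks the first non-expired secret key that has the S (signing) capability and whose uid carries the CODING account email, and checks that the copied key ID equals the last 16 hex digits of the fingerprint printed under the sec line. The sample listing, its second key and its fingerprints are constructed.

```shell
#!/bin/sh
# Constructed sample in the format of `gpg --list-secret-keys --keyid-format LONG`.
# The first (expired) key and both fingerprints are made up for the example.
SAMPLE='sec   rsa3072/0123456789ABCDEF 2019-01-01 [SC] [expired: 2021-01-01]
      0000111122223333444455550123456789ABCDEF
uid                 [ expired] old_name <you@example.com>
sec   ed25519/4AEA00A342C24CA3 2021-09-14 [SC]
      6DE3507E82DEB6E8828FAAC34AEA00A342C24CA3
uid                 [ultimate] your_name <you@example.com>
ssb   cv25519/812B586FD245B560 2021-09-14 [E]'

# Print the long key ID of the first secret key that is not expired or revoked,
# has the S (signing) capability, and whose uid holds the given email address.
# Usage: signing_key_for_email "$listing" "you@example.com"
signing_key_for_email() {
    printf '%s\n' "$1" | awk -v email="$2" '
        $1 == "sec" {
            id = $2; sub(/^[^\/]*\//, "", id)          # "ed25519/4AEA..." -> "4AEA..."
            usable = ($0 ~ /\[[A-Z]*S[A-Z]*\]/) && ($0 !~ /expired|revoked/)
        }
        $1 == "uid" && usable && index($0, "<" email ">") { print id; exit }
    '
}

# Return 0 when key ID $2 equals the last 16 hex digits of the 40-digit
# fingerprint printed directly under its sec line, 1 otherwise.
key_id_matches_fingerprint() {
    fpr=$(printf '%s\n' "$1" | awk -v id="$2" '
        $1 == "sec" && index($2, "/" id) { want = 1; next }
        want && NF == 1 && length($1) == 40 { print $1; exit }
        { want = 0 }
    ')
    [ -n "$fpr" ] && [ "$(printf '%s' "$fpr" | tail -c 16)" = "$2" ]
}

# Demo on the constructed listing; in real use feed in the output of
# `gpg --list-secret-keys --keyid-format LONG` and then run
# git config --global user.signingkey "$KEY" (as in step 3 above).
KEY=$(signing_key_for_email "$SAMPLE" "you@example.com")
echo "signing key: $KEY"
key_id_matches_fingerprint "$SAMPLE" "$KEY" && echo "key ID matches fingerprint"
```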

Sign Git commits

To sign a commit, pass the -S flag to the git commit command.
1. When you have finished editing the code locally and need to submit changes, add the -S parameter to the git commit command:
git commit -S -m "your_commit_message"
If you do not want to enter the -S flag every time, you can use the following command to set Git to automatically sign commits:
git config --global commit.gpgsign true
2. If prompted for a passphrase, enter the passphrase set when generating the GPG key.

Signature verification

After pushing the signed commit to the CODING code repository, you can check the commit verification on the repository's commit page to see if the signature was successful.

The commit verification statuses are explained below.
Verified: Signed with a GPG private key, the corresponding public key is in the CODING account, and the public key email address is verified.
Unverified: Signed with a GPG private key, but the corresponding public key is not in the CODING account, or the public key email address is not verified (if an unverified email appears, add the email in Personal Account Settings > Email Settings).
No verification status tag: The commit was not signed with a GPG private key.
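CODING performs the check described above on the server after the push. As an added local check that is not part of the CODING documentation, the script below reads the output of git log --format='%G? %GK %h' (the %G? placeholder gives G for a good signature, B bad, U good but untrusted, X/Y/R expired signature, expired key or revoked key, E unverifiable, N unsigned; %GK is the signing key) and reports every commit that is not a good signature from the expected key, so unsigned or wrongly signed commits can be caught before they show up as unverified. SAMPLE_LOG is constructed output, not from a real repository.

```shell
#!/bin/sh
# Constructed output of `git log --format='%G? %GK %h'`; for an unsigned commit
# %GK is empty, so that line has two spaces and only two fields.
SAMPLE_LOG='G 4AEA00A342C24CA3 a1b2c3d
N  d4e5f6a
G 0123456789ABCDEF 7890abc
B 4AEA00A342C24CA3 fedcba9'

# Read git log lines on stdin; print one line per commit that is not a good
# signature made by key $1. Exit 0 when every commit passes, 1 otherwise.
# Usage: git log --format='%G? %GK %h' origin/main..HEAD | audit_signatures KEYID
audit_signatures() {
    awk -v key="$1" '
        $1 == "G" && $2 == key { next }                          # good, expected key
        $1 == "N" { print $NF ": not signed"; bad = 1; next }
        $1 == "G" { print $NF ": signed with unexpected key " $2; bad = 1; next }
        { print $NF ": signature status " $1; bad = 1 }          # B, U, X, Y, R, E
        END { exit bad }
    '
}

# Demo on the constructed log; in a real repository pipe git log into the
# function and pass "$(git config user.signingkey)" as the expected key.
printf '%s\n' "$SAMPLE_LOG" | audit_signatures 4AEA00A342C24CA3 \
    || echo "some commits would not verify on CODING"
```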

Delete GPG Public Key

If your GPG public key is at risk of being compromised or you no longer use GPG signatures, you can delete the public key in Personal Account Settings > GPG Public Key.

After the public key is deleted:
Commits that were previously verified become unverified.
Commits that are still signed with the GPG private key (that is, made with git commit -S -m) are shown as unverified.
Unsigned commits (made with git commit -m) are not verified and carry an unverified status tag.

Note:
If Git automatic signing is configured, you can run the command git config --global commit.gpgsign false to disable automatic signing. Otherwise, after deleting the GPG public key, commits pushed to the remote repository will still show an 'Unverified' status.

GPG signature error handling

If, after completing all the steps above, signing a commit with git commit -S -m fails with the following error, see Solving GPG Signature Failures for the configuration changes that resolve it:
error: gpg failed to sign the data
fatal: failed to write commit object