To sign Git commits and tags with GPG keys for verification, you can follow these steps:
Generate a GPG key pair if you don't have one already. This can be done using the gpg command-line tool. Run the following command and follow the prompts:
gpg --full-generate-key
This will generate a new GPG key pair with a unique ID.
Retrieve the ID of your GPG key pair by running the command:
gpg --list-secret-keys --keyid-format LONG
Look for the key ID, which is the alphanumeric string following the "sec" label. It should look something like 4096R/ABC12345, where the part after the slash (ABC12345 here) is the key ID.
Configure Git to use your GPG key by running the following commands, replacing ABC12345 with your actual key ID:
git config --global user.signingkey ABC12345
git config --global gpg.program gpg
Enable commit signing for your Git repositories by running:
git config --global commit.gpgsign true
This will ensure that all future commits will be signed with your configured GPG key.
To sign an individual commit without relying on that setting, use the -S flag with the git commit command:
git commit -S -m "Your commit message here"
This will sign the commit using your GPG key.
To sign an individual tag, use the -s flag with the git tag command:
git tag -s v1.0 -m "Your annotated tag message here"
This will create an annotated tag with your GPG signature included.
Now, your commits and tags will be signed with your GPG key for verification. Others can verify the authenticity of your commits and tags by using your public key.
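The verification side of the steps above, as an added example that is not part of the original page: a shell function that audits the signature status codes Git reports for each commit. The function name audit_signatures, the strict "only G passes" policy, and the sample hashes and author names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit commit signature status codes.
# Input lines are what this git command prints (one commit per line):
#   git log --format='%G? %h %an' origin/main..HEAD
# %G? status codes: G good, U good but key validity unknown, X good but
# signature expired, Y good but key expired, R good but key revoked,
# B bad signature, E cannot be checked (e.g. public key missing), N unsigned.

# Reads "<status> <hash> <author>" lines on stdin, prints one line per
# commit that fails the policy, and returns 1 if any commit failed.
# Assumed policy (strict): only status G is accepted.
audit_signatures() {
    failed=0
    while read -r status hash author; do
        [ -n "$status" ] || continue          # skip blank lines
        case "$status" in
            G) continue ;;                    # valid signature, trusted key
            U) reason="signed, but key validity unknown" ;;
            X) reason="signature expired" ;;
            Y) reason="signed by an expired key" ;;
            R) reason="signed by a revoked key" ;;
            B) reason="BAD signature" ;;
            E) reason="cannot check (public key missing?)" ;;
            N) reason="not signed" ;;
            *) reason="unrecognized status '$status'" ;;
        esac
        printf 'REJECT %s (%s): %s\n' "$hash" "$author" "$reason"
        failed=1
    done
    return "$failed"
}

# Constructed sample input (hashes and names are made up).
SAMPLE_LOG='G 1a2b3c4 Alice Example
N 5d6e7f8 Bob Example
U 9a0b1c2 Carol Example
B 3d4e5f6 Mallory Example'

# Demonstration run over the sample; "|| true" keeps the script going
# even though the audit reports failures.
printf '%s\n' "$SAMPLE_LOG" | audit_signatures || true
```

A status of U usually means the signer's public key is in the verifier's keyring but has not been marked as trusted, so a signature that is valid can still be rejected under this strict policy until the key is certified or trusted locally.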