GPG signing proves that commits are genuinely from you. You only need to do this once.
Open the terminal in your Codespace and run:
gpg --full-generate-key
Choose these options:
- RSA and RSA (default)
- Key size: 4096
- Expiry: 0 (does not expire), or choose a duration you prefer
- Enter your name and the email address linked to your GitHub account
- Set a passphrase (or leave blank for no passphrase)
Then find the key ID you just created:
gpg --list-secret-keys --keyid-format=long
The key ID is the long string after rsa4096/ on the sec line, for example 3AA5C34371567BD2.
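A scripted way to pick out that key ID, as an added example that is not part of the original guide: it reads the machine-readable form of the same listing (`--with-colons`) and prints the key ID and size of each non-expired, non-revoked key whose user ID contains the given email. The function names and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find the secret key whose user ID carries a given email.
# Input: output of `gpg --list-secret-keys --with-colons` on stdin.
# Record fields used: 1=type, 2=validity, 3=bits, 5=key ID, 10=user ID.

key_id_for_email() {
  # $1 = email to look for; prints "KEYID BITS" per usable match.
  awk -F: -v want="$1" '
    $1 == "sec" {                       # a new primary secret key starts
      keyid = $5; bits = $3
      usable = ($2 !~ /^[erdi]/)        # e=expired r=revoked d=disabled i=invalid
      seen = 0
    }
    $1 == "uid" && usable && !seen && $2 !~ /^[er]/ {
      # user ID looks like: Name (comment) <email>
      if (index(tolower($10), "<" tolower(want) ">") > 0) {
        print keyid, bits
        seen = 1                        # report each key once
      }
    }
  '
}

# Constructed sample listing (not real keys): one expired key, one valid key.
sample_listing() {
  cat <<'EOF'
sec:e:2048:1:1111111111111111:1500000000:1600000000::u:::sc:::+:::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:e::::1500000000::0000000000000000000000000000000000000000::Octo Cat <octocat@example.com>::::::::::0:
sec:u:4096:1:3AA5C34371567BD2:1700000000:::u:::scESC:::+:::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB3AA5C34371567BD2:
uid:u::::1700000000::0000000000000000000000000000000000000000::Octo Cat <octocat@example.com>::::::::::0:
ssb:u:4096:1:4BB6D45482678BE3:1700000000::::::e:::+:::23:
EOF
}

# Live use in the Codespace terminal:
#   gpg --list-secret-keys --with-colons | key_id_for_email "$(git config user.email)"
```

An empty result means no usable secret key carries the email Git is configured with, which is worth checking before exporting the public key.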
Export your public key (replace YOUR_KEY_ID):
gpg --armor --export YOUR_KEY_ID
Copy the full output, including:
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
- Click your profile photo (top right of any GitHub page)
- Go to Settings
- In the left sidebar, click SSH and GPG keys
- Click New GPG key
- Paste the key you copied and click Add GPG key
- In GitHub, go to Settings then Codespaces
- Under GPG verification, select All repositories
- Click Save
GPG settings take effect after a restart.
- Visit https://github.com/codespaces
- Find your Codespace
- Click the three dots menu and select Stop Codespace
- Reopen the Codespace
Run these commands in the Codespace terminal:
git config --list --show-origin | grep -E 'commit.gpgsign|gpg.program|user.signingkey|user.name|user.email|credential.helper'
git config --show-origin --get commit.gpgsign
The second command should return true.
- If it returns false or nothing, restart your Codespace and try again.
- If it still fails, check that your GPG key is added in Settings > SSH and GPG keys and that Codespaces GPG verification is set to All repositories.