How to produce signed and verified GitHub commits
With a number of configuration steps you can produce signed and verified GitHub commits from Glamorous Toolkit.
GitHub commit signature verification is described in https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification
Signatures and verification are useful because the git config options user.name and user.email can be set to anything, so the author name on a commit proves nothing by itself.
Use Libgit-CLI
The functionality described here is only available through the Libgit-CLI implementation. See "Using Libgit-CLI as an alternative to Libgit2 FFI in Iceberg" for installation and setup instructions.
Setup
The simplest route is to upload your SSH key to GitHub again, this time as a signing key, and set two git config options:
git config --global gpg.format ssh
git config --global user.signingkey /full/path/to/your/key
Now enable the signing of commits in IceGitCliPlatform:
IceGitCliPlatform current signCommits: true
This basically adds the -S option to git commit operations.
You can verify your settings by looking at the Details and Config inspector views of the current platform and by running the Validate action.
IceGitCliPlatform current
In the GitHub web interface, properly signed commits are marked as verified using a green label.
Here is an example of a signed and verified commit: https://github.com/feenkcom/gt4git/commit/dcc47828dd932e059c8315e918e791f1b99f117c