Recipe: Signed commits + branch protection
Enforce cryptographic commit signing and block unsigned pushes across your GitHub organization.
1. Generate a signing key
gpg --full-generate-key   # choose RSA 4096, a 2y expiry, and an email address that is verified on your GitHub account (otherwise GitHub shows the commit as Unverified)
2. Configure Git
git config --global user.signingkey KEYID
git config --global commit.gpgsign true
3. Upload to GitHub
Export your public key and add it under Settings → SSH and GPG keys.
gpg --armor --export KEYID | pbcopy   # pbcopy is macOS-only; on Linux pipe to xclip or paste the printed block by hand
4. Enforce branch protection
In your repo, go to Settings → Branches → Add rule. Set the pattern to main and check Require signed commits.
5. Verify
git log --show-signature -1
Look for "Good signature" in the output. Pushes to main that contain unsigned or unverifiable commits will now be rejected; the rule only covers branches matching the pattern you set.
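As an added example (not part of this recipe or GitHub's tooling), the script below turns step 5 into a repeatable check for a whole commit range rather than a single commit, for use in CI or a local pre-push hook. It relies on git's %G? format placeholder, which reports the signature status of each commit; the function and variable names are our own, and the sample report is constructed, not output from a real repository.

```shell
#!/bin/sh
# Added example: enforce "every commit in a range carries a good signature".
# git's %G? placeholder prints one letter per commit:
#   G good, B bad, U good but key untrusted, X/Y good but key expired,
#   R good but key revoked, E cannot check (key missing), N no signature.

# Classify one "<hash> <status>" line. Returns 0 only for a good, trusted signature.
classify_commit() {
  hash=$1
  status=$2
  case "$status" in
    G)     echo "ok        $hash"; return 0 ;;
    U)     echo "UNTRUSTED $hash (good signature, key not trusted in local keyring)"; return 1 ;;
    N)     echo "UNSIGNED  $hash"; return 1 ;;
    B)     echo "BAD       $hash (signature does not verify)"; return 1 ;;
    E)     echo "UNKNOWN   $hash (public key not available to verify)"; return 1 ;;
    X|Y|R) echo "EXPIRED/REVOKED $hash (status $status)"; return 1 ;;
    *)     echo "INVALID   $hash (unexpected status '$status')"; return 1 ;;
  esac
}

# Read "<hash> <status>" lines from stdin; return 1 if any commit fails policy.
check_signature_report() {
  bad=0
  while read -r hash status; do
    [ -z "$hash" ] && continue
    classify_commit "$hash" "$status" || bad=$((bad + 1))
  done
  if [ "$bad" -gt 0 ]; then
    echo "$bad commit(s) failed the signature policy" >&2
    return 1
  fi
  echo "all commits carry good signatures"
  return 0
}

# Run the check against a real range, e.g.:  check_range origin/main..HEAD
# Requires the signers' public keys in the local gpg keyring, or commits report E/U.
check_range() {
  git log --format='%H %G?' "$1" | check_signature_report
}

# Constructed sample of what `git log --format='%H %G?'` prints (fake hashes).
SAMPLE_REPORT='1111111111111111111111111111111111111111 G
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 U'

# Example run on the constructed sample (exits non-zero: two commits fail).
# printf '%s\n' "$SAMPLE_REPORT" | check_signature_report
```

The check is deliberately strict: a U status means the signature is mathematically valid but the key is not trusted in the machine's keyring, which in CI usually means the team's public keys were never imported. Import them (for example from the same exports you uploaded to GitHub in step 3) rather than loosening the policy.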
Pro tip: Combine this with required PR reviews for a complete supply-chain integrity setup.