What is Commit Signing?
Signing a commit is like adding your personal digital signature to your work.
- It proves that you really made the change.
- It helps others trust your code.
- Platforms like GitHub and GitLab show a Verified badge next to signed commits.
What is GPG?
GPG (GNU Privacy Guard) is a free implementation of the OpenPGP standard: a tool for creating and managing cryptographic keys and for signing, verifying, and encrypting data.
Git uses GPG keys to:
- Sign commits and tags.
- Prove the commits were made by you.
- Detect whether a commit or tag has been altered since it was signed.
Why and When Should You Sign Commits?
- To prove your commits really came from you.
- To increase trust in your contributions (especially in open source).
- Some teams or projects require signed commits for security.
- Unsigned commits are still valid, just not verified.
How to Set Up Commit Signing
1. Create a GPG key
If you don’t have one already:
gpg --full-generate-key
Follow the prompts to choose the key type and size, set an expiry, and enter your name and email (use the same email as your Git user.email so platforms can match the signature to your account).
2. Find your GPG key ID
gpg --list-secret-keys --keyid-format=long
Look for:
sec rsa4096/1234ABCD5678EFGH
Use the part after the slash (1234ABCD5678EFGH) as your key ID.
3. Tell Git to use your GPG key
git config --global user.signingkey 1234ABCD5678EFGH
How to Sign Commits and Tags
- Sign a commit: git commit -S -m "message"
- Sign a tag: git tag -s v1.0 -m "version 1.0"
- Sign all commits automatically: git config --global commit.gpgSign true
Check if a Commit is Signed
In Git:
git log --show-signature
Example output:
commit 1234abcd5678efgh
gpg: Signature made ...
gpg: Good signature from "Your Name <email@example.com>"
Author: Your Name
Date: ...
On GitHub/GitLab:
- Look for the Verified badge next to the commit or tag.
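The manual check above does not scale to a whole branch. The following script is an added example (not from the original page) that audits every commit in a range and fails when any commit is unsigned or carries a bad signature, which is how a team that requires signed commits would enforce the rule in CI. It assumes git's %G? and %GS log placeholders; the sample log lines, hashes and names are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit commits for a good GPG signature (e.g. as a CI gate).
# Assumes git's log placeholders: %G? is G (good), U (good but untrusted key),
# B (bad), N (unsigned), E (cannot check), X/Y (expired), R (revoked); %GS is the signer.

# audit_signatures: read "HASH STATUS SIGNER" lines on stdin, print one line per
# problem, and return 0 only when every commit has a good signature.
# Set ACCEPT_UNTRUSTED=1 to accept "U" (valid signature, key not in your web of trust).
audit_signatures() {
    failures=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        hash=${line%% *}            # first field: %H
        rest=${line#* }             # everything after the hash
        status=${rest%% *}          # second field: %G? letter
        signer=${rest#* }           # remainder: %GS, empty for unsigned commits
        [ "$signer" = "$rest" ] && signer=""
        case "$status" in
            G) ;;
            U) if [ "${ACCEPT_UNTRUSTED:-0}" = 1 ]; then
                   echo "WARN $hash: signed by untrusted key ($signer)"
               else
                   echo "FAIL $hash: signed by untrusted key ($signer)"; failures=$((failures + 1))
               fi ;;
            N) echo "FAIL $hash: commit is not signed"; failures=$((failures + 1)) ;;
            B) echo "FAIL $hash: BAD signature, content changed after signing ($signer)"; failures=$((failures + 1)) ;;
            *) echo "FAIL $hash: signature status '$status' ($signer)"; failures=$((failures + 1)) ;;
        esac
    done
    [ "$failures" -eq 0 ]
}

# audit_range: run the audit on a real repository, e.g. audit_range origin/main..HEAD
audit_range() {
    git log --format='%H %G? %GS' "$1" | audit_signatures
}

# Constructed sample in the "%H %G? %GS" shape (hashes and names are made up).
SAMPLE_LOG='1111111111111111111111111111111111111111 G Alice Example <alice@example.com>
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 B Alice Example <alice@example.com>
4444444444444444444444444444444444444444 U Bob Example <bob@example.com>'

printf '%s\n' "$SAMPLE_LOG" | audit_signatures || echo "audit failed: see FAIL lines above"
```

Note that a "U" result is normal when the signing key is imported but not marked trusted in your keyring; a "B" result means the commit content no longer matches what was signed and should be treated as tampering until explained.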
Troubleshooting Signed Commits
- GPG failed to sign the data: Ensure the GPG agent is running and your key is loaded.
- Wrong key used: Double-check the key ID set with user.signingkey.
- Still stuck? Search for the exact error message.
- Verify that Git and GPG are installed and on your PATH (git --version, gpg --version), and that Git can find the gpg binary.