Signing commits
Learn how to cryptographically sign Git commits and tags with GPG or SSH keys to prove authorship and earn the Verified badge. Setup included.
Definition
Signing a commit attaches a cryptographic signature that proves who created it and that its contents have not been altered. By default, the author name and email on a commit are just text — anyone can set them to anything. A signature, made with a private key only you hold, turns that claim into something verifiable. Signed commits earn the "Verified" badge on platforms like GitHub and GitLab.
Why sign commits
Git lets you set user.name and user.email to any value, so an unsigned commit is trivial to impersonate. For projects where provenance matters — security-sensitive code, open-source releases, regulated environments — signatures let reviewers confirm that a commit genuinely came from the claimed author. The signature also guarantees integrity: if a single byte of the commit changes, verification fails.
Signing with GPG
First, configure Git with the key you want to use:
git config --global user.signingkey <your-key-id>
Then sign a commit with the -S flag:
git commit -S -m "Add audited payment handler"
To sign a tag, use -s with git tag:
git tag -s v2.0.0 -m "Signed release 2.0.0"
Signing with SSH
Modern Git (2.34+) can sign with an SSH key, which is simpler if you already use one for authentication:
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
Commits then sign the same way, with -S.
Signing everything automatically
Typing -S on every commit is easy to forget. Turn on automatic signing so all commits are signed:
git config --global commit.gpgsign true
git config --global tag.gpgsign true
Verifying signatures
To check signatures locally, ask Git to show them:
git log --show-signature
git verify-commit <commit>
git verify-tag <tag>
Hosting platforms display a Verified badge once you have uploaded your public key to your account, so reviewers see authenticity at a glance.
Common options
| Command | Description |
|---|---|
| git commit -S | Signs a single commit. |
| git tag -s <name> | Creates a signed annotated tag. |
| git config commit.gpgsign true | Signs every commit automatically. |
| git log --show-signature | Displays signature status in the log. |
| git verify-commit <commit> | Verifies a commit's signature. |
Practice
Which statements about signing commits are correct?