
How to Set Up Signed Commits in Git

Published: 7 Sep, 2025

When you're working on a project with others, it's important to know that the changes you're looking at are genuine. By digitally signing your commits in Git, you add a layer of trust to your code. It proves that the changes came from an authenticated source—you!—which helps everyone feel more confident in the project's security and integrity.

Why should we care about Signed Commits?

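  1. Protects against impersonation by ensuring commits are genuinely from you. Git accepts any name and email in `user.name` and `user.email`, so without a signature nothing ties a commit to its claimed author.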

  2. Git hosting services like GitHub and GitLab mark signed commits as "Verified," increasing trust.

Prerequisites

  1. Git

  2. GPG

Step 1: Generate a GPG Key

gpg --full-generate-key

  • Choose key type (default is RSA and RSA).

  • Set key size (e.g., 4096 bits).

  • Set key expiration.

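  • Enter your name and email. Use the email address you commit with; hosting services match the commit's email against the key's identity and your verified addresses.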

  • Set a secure passphrase.

Once generated, list your keys with:

gpg --list-secret-keys --keyid-format LONG

Copy the GPG key ID from the output. With `--keyid-format LONG`, it is the 16-character hex string after the `/` on the `sec` line.

Step 2: Add Your GPG Key to Git

Tell Git which GPG key to use for signing:

git config --global user.signingkey <your-key-id>

Example:

git config --global user.signingkey 3AA5C34371567BD2

Step 3: Enable Commit Signing by Default

Make Git sign every commit by default:

git config --global commit.gpgsign true

Step 4: Export and Add the Public Key to GitHub/GitLab

Export your public key to add it to your Git hosting service:

gpg --armor --export <your-key-id>

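Copy the full output, including the `-----BEGIN PGP PUBLIC KEY BLOCK-----` and `-----END PGP PUBLIC KEY BLOCK-----` lines, and add it to GitHub under Settings > SSH and GPG keys > New GPG key, or to GitLab under User Settings > GPG Keys.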

Step 5: Make a Signed Commit

Now, whenever you commit, Git will sign it automatically, or you can explicitly add the `-S` flag to sign individual commits:

git commit -S -m "Your signed commit message"

You will be prompted for your GPG passphrase the first time.

Step 6: Verify Signed Commits

You can verify signed commits locally with:

git log --show-signature -1

On GitHub/GitLab, signed commits will show a "Verified" badge.
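
To check more than one commit at a time, the signature status can be read per commit with Git's `%G?` and `%GK` format placeholders instead of by eye. The script below is an added example, not part of the original article; the function names are hypothetical, and rejecting every status except `G` is an assumed policy.

```shell
#!/bin/sh
# Added example: audit commit signatures using `git log` status codes.
# %G? codes: G good, U good but key trust unknown, X good but signature
# expired, Y good but key expired, R good but key revoked, B bad signature,
# E cannot be checked (e.g. public key not in your keyring), N no signature.

# Map one %G? code to "accept" or "reject:<reason>".
# Assumed policy: only a fully valid, locally trusted signature passes.
sig_verdict() {
  case "$1" in
    G) echo "accept" ;;
    U) echo "reject:valid signature, key not trusted locally" ;;
    X) echo "reject:signature expired" ;;
    Y) echo "reject:signing key expired" ;;
    R) echo "reject:signing key revoked" ;;
    B) echo "reject:bad signature" ;;
    E) echo "reject:cannot verify (public key missing?)" ;;
    N) echo "reject:unsigned" ;;
    *) echo "reject:unknown status '$1'" ;;
  esac
}

# Read "<hash> <code> <key-id>" lines on stdin, print every rejected commit,
# and return 1 if at least one commit was rejected (0 otherwise).
audit_signatures() {
  _failed=0
  while read -r _hash _code _key; do
    [ -n "$_hash" ] || continue
    _verdict=$(sig_verdict "$_code")
    if [ "$_verdict" != "accept" ]; then
      printf '%s %s (key: %s)\n' "$_hash" "${_verdict#reject:}" "${_key:-none}"
      _failed=1
    fi
  done
  return "$_failed"
}

# Audit whatever revisions are passed through to `git log`.
# Usage (the range is an assumption about your branch names):
#   audit_range origin/main..HEAD
audit_range() {
  git log --format='%H %G? %GK' "$@" | audit_signatures
}
```

Commits signed by other people show up as `E` until their public keys are imported into your local keyring, and as `U` until you have assigned those keys a trust level.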
