How to Setup Signed Commit in Git
Published: 7 Sep, 2025
Written by Amit Pradhan, Developer at Entelligo
When you're working on a project with others, it's important to know that the changes you're looking at are genuine. By digitally signing your commits in Git, you add a layer of trust to your code. A valid signature proves that the commit was created by someone holding your private key, not just by someone who typed your name and email into their Git config, which helps everyone feel more confident in the project's security and integrity.
Why should we care about Signed Commits?
Protects against impersonation: anyone can set `user.name` and `user.email` to your values, but only you can produce a signature with your private key.
Git hosting services like GitHub and GitLab mark signed commits as "Verified," increasing trust.
Prerequisites
Git
GPG
Step 1: Generate a GPG Key
gpg --full-generate-key
Choose key type (default is RSA and RSA).
Set key size (e.g., 4096 bits).
Set key expiration.
Enter your name and email (use the same email address that is registered and verified on your Git hosting account).
Set a secure passphrase.
Once generated, list your keys with:
gpg --list-secret-keys --keyid-format LONG
Copy the GPG key ID from the output: it is the hex string after the algorithm on the `sec` line, for example `sec rsa4096/3AA5C34371567BD2`, where `3AA5C34371567BD2` is the key ID.
Step 2: Add Your GPG Key to Git
Tell Git which GPG key to use for signing:
git config --global user.signingkey <your-key-id>
Example:
git config --global user.signingkey 3AA5C34371567BD2
Step 3: Enable Commit Signing by Default
Make Git sign every commit automatically by default:
git config --global commit.gpgsign true
Step 4: Export and Add the Public Key to GitHub/GitLab
Export your public key to add it to your Git hosting service:
gpg --armor --export <your-key-id>
Copy the output and add it to GitHub under Settings > SSH and GPG keys > New GPG key or GitLab under User Settings > GPG Keys. The email address in the key's user ID must match an email verified on your account; otherwise the hosting service cannot tie the key to you and will show the commit as "Unverified".
Step 5: Make a Signed Commit
Now, whenever you commit, Git will sign it automatically, or you can explicitly add the `-S` flag to sign individual commits:
git commit -S -m "Your signed commit message"
You will be prompted for your GPG passphrase the first time; gpg-agent caches it, so subsequent commits in the same session are signed without a prompt.
Step 6: Verify Signed Commits
You can verify signed commits locally with:
git log --show-signature -1
Local verification only succeeds if the signer's public key is in your GPG keyring, so to check a teammate's commits you need to import their public key first.
On GitHub/GitLab, signed commits will show a "Verified" badge.
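Checking one commit by hand does not scale; for a branch or a CI gate you want to see every commit's signature status. As an added example (not part of the original article), the POSIX shell function below reads the output of `git log --format='%G? %h %s'`, where `%G?` is Git's one-letter signature status, and fails if any commit is not a good, trusted signature. The `SAMPLE_LOG` lines are constructed for this example.

```shell
#!/bin/sh
# Audit signature status of a commit range.
# `git log --format='%G? %h %s' <range>` prints one line per commit whose first
# field is the signature status: G good, B bad, U good but untrusted key,
# X good but expired signature, Y good but expired key, R good but revoked key,
# E signature cannot be checked (e.g. public key missing), N no signature.
# audit_signatures reads those lines on stdin, prints every commit that is not
# 'G', and returns 1 if any such commit exists (0 if all are good).
audit_signatures() {
  bad=0
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    status=${line%% *}   # first field: signature status letter
    rest=${line#* }      # remainder: abbreviated hash and subject
    case "$status" in
      G) ;;
      N)     echo "UNSIGNED          $rest"; bad=$((bad + 1)) ;;
      B)     echo "BAD-SIGNATURE     $rest"; bad=$((bad + 1)) ;;
      U)     echo "UNTRUSTED-KEY     $rest"; bad=$((bad + 1)) ;;
      E)     echo "CANNOT-CHECK      $rest"; bad=$((bad + 1)) ;;
      X|Y|R) echo "EXPIRED/REVOKED   $rest"; bad=$((bad + 1)) ;;
      *)     echo "UNKNOWN($status)  $rest"; bad=$((bad + 1)) ;;
    esac
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample output of `git log --format='%G? %h %s'` (hashes are made up):
SAMPLE_LOG='G 1a2b3c4 Add signed commit helper
N 5d6e7f8 Quick fix pushed without signing
E 9a0b1c2 Merge branch feature-x'

# Real usage would be, e.g.:  git log --format='%G? %h %s' origin/main..HEAD | audit_signatures
if printf '%s\n' "$SAMPLE_LOG" | audit_signatures; then
  echo "all commits carry good, trusted signatures"
else
  echo "signature audit failed: review the commits listed above before merging"
fi
```

In CI, run the pipeline against the merge range and let its non-zero exit block the merge; an `E` status usually means the reviewer's keyring lacks the author's public key rather than a forged commit.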