Git Commit Signature Verification
Learn how to set up GPG commit signing to verify the authenticity of your Git commits and enhance your repository security.
Why Sign Your Commits?
- Authentication: Prove commits are actually from you
- Integrity: Ensure commits haven't been tampered with
- Trust: Build confidence in your codebase
- Compliance: Meet security requirements for sensitive projects
Prerequisites
Install GnuPG on your system:
Step 1: Generate GPG Key
Create a new GPG key pair with your details:
Choose:
- Key type: RSA and RSA (default)
- Key size: 4096 bits
- Expiration: 1-2 years (recommended)
- Enter your name and email (must match Git config)
Step 2: Export Public Key
Get your public key in text format:
Step 3: Add Key to GitHub
- Copy the public key content
- Go to GitHub Settings → SSH and GPG keys
- Click "New GPG key"
- Paste your public key
For detailed steps, check this comprehensive guide.
Step 4: Configure Git Client
First, find your secret key ID:
Look for the key ID after rsa4096/ in the output.
Then configure Git:
git config --global user.signingkey [secret-key-id]
git config --global commit.gpgsign true
git config --global gpg.program $(which gpg)
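The key ID Git needs is the long ID on the `sec` line of the listing, not the `ssb` encryption subkey, and the key's user ID must carry the same email address as your Git config. The following helper, added here as an example rather than code from the original guide, parses constructed sample output in the layout of `gpg --list-secret-keys --keyid-format long`, skips expired keys and keys without the signing (`S`) capability, picks the key whose user ID matches the Git email, and builds the matching `git config` commands. All key IDs, fingerprints, names and emails in the sample are made up.

```python
"""Pick the GPG signing key ID from `gpg --list-secret-keys --keyid-format long` output.

SAMPLE_LISTING is constructed sample output: the IDs, fingerprints and
user IDs are made up, but the line layout is the one gpg prints.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LISTING = """\
/home/alice/.gnupg/pubring.kbx
------------------------------
sec   rsa4096/3AA5C34371567BD2 2024-01-15 [SC] [expires: 2026-01-15]
      1234567890ABCDEF1234567890ABCDEF12345678
uid                 [ultimate] Alice Example <alice@example.com>
ssb   rsa4096/42B317FD4BA89E7A 2024-01-15 [E] [expires: 2026-01-15]
sec   rsa4096/8F1E6C2D9B0A4E33 2020-03-01 [SC] [expired: 2022-03-01]
      ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCD
uid                 [ expired] Alice Example <alice@example.com>
"""

# "sec   rsa4096/<16 hex key ID> <date> [<capabilities>] [expires|expired: <date>]"
SEC_RE = re.compile(
    r"^sec\s+(?P<algo>\w+)/(?P<keyid>[0-9A-F]{16})\s+\S+\s+\[(?P<caps>[A-Z]+)\]"
    r"(?:\s+\[(?P<status>expires|expired):\s*[^\]]*\])?"
)
# "uid                 [ultimate] Name <email>"  (trust word may be padded, e.g. "[ expired]")
UID_RE = re.compile(r"^uid\s+\[\s*(?P<trust>\w+)\]\s+(?P<name>.*?)\s+<(?P<email>[^>]+)>")


@dataclass
class SecretKey:
    key_id: str            # long key ID, the part after "rsa4096/"
    capabilities: str      # e.g. "SC": sign + certify
    expired: bool
    emails: List[str] = field(default_factory=list)


def parse_secret_keys(listing: str) -> List[SecretKey]:
    """Collect every primary secret key with the emails of its user IDs."""
    keys: List[SecretKey] = []
    for line in listing.splitlines():
        m = SEC_RE.match(line)
        if m:
            keys.append(SecretKey(m["keyid"], m["caps"], m["status"] == "expired"))
            continue
        m = UID_RE.match(line)
        if m and keys:
            # uid lines follow the sec line they belong to
            keys[-1].emails.append(m["email"].lower())
    return keys


def choose_signing_key(listing: str, git_email: str) -> Optional[str]:
    """Return the key ID Git should sign with, or None if no key qualifies.

    A key qualifies when it can sign (capability S), is not expired, and one
    of its user IDs carries the email configured in Git (user.email)."""
    for key in parse_secret_keys(listing):
        if "S" in key.capabilities and not key.expired and git_email.lower() in key.emails:
            return key.key_id
    return None


def git_signing_config(key_id: str) -> List[str]:
    """The git config commands from Step 4, filled in with the chosen key ID."""
    return [
        f"git config --global user.signingkey {key_id}",
        "git config --global commit.gpgsign true",
    ]


if __name__ == "__main__":
    key_id = choose_signing_key(SAMPLE_LISTING, "alice@example.com")
    print("signing key:", key_id)
    for cmd in git_signing_config(key_id):
        print(cmd)
```

The expired key in the sample is skipped even though it has the same email, which is the usual cause of "key expired" failures after copying an old `user.signingkey` into a new configuration.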
Step 5: Sign Your Commits
With commit.gpgsign enabled, every commit is now signed automatically; you can also sign a single commit manually:
Verification
Verify signed commits:
On GitHub, signed commits show a "Verified" badge.
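A "Verified" badge tells you about one commit at a time; for a whole branch or release range you want a check that flags every commit whose signature is missing, bad, or made with a key you do not recognise. The script below is an added example (not code from the original guide) that audits output in the shape of `git log --format='%H%x09%G?%x09%GK%x09%GS'`, where `%G?` is Git's one-letter signature status, `%GK` the signing key ID and `%GS` the signer; the sample log lines are constructed, with made-up hashes and key IDs, and the allow-list of trusted key IDs is an assumption you would replace with your team's keys.

```python
"""Audit commit signature status from `git log` output.

In the repository run:
    git log --format='%H%x09%G?%x09%GK%x09%GS' <range>
and pass the text to audit_signatures(). SAMPLE_LOG below is constructed
sample output; hashes, key IDs and signers are made up.
"""
from typing import List, Tuple

# Meaning of the %G? status letter, as documented in git's pretty formats
STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, made by expired key",
    "R": "good signature, made by revoked key",
    "E": "cannot check (key missing or unusable)",
    "N": "no signature",
}

SAMPLE_LOG = """\
9f8e7d6c5b4a39281706f5e4d3c2b1a09f8e7d6c\tG\t3AA5C34371567BD2\tAlice Example <alice@example.com>
1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d\tN\t\t
0011223344556677889900aabbccddeeff001122\tE\t8F1E6C2D9B0A4E33\t
ffeeddccbbaa99887766554433221100ffeeddcc\tB\t3AA5C34371567BD2\tAlice Example <alice@example.com>
abcdef0123456789abcdef0123456789abcdef01\tG\tDEADBEEFCAFEF00D\tMallory <mallory@example.net>
"""

Row = Tuple[str, str, str, str]  # (sha, status letter, key id, signer)


def parse_log(text: str) -> List[Row]:
    """Split tab-separated git log lines; unsigned commits leave fields empty."""
    rows: List[Row] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (4 - len(parts))  # pad fields git prints as empty
        sha, status, key_id, signer = parts[:4]
        rows.append((sha, status, key_id, signer))
    return rows


def audit_signatures(text: str, allowed_keys: List[str]) -> List[Tuple[str, str]]:
    """Return [(sha, reason)] for every commit failing the policy:
    the signature must verify (status G or U) and the signing key must be
    on the allow-list. Status U is accepted because the allow-list, not the
    local GPG trust database, is the source of trust here."""
    allowed = {k.upper() for k in allowed_keys}
    findings: List[Tuple[str, str]] = []
    for sha, status, key_id, _signer in parse_log(text):
        if status not in ("G", "U"):
            findings.append((sha, STATUS.get(status, f"unknown status {status!r}")))
        elif key_id.upper() not in allowed:
            findings.append((sha, f"signed with non-allow-listed key {key_id}"))
    return findings


if __name__ == "__main__":
    # Assumed allow-list; replace with your team's key IDs.
    for sha, reason in audit_signatures(SAMPLE_LOG, ["3AA5C34371567BD2"]):
        print(f"{sha[:12]}  {reason}")
```

Run this in CI against the range being merged (for example `origin/main..HEAD`) and fail the job when it returns any finding; a good signature from an unknown key is reported separately from a missing or bad one, because the two need different responses (key onboarding versus investigation).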
Troubleshooting
GPG Agent Issues
Key Expiration
Best Practices
- ✅ Use strong passphrases
- ✅ Backup your private key securely
- ✅ Set reasonable expiration dates
- ✅ Revoke compromised keys immediately
- ✅ Use different keys for different purposes
Next Steps
- Set up commit signing in your IDE
- Configure organization-wide signing policies
- Explore advanced GPG features
- Learn about signed tags
Secure your commits, secure your code! 🔐