Security

GPG Signing & Git Commit Verification

A systematic guide to signing Git commits and tags with GPG, configuring verification, and enforcing signing policies in teams.

Who This Is For
  • Developers who need to configure Git security and authentication
Prerequisites
  • Basic SSH concepts
  • Command-line experience
Common Risks
  • Poor key management leading to security leaks
  • Not understanding signing policy causing verification failures

One-Sentence Understanding

GPG signing adds a cryptographic signature to your Git commits and tags, allowing anyone to verify that the commit genuinely came from you — not an imposter.

Why GPG Signing?

Git's commit author information (name + email) is plain text — anyone can fake it:

git config user.name "Linus Torvalds"
git config user.email "torvalds@linux-foundation.org"
git commit -m "This isn't Linus's commit"

GPG signing cryptographically verifies the commit's authenticity.

Quick Start

Install GPG

# macOS
brew install gpg

# Ubuntu
sudo apt install gpg

# Windows
choco install gpg4win

Generate GPG Key

gpg --full-generate-key

# Choose RSA and RSA (default)
# Key size: 4096
# Expiration: 2 years (recommended)
# Name and email must match Git config

List and Export Keys

# List private keys
gpg --list-secret-keys --keyid-format LONG

# Export public key (paste output to GitHub/GitLab)
gpg --armor --export KEY_ID

Configure Git

Set Signing Key

# Find your key ID
gpg --list-secret-keys --keyid-format LONG

# Configure Git
git config --global user.signingkey KEY_ID

# Optional: sign all commits
git config --global commit.gpgsign true

Sign Commits

# Sign individual commits
git commit -S -m "signed commit"

# With commit.gpgsign true
git commit -m "automatically signed"

Sign Tags

# Create signed tag
git tag -s v1.0.0 -m "v1.0.0 release"

# Verify tag
git tag -v v1.0.0

Verification

Local Verification

# Verify commit signature
git log --show-signature -1

# Verify all commits
git log --show-signature

# Show signature status only
git log --format="%H %G? %GS"

The %G? format shows verification status:

  • G: Good signature
  • B: Bad signature
  • U: Good signature, but the signer's key has unknown trust in your keyring
  • N: No signature

Git also reports X and Y (expired signature or expired key), R (revoked key) and E (signature cannot be checked, typically because the signer's public key is not in your keyring), so a policy check should treat every letter other than G as a failure unless you have a reason to accept U.

GitHub/GitLab Verification

After adding your GPG public key, verified commits display a "Verified" badge.

Team Signing Policies

Enforce Signed Commits

On GitHub:

Settings → Branches → Branch protection rules
  → Require signed commits

On GitLab:

Settings → Repository → Protected Branches
  → Require signature on commits

Verify in CI

# The runner's keyring must contain the signers' public keys, or verify-commit fails
- name: Import trusted public keys
  run: gpg --import trusted-signers.asc   # placeholder: your exported public keyring file
- name: Verify commit signature
  run: |
    git log --show-signature -1
    git verify-commit HEAD
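Putting the %G? status letters from the verification section together with the CI step above, here is an added example (not part of the original guide) of a POSIX shell policy check that fails a commit range on any commit without an acceptable signature; the function names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): enforce a "every commit must carry a
# good signature" policy over a commit range, using the %G? status letters that
# git log prints. Function names and the sample data below are this example's own.

# Read "<hash> <status> <signer>" lines on stdin, exactly as
#   git log --format='%H %G? %GS' <range>
# prints them. ALLOWED is the set of acceptable %G? letters: the default "G"
# accepts only good signatures; "GU" also accepts good signatures from keys whose
# trust level you have not set in your keyring. Prints one line per violating
# commit and returns 0 only if every commit passed.
check_signature_lines() {
  allowed="${1:-G}"
  bad=0
  while read -r hash status signer; do
    [ -n "$hash" ] || continue
    case "$allowed" in
      *"${status:-?}"*) continue ;;   # status is in the allowed set (empty never matches)
    esac
    bad=$((bad + 1))
    case "$status" in
      B)   reason="bad signature" ;;
      U)   reason="good signature, signer trust unknown" ;;
      X|Y) reason="signature or signing key expired" ;;
      R)   reason="signing key revoked" ;;
      E)   reason="cannot verify (signer key not in keyring)" ;;
      N)   reason="unsigned" ;;
      *)   reason="unexpected status '$status'" ;;
    esac
    printf '%s %s %s (%s)\n' "$hash" "$status" "$reason" "${signer:-no signer}"
  done
  [ "$bad" -eq 0 ]
}

# Run the policy on a real range, e.g. in CI: enforce_signed_range origin/main..HEAD
enforce_signed_range() {
  git log --format='%H %G? %GS' "$1" | check_signature_lines "${2:-G}"
}

# Constructed sample of git log output (not real commits) to exercise the check offline
SAMPLE_LOG='aaaa1111 G Alice Dev <alice@example.com>
bbbb2222 N
cccc3333 U Bob Dev <bob@example.com>
dddd4444 B Mallory <mallory@example.com>'
```

In CI, import the signers' public keys before calling enforce_signed_range, otherwise every commit shows status E rather than G and the check fails.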

GPG vs SSH Signing

Git 2.34+ supports SSH signing as a lighter alternative:

Factor            GPG Signing              SSH Signing
Key management    Separate PKI             Reuses SSH keys
Complexity        Higher                   Lower
Platform support  Universal                Newer only
Best for          Open source, compliance  Internal teams

Continue Learning

  1. best-practices/security-with-git — Git security best practices
  2. SSH key management
  3. workflows/signing-commits-workflow — Signed commit workflow