Security

Advanced Commit Signing

Deep dive into Git commit signing techniques including SSH signing, auto-signing configuration, verification policies, and team signing conventions.

Who This Is For
  • Developers who need to configure Git security and authentication
Prerequisites
  • Basic SSH concepts
  • Command-line experience
Common Risks
  • Poor key management leading to security leaks
  • Not understanding signing policy causing verification failures

Citations & Further Reading

  1. Git commit [Official]
  2. Managing commit signature verification [Discussion]

What you will learn

  • Understand the core purpose of Advanced Commit Signing
  • Master the basic usage and common options of Advanced Commit Signing
  • Deep dive into Git commit signing techniques including SSH signing, auto-signing configuration, verification policies, and team signing conventions.
  • Understand key concepts: Overview
  • Know when to use this feature and when to avoid it

Start with a problem

You're concerned about Git repository security — maybe key management isn't ideal, or commits aren't signed. You're not sure if your security setup is sufficient or where to start hardening it.

Overview

GPG is the traditional commit signing method, but SSH signing and signature policies now offer more options. This guide covers SSH signing (introduced in Git 2.34+) and team-level verification strategies.

Signing Method Comparison

MethodProsConsGit Version
GPGWidest supportComplex setup, key management1.7.9+
SSHReuses SSH keys, simple setupRelatively new2.34+
S/MIMEEnterprise PKI integrationExpensive certs, complex2.19+

SSH Signing

Git 2.34+ supports signing commits and tags directly with SSH keys.

Configuration

# Use existing SSH key
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub

# Enable auto-signing
git config --global commit.gpgsign true
git config --global tag.gpgsign true

Add Public Key to Hosting Platform

Add your SSH public key (.pub file contents) to GitHub/GitLab's Signing keys or SSH keys settings.

Verify Signatures

# Check the latest commit's signature
git log --show-signature -1

# On GitHub: configure SSH key with "Sign commits and tags" enabled

Auto-Signing Setup

macOS Configuration

# gpg-agent (GPG method)
echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
gpgconf --kill gpg-agent

# SSH method (no extra setup needed, uses ssh-agent)

Signing in CI

# GitHub Actions with GPG signing
jobs:
  commit:
    steps:
      - uses: actions/checkout@v4
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
      - name: Commit
        run: |
          git config user.signingkey ${{ steps.import-gpg.outputs.fingerprint }}
          git commit -S -m "ci: update generated files"

Team Signing Policy

Enforcing Signatures

# Local: reject unsigned commits
git config --global commit.gpgsign true

# Repository (GitHub): Enable Branch protection → Require signed commits

Signing Convention

1. Every commit must be signed
2. SSH signing recommended (or GPG)
3. Each developer needs their own signing key
4. Revoke and replace keys when compromised

Audit Signatures

# Check which commits are unsigned
git log --pretty="%H %aN <%aE>%n  signed: %G?%n"

# Output:
# abc1234 Alice <alice@example.com>
#   signed: G       # Good signature
# def5678 Bob <bob@example.com>
#   signed: N       # Not signed

Troubleshooting

SSH Signature Not Showing as Verified

  1. Confirm public key is added to the hosting platform's Signing keys
  2. SSH key must be loaded into ssh-agent
  3. Check Git version (needs 2.34+)

Multiple Key Management

# Use different signing keys per repository
git config --local user.signingkey ~/.ssh/work.pub

Try it yourself

  1. Practice the signing-advanced command in a test repository and observe state changes before and after
  2. Experiment with different options and compare the output differences
  3. Simulate a real scenario where you would need to use this, and walk through the full process

Continue Learning

  1. security/gpg-signing — GPG signing basics
  2. security/ssh-key-management — SSH key management
  3. security/credential-helper — Credential helper setup

Further reading

Keep going on the same topic: