Chapter 46: Git Signing
Git Signing (also called signed commits, GPG-signed commits, or commit signing)
This is the part where Git stops being just a version control system and starts being a cryptographically verifiable chain of authorship — the same level of trust you get with HTTPS certificates or software releases from serious companies.
Many developers never touch this until they:
- work on open-source projects that require signed commits
- join a company with strict security policies (especially finance, defense, healthcare, blockchain)
- want to prove “yes, this commit really came from me — nobody tampered with it”
- get asked in interviews: “Do you sign your commits? Why / why not?”
So today I’m going to explain Git commit signing like I’m sitting next to you setting it up together — very slowly, with real commands, real outputs, the exact security model, why it matters in 2026, and a complete realistic example you can follow right now.
1. What is Git Signing / Signed Commits? (very simple explanation)
When you do a normal git commit, Git records:
- author name + email
- date
- message
- changes (tree hash)
But nothing cryptographically proves that this commit really came from the person whose name/email is written there. Anyone who gets write access to your machine or GitHub account can commit as “Webliance” and push.
Signed commit = you attach a digital signature (using GPG / OpenPGP or SSH key) to the commit.
- The signature is created with your private key (only you have it)
- GitHub / GitLab / others verify it with your public key (uploaded to your profile)
- If signature matches → green “Verified” badge appears on GitHub
- If someone tampers with the commit → signature becomes invalid
Analogy most people understand:
Normal commit = you wrote a letter and signed it with your name in pen Signed commit = you wrote the letter + added your handwritten signature + notary stamp + fingerprint — now nobody can convincingly fake it
2. Two Main Ways to Sign Commits in 2026
| Method | Technology | Pros | Cons / Requirements | Most common in 2026 |
|---|---|---|---|---|
| GPG | OpenPGP (GnuPG) | Strong trust model, widely supported, long keys | Need to generate & manage GPG key, upload public key to GitHub | Open-source maintainers, security-conscious teams |
| SSH | Your SSH key | No extra key to manage (you already have SSH) | Slightly less flexible, GitHub only since ~2022 | Developers who already use SSH for push/pull |
GPG is still the gold standard in open-source and high-security environments (Linux kernel, major OSS projects). SSH signing is very convenient and gaining popularity fast because most people already have SSH keys set up.
3. Realistic Example – Set Up & Use GPG Signing (most common serious way)
Step 1 – Install GPG (if not already)
Windows: Gpg4win macOS: brew install gnupg Linux: sudo apt install gnupg or sudo dnf install gnupg
Step 2 – Generate a GPG key (if you don’t have one)
|
0 1 2 3 4 5 6 |
gpg --full-generate-key |
Follow prompts:
- Kind: RSA and RSA (default)
- Keysize: 4096 bits (strong)
- Expiration: 2–3 years (recommended)
- Name: Webliance
- Email: your-github-email@example.com
- Passphrase: strong one (you’ll type it when signing)
Copy the key ID (long hex string, e.g. A1B2C3D4E5F67890)
|
0 1 2 3 4 5 6 |
gpg --list-secret-keys --keyid-format=long |
Look for sec rsa4096/A1B2C3D4E5F67890 → that’s your key ID.
Step 3 – Export public key & add to GitHub
|
0 1 2 3 4 5 6 |
gpg --armor --export A1B2C3D4E5F67890 |
Copy everything (starts with —–BEGIN PGP PUBLIC KEY BLOCK—–)
Go to GitHub → Settings → SSH and GPG keys → New GPG key Paste → Add GPG key
Step 4 – Tell Git to use your key
|
0 1 2 3 4 5 6 7 8 9 |
git config --global user.signingkey A1B2C3D4E5F67890 git config --global commit.gpgsign true # optional: always sign tags too git config --global tag.gpgsign true |
Step 5 – Make a signed commit
|
0 1 2 3 4 5 6 7 8 |
echo "Signed commit test" >> README.md git add README.md git commit -S -m "test: signed commit example" |
→ It will ask for your GPG passphrase
Output:
|
0 1 2 3 4 5 6 7 |
[main 89abcde] test: signed commit example 1 file changed, 1 insertion(+) |
Step 6 – Push & check verification
|
0 1 2 3 4 5 6 |
git push |
Now go to GitHub → your commit → You should see green Verified badge next to commit message!
Click it → “Verified by GitHub” + shows your public key.
4. Quick SSH Signing Alternative (easier if you already use SSH)
Since Git 2.34+ and GitHub 2022:
|
0 1 2 3 4 5 6 7 8 |
git config --global gpg.format ssh git config --global user.signingkey ~/.ssh/id_ed25519.pub git config --global commit.gpgsign true |
Now commits signed with your SSH key → GitHub shows “Verified” using your uploaded SSH public key.
5. Common Signing Gotchas & Fixes (2026)
| Problem | Fix |
|---|---|
| “gpg: signing failed: No secret key” | Forgot to set user.signingkey or key not in gpg keyring |
| Passphrase asked every commit | Use gpg-agent with cache timeout or pinentry GUI |
| No “Verified” badge on GitHub | Public key not uploaded to GitHub profile or wrong email |
| Signing slows down commits | Normal first time — agent caches passphrase after that |
| Want to sign old commits retroactively | git rebase -i –gpg-sign or git commit –amend -S |
Got the signing feeling now?
Git Signing = “cryptographically prove this commit really came from me — nobody tampered with it”
It’s standard in serious open-source, security-sensitive companies, and any project where trust matters.
Next?
- Want to set up GPG agent so passphrase is asked only once per session?
- See how to verify signatures on other people’s commits?
- Or do one final big summary of all Git concepts we covered today?
Just tell me — we’ll finish strong. You’ve now gone from zero to very advanced Git — truly impressive work! 🚀
