TL;DR: Anyone can put any name and email on a Git commit. Signing your commits with GPG or SSH attaches a signature that only the holder of your private key can produce, so others can check that a commit really came from you and was not altered afterwards. GitHub then shows a "Verified" badge next to your commits.
🤔 Why Should You Care?
Here's a fun (or scary) fact: Git doesn't verify who you are. Anyone can run:

```sh
git config user.name "Linus Torvalds"
git config user.email "[email protected]"
```

...and suddenly every commit looks like it came from Linus himself. The author and committer fields are plain text inside the commit object; nothing checks them. In open-source projects and professional teams, that's a real trust problem. Commit signing solves it by attaching a cryptographic signature that proves the commit was made by whoever holds your private key and has not been modified since.
🔐 What Is Commit Signing?
When you sign a commit, Git uses a private key that only you have to create a digital signature over the whole commit object (tree, parents, author, committer and message). Anyone with your public key can verify the signature is genuine, and any later change to the commit invalidates it. There are two main approaches:
- GPG (GnuPG) — the classic method, widely supported, uses PGP key pairs kept in a local keyring
- SSH — the newer, simpler alternative (Git 2.34+), reuses your existing SSH key; local verification relies on OpenSSH's ssh-keygen and a file of trusted keys rather than a keyring
Both achieve the same goal: every commit carries a signature that ties it to a key and makes tampering detectable. Be precise about what that proves. A signature shows the commit was made with a particular private key, not that the name and email in the author field are honest. GitHub's "Verified" badge adds the missing link by only appearing when the key is registered to the account whose verified email matches the committer email.
🛠️ GPG Signing Setup (Step by Step)
1. Install GPG
Most systems either have it pre-installed or it's one command away:

```sh
# Linux (Debian/Ubuntu)
sudo apt install gnupg
# macOS (Homebrew)
brew install gnupg
# Windows — install Gpg4win
# https://www.gpg4win.org/
```

Verify the installation:

```sh
gpg --version
```

2. Generate a Key Pair
Create an RSA 4096-bit key. Make sure the email address matches your GitHub (or GitLab) email:

```sh
gpg --full-generate-key
```

When prompted:
- Key type: RSA and RSA
- Key size: 4096
- Expiration: choose what fits your workflow (e.g. 1 year, or no expiration). An expiring key limits the damage if it ever leaks, and you can extend the date later without generating a new key.
- Name & email: use the same email as your Git/GitHub account
Pick a strong passphrase when asked; it protects the private key at rest.

3. List and Export Your Key
Find your key ID:

```sh
gpg --list-secret-keys --keyid-format=long
```

You'll see output like:

```
sec   rsa4096/ABCDEF1234567890 2024-01-01 [SC]
      AAAAAABBBBBBCCCCCCDDDDDDABCDEF1234567890
uid           [ultimate] Your Name <[email protected]>
ssb   rsa4096/1234567890ABCDEF 2024-01-01 [E]
```

The part after rsa4096/ on the sec line is your long key ID (here: ABCDEF1234567890); the 40-character line under it is the full fingerprint, of which the key ID is just the last 16 digits. [SC] marks the primary key as capable of signing and certifying; the ssb line with [E] is an encryption-only subkey that Git does not use. Export the public key:

```sh
gpg --armor --export ABCDEF1234567890
```

4. Add the Key to GitHub
- Copy the entire output (including -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK-----)
- Go to GitHub → Settings → SSH and GPG keys → New GPG key
- Paste and save

5. Configure Git
Tell Git to use your key and sign every commit automatically:

```sh
git config --global user.signingkey ABCDEF1234567890
git config --global commit.gpgsign true
```

The long key ID works, but the full fingerprint is accepted too and cannot be confused with another key. On macOS, you may also need to tell Git where GPG lives:

```sh
git config --global gpg.program $(which gpg)
```

That's it — every git commit from now on will be signed.
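Steps 2 to 5 above are interactive. The following script is an added example for this page, not code from the original post: it runs the same procedure unattended in an isolated keyring and a scratch repository, so you can see what a correct result looks like without touching your real ~/.gnupg or global Git config. It assumes gpg (GnuPG 2.1 or newer) and git are on PATH; the name, email and paths are invented. It departs from the wizard in one deliberate way: it generates a signing-only primary key with no encryption subkey, which is all Git needs.

```sh
#!/bin/sh
# Added example (not from the original post): steps 2 to 5 of the GPG setup run
# unattended in an isolated keyring, so nothing touches your real ~/.gnupg or
# global Git config. Assumes gpg (GnuPG 2.1+) and git on PATH. Name, email and
# paths are made up for the demo.
set -eu

# Fresh keyring: GnuPG reads GNUPGHOME instead of ~/.gnupg when it is set.
new_keyring() {
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
}

# Batch equivalent of `gpg --full-generate-key`. A signing-only RSA-4096 primary
# key is all Git needs; %no-protection skips the passphrase so the demo runs
# without a pinentry dialog (use a passphrase for a real key).
generate_signing_key() {
  gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: Alice Example
Name-Email: alice@example.com
Expire-Date: 1y
%commit
EOF
}

# Full 40-hex-digit fingerprint of the primary key for the given user id.
# Prefer it over the 16-digit key ID when configuring Git: it cannot collide.
key_fingerprint() {
  gpg --batch --with-colons --list-secret-keys "$1" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Capability flags of the primary key ("s" = sign). A key without it makes
# `git commit` fail with "gpg failed to sign the data".
key_capabilities() {
  gpg --batch --with-colons --list-keys "$1" \
    | awk -F: '$1 == "pub" { print $12; exit }'
}

# Armored public key block: this is what goes into GitHub -> New GPG key.
export_public_key() {
  gpg --batch --armor --export "$1"
}

# Step 5 (configure Git), then one signed commit and its verification,
# all inside a scratch repository.
configure_and_sign() {
  REPO=$(mktemp -d)
  git -c init.defaultBranch=main init -q "$REPO"
  git -C "$REPO" config user.name  'Alice Example'
  git -C "$REPO" config user.email 'alice@example.com'
  git -C "$REPO" config user.signingkey "$1"
  git -C "$REPO" config commit.gpgsign true
  git -C "$REPO" config gpg.program "$(command -v gpg)"
  git -C "$REPO" commit -q --allow-empty -m 'Signed with GPG' >/dev/null
  git -C "$REPO" verify-commit HEAD     # exit status 0 only for a good signature
}

main() {
  new_keyring
  generate_signing_key
  fpr=$(key_fingerprint alice@example.com)
  echo "fingerprint: $fpr (capabilities: $(key_capabilities "$fpr"))"
  export_public_key "$fpr" | head -n 1   # -----BEGIN PGP PUBLIC KEY BLOCK-----
  configure_and_sign "$fpr"
  rm -rf "$GNUPGHOME" "$REPO"
}

main "$@"
```

Run it as a script. The fingerprint it prints is the value to put into user.signingkey; the key ID the post uses is simply its last 16 hex digits. Generating a 4096-bit RSA key takes a few seconds, and for a real key you drop %no-protection and choose a passphrase.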
🔑 SSH Signing (The Simpler Alternative)
Since Git 2.34, you can sign commits with an SSH key you probably already have. No GPG needed!

```sh
# Tell Git to use SSH for signing
git config --global gpg.format ssh
# Point to your SSH public key (the private key must be loaded in ssh-agent or sit next to it)
git config --global user.signingkey ~/.ssh/id_ed25519.pub
# Auto-sign all commits
git config --global commit.gpgsign true
```

Then add the same SSH key to GitHub as a signing key (not just an authentication key):
- Go to GitHub → Settings → SSH and GPG keys → New SSH key
- Set Key type to "Signing Key"
- Paste your public key and save
That's literally all there is to it as far as GitHub is concerned. One caveat for local checks: SSH has no keyring, so Git only verifies SSH signatures once you point it at an allowed signers file (config key gpg.ssh.allowedSignersFile) that lists the public keys you trust, one "email key-type base64-key" line per key. Without it, verification commands report an error even for perfectly good signatures.
If you also tag releases (for example with semantic versioning), sign those tags as well; a signed tag ties a release point to your key in the same way a signed commit does.
✅ Verifying Signed Commits
Once signing is set up, you can verify commits locally:

```sh
git log --show-signature -1
```

You'll see something like:

```
commit abc123...
gpg: Signature made Mon 01 Jan 2024 12:00:00 PM
gpg: Good signature from "Your Name <[email protected]>"
Author: Your Name <[email protected]>
...
```

On GitHub, signed commits get a green "Verified" badge right next to the commit message. The badge means the commit was signed with a key registered to that account and that its content has not changed since; an "Unverified" label means either no signature or a key GitHub cannot tie to the account.
🧯 Troubleshooting
Here are the most common issues and how to fix them:
- "gpg: signing failed: No secret key" — Your `user.signingkey` doesn't match any key in your keyring. Double-check with `gpg --list-secret-keys`.
- "error: gpg failed to sign the data" — On macOS, add `export GPG_TTY=$(tty)` to your shell profile. On some systems, the GPG agent needs a TTY to ask for your passphrase.
- Commits show "Unverified" on GitHub — The email in your GPG/SSH key must match a verified email on your GitHub account, and the public key must be uploaded to that same account.
- SSH signing doesn't work — Make sure you're on Git 2.34 or newer (`git --version`). Also confirm you added the key as a signing key, not just an authentication key.
- GPG agent keeps asking for passphrase — Configure gpg-agent with a longer cache timeout (in seconds) in ~/.gnupg/gpg-agent.conf, then restart or reload the agent so the new values take effect:

```
default-cache-ttl 3600
max-cache-ttl 86400
```

🎯 Conclusion
Signing your Git commits takes about five minutes to set up, and from that point on, every commit you make carries cryptographic proof that it was made with your key and has not been altered since. Whether you go with GPG (battle-tested, universal) or SSH (simple, modern), the result is the same: verifiable trust. Guard the private key accordingly, because whoever holds it can produce a "Verified" commit in your name.
In a world where anyone can pretend to be anyone in a Git log, that little green "Verified" badge makes all the difference. Set it up once, forget about it, and let your commits speak for themselves — verifiably.