Signing your git commits can be a valuable option when you have to prove that you are the author of commits, or that a commit wasn’t altered by someone else, for example during a rebase. There are a few not-so-obvious steps needed to make it work.
Generate your public/private keys
gpg --full-gen-key # gpg 2.x
gpg --gen-key # gpg 1.x
- Choose RSA and RSA
- Set keysize to
- Set validity period of your key (whatever suits you)
- Enter your details (your name and email). They should match your committer identity; otherwise you’ll have to tell git manually which key to use
Export your public key
- Get your public key by running:
gpg --list-secret-keys --keyid-format LONG
Find your key and copy the id, it’s preceded by
Then run the export command:
gpg --armor --export 123456789ABCDEF0
and copy the output with your public key (including the -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- lines).
Add a public key to git repository
Go to your profile settings, to the SSH and GPG keys section, and click on New GPG key, where you can paste and save your key.
Go to user settings, to GPG keys, paste your key and press
Setup your local repository and tools
The hosting services now know your public key, but your local git still has to be instructed to sign with it.
There are two ways to do this:
- Use the -S switch each time you want to sign a commit:
git commit -S -m "add new feature"
- Configure git to use signing as the default option:
git config --global commit.gpgsign true
On Linux distributions where the GnuPG 2 binary is named gpg2, you have to set it explicitly:
git config --global gpg.program gpg2
Force which key is used to sign
In case of a mismatch between your git user email and the email used for your gpg key, you can be explicit about the key used for signing:
git config --global user.signingkey 123456789ABCDEF0
Configure your IDE
When committing from an IDE like IntelliJ, you have to configure gpg not to use the terminal but its own GUI instead.
Just add the following line to
On the other hand, this will cause problems when committing over an SSH session, so be aware that you have to switch this option on or off depending on whether you’re working remotely.
You can easily see which commits are signed and verified on GitLab and GitHub repository pages.
Every signed commit will have a nice green Verified label. The other option is to use the git log command:
git log --show-signature
After each signed commit you’ll see info from gpg about the status of that commit (whether it is verified or not).
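Reading --show-signature output by eye does not scale to a whole branch. As an added example that is not part of the original post, the POSIX shell helper below feeds git’s %G? signature-status placeholder through a small audit so every unsigned or badly signed commit in a range is flagged and the exit status reflects it; the sample log lines and hashes are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit the signature status of
# a commit range. Intended usage against a real repository:
#   git log --format='%G? %H %s' main..HEAD | audit_signatures
# The exit status is non-zero when any commit is unsigned or badly signed.

# Map one %G? status letter (git's own codes) to a verdict line:
# G good, U good/unknown trust, X good/expired signature, Y good/expired key,
# R good/revoked key, B bad signature, E cannot be checked, N not signed.
describe_status() {
  case "$1" in
    G) echo "ok    good signature, trusted key" ;;
    U) echo "WARN  good signature, key trust unknown" ;;
    X) echo "FAIL  good signature, but it has expired" ;;
    Y) echo "FAIL  good signature made by an expired key" ;;
    R) echo "FAIL  good signature made by a revoked key" ;;
    B) echo "FAIL  BAD signature" ;;
    E) echo "FAIL  cannot be checked (public key missing?)" ;;
    N) echo "FAIL  not signed" ;;
    *) echo "FAIL  unexpected status '$1'" ;;
  esac
}

# Read "<status> <hash> <subject>" lines on stdin, print one verdict per
# commit and return 1 if any commit failed. Only G and U pass; drop U from
# the pass list if you require keys you have explicitly trusted.
audit_signatures() {
  failed=0
  while read -r status hash subject; do
    printf '%s  %.12s  %s\n' "$(describe_status "$status")" "$hash" "$subject"
    case "$status" in G|U) ;; *) failed=1 ;; esac
  done
  return "$failed"
}

# Run the audit over a log given as a string and report pass/fail as a word.
audit_result() {
  if printf '%s\n' "$1" | audit_signatures >/dev/null; then echo pass; else echo fail; fi
}

# Constructed stand-in for real `git log --format='%G? %H %s'` output.
SAMPLE_LOG='G 1111111111111111111111111111111111111111 add new feature
N 2222222222222222222222222222222222222222 fix typo
E 3333333333333333333333333333333333333333 refactor module'

printf '%s\n' "$SAMPLE_LOG" | audit_signatures || echo "some commits failed verification"
```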