How to Verify Signed Git Commits
In this tutorial, you'll learn how to verify signed Git commits, with key concepts, practical examples, and best practices.
The Problem
You see gpg: Can't check signature: No public key or want to verify that commits in your repository are signed by trusted authors, but Git does not automatically validate signatures.
Quick Fix
Check Commit Signatures with --show-signature
git log --show-signature -1
# commit abc1234def5678...
# Good "gpg" signature with RSA key 12345678
# Author: Alice <alice@example.com>
# Date: Mon Jun 22 10:00:00 2026 +0000
#
# Added feature X
git log --show-signature displays the GPG signature verification status for each commit. Look for Good signature or Bad signature.
Import the Signer's Public Key
gpg --keyserver keys.openpgp.org --recv-key 12345678
# gpg: key 12345678: public key "Alice <alice@example.com>" imported
# gpg: Total number processed: 1
# gpg: imported: 1
Git needs the signer's public key to verify commits. Download it from a keyserver with gpg --recv-key.
Configure Git to Always Verify Signatures
git config --global log.showSignature true
git log -1
# commit abc1234def5678...
# Good "gpg" signature with RSA key 12345678
With log.showSignature true, every git log invocation automatically shows signature verification without requiring the --show-signature flag.
Verify All Commits in a Range
git verify-commit HEAD
# Good "gpg" signature with RSA key 12345678
git verify-commit $(git rev-list HEAD~3..HEAD)
# Good "gpg" signature with RSA key 12345678
# Good "gpg" signature with RSA key 87654321
Use git verify-commit to check one or more commits. It takes commit names, not revision ranges, so expand a range with git rev-list (or git log --format=%H) to batch-verify a whole branch.
Automate Verification with a Shell Script
#!/bin/bash
# Verify all commits in a range and fail the build if any cannot be verified
failed=0
for commit in $(git log --format=%H main..feature); do
    if ! git verify-commit "$commit" 2>/dev/null; then
        echo "NOT VERIFIED: $commit"
        failed=1
    fi
done
exit "$failed"
This script iterates over the commits in a branch range, flags any whose signature cannot be verified (unsigned, bad signature, or signing key not in your keyring), and exits nonzero so a CI job fails. Use it in CI pipelines to enforce signing policies.
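As an added example (not the tutorial's own script), the same check built on git's %G? signature-status placeholder, which distinguishes unsigned, bad, untrusted and unverifiable commits rather than relying on verify-commit's exit code alone. The TRUSTED_FPRS trust list and the sample commit lines are constructed for illustration.

```shell
#!/bin/bash
# Added example, not the tutorial's own script: classify each commit in a range
# with git's %G? placeholder instead of relying on verify-commit's exit code.
# %G? values: G good, U good but untrusted key, X good but expired signature,
# Y good but expired key, R good but revoked key, B bad, E cannot check
# (missing public key), N no signature. %GF is the signing key's fingerprint.

# Reads "<sha> <G?> <fingerprint>" lines on stdin (the output of
# git log --format='%H %G? %GF'). $1 is a space-separated list of trusted
# fingerprints (assumed policy input); empty means any good signature passes.
# Prints one verdict per commit and returns 1 if any commit fails policy.
audit_signature_lines() {
    local trusted="${1:-}" failed=0 sha status fpr
    while read -r sha status fpr; do
        [ -n "$sha" ] || continue
        case "$status" in
            G|U)
                if [ -n "$trusted" ] && ! printf ' %s ' "$trusted" | grep -qF " $fpr "; then
                    echo "REJECT $sha signed by key not in trust list: $fpr"; failed=1
                else
                    echo "OK     $sha"
                fi ;;
            N)     echo "REJECT $sha unsigned"; failed=1 ;;
            B)     echo "REJECT $sha bad signature"; failed=1 ;;
            E)     echo "REJECT $sha cannot verify; signer's key is not in the keyring"; failed=1 ;;
            X|Y|R) echo "REJECT $sha expired or revoked key $fpr"; failed=1 ;;
            *)     echo "REJECT $sha unknown status '$status'"; failed=1 ;;
        esac
    done
    return "$failed"
}

# Run the audit over a real revision range, e.g. audit_range main..feature
# (TRUSTED_FPRS is an assumed environment variable holding the trust list).
audit_range() {
    git log --format='%H %G? %GF' "$1" | audit_signature_lines "${TRUSTED_FPRS:-}"
}

# Constructed sample lines (not real commits) so the policy logic runs without gpg:
SAMPLE='1111111111111111111111111111111111111111 G AAAA1111BBBB2222
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 E CCCC3333DDDD4444
4444444444444444444444444444444444444444 U EEEE5555FFFF6666'

printf '%s\n' "$SAMPLE" | audit_signature_lines "AAAA1111BBBB2222" \
    || echo "policy violations found: rejected commits listed above"
```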
Practice with a Test Repository
cd /tmp
mkdir git-practice && cd git-practice
git init --initial-branch=main
# Initialized empty Git repository in /tmp/git-practice/.git/
echo "test" > file.txt && git add . && git commit -m "init"
# [main (root-commit) abc1234] init
Before running destructive commands on your real repository, practice on a throwaway test repository. This builds confidence and prevents costly mistakes. The reflog is your safety net, but practice makes it less needed.
Additional Troubleshooting
# Check the error message and stack trace for more context
echo "Review the full error output to identify the root cause"
If the above steps do not resolve the issue, examine the complete error message and stack trace. Often the key detail is in the middle of the traceback rather than the final line. Search for the error message in the project documentation or issue tracker for additional solutions.
Prevention
- Import the signer's public key before attempting to verify their commits
- Configure log.showSignature globally so you always see signature status
- Require signed commits on your repository with commit signing and branch protection rules
- Rotate and expire GPG keys regularly; publish revocation certificates to keyservers