
How to Verify Signed Git Commits

DodaTech 2 min read

In this tutorial, you'll learn how to verify signed Git commits. We cover key concepts, practical examples, and best practices.

The Problem

You see gpg: Can't check signature: No public key, or you want to confirm that the commits in your repository were signed by authors you trust, but Git does not validate signatures unless you ask it to.

Quick Fix

Check Commit Signatures with --show-signature

git log --show-signature -1
# commit abc1234def5678...
# gpg: Signature made Mon Jun 22 10:00:00 2026 UTC
# gpg:                using RSA key 12345678
# gpg: Good signature from "Alice <alice@example.com>" [ultimate]
# Author: Alice <alice@example.com>
# Date:   Mon Jun 22 10:00:00 2026 +0000
# 
#     Added feature X

git log --show-signature runs gpg on each commit and prints its verdict above the Author line. Look for Good signature or BAD signature. A Good signature only proves that the commit was signed with that key; if the key is not trusted in your keyring, gpg also prints a WARNING that the key is not certified.

Import the Signer's Public Key

gpg --keyserver keys.openpgp.org --recv-key 12345678
# gpg: key 12345678: public key "Alice <alice@example.com>" imported
# gpg: Total number processed: 1
# gpg:               imported: 1

Git needs the signer's public key in your local keyring to verify commits. Download it from a keyserver with gpg --recv-key. A keyserver does not vouch for who owns a key, so compare the key's fingerprint with one the author published through a channel you trust before relying on it.

Configure Git to Always Verify Signatures

git config --global log.showSignature true
git log -1
# commit abc1234def5678...
# gpg: Signature made Mon Jun 22 10:00:00 2026 UTC
# gpg:                using RSA key 12345678
# gpg: Good signature from "Alice <alice@example.com>" [ultimate]

With log.showSignature true, every git log invocation automatically shows signature verification without requiring the --show-signature flag.

Verify All Commits in a Range

git verify-commit HEAD
# gpg: Signature made Mon Jun 22 10:00:00 2026 UTC
# gpg:                using RSA key 12345678
# gpg: Good signature from "Alice <alice@example.com>" [ultimate]
git verify-commit $(git rev-list HEAD~3..HEAD)
# gpg:                using RSA key 12345678
# gpg: Good signature from "Alice <alice@example.com>" [ultimate]
# gpg:                using RSA key 87654321
# gpg: Good signature from ...

git verify-commit checks one or more commit IDs and exits non-zero if any of them fails to verify. It does not understand range syntax such as HEAD~3..HEAD, so expand a range with git rev-list (or git log --format=%H) first to batch-verify a whole branch.

Automate Verification with a Shell Script

#!/bin/bash
# Verify every commit in a range; exit non-zero if any fails, so CI can block the merge
set -u
status=0
for commit in $(git rev-list main..feature); do
    if ! git verify-commit "$commit" 2>/dev/null; then
        echo "NOT VERIFIED: $commit"   # unsigned, bad signature, or signer's key not in keyring
        status=1
    fi
done
exit "$status"

This script iterates over the commits in a branch range, flags any that does not verify (unsigned, a bad signature, or a signer's key missing from the keyring), and exits non-zero if it found one. Use it in CI pipelines to enforce signing policies.
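The loop above calls gpg once per commit and cannot tell an unsigned commit from one signed with an untrusted or missing key. As an added example (not code from the original post), the script below gates a range in a single git invocation: git log's %G? placeholder emits one status letter per commit (documented in git-log(1): G good, U good but untrusted key, B bad, X signature expired, Y key expired, R key revoked, E cannot check because the key is missing, N no signature), and the function turns each letter into a verdict and an exit code. The "status|hash|keyid|author" layout, the policy of accepting only G, and the sample log lines are choices made for this example.

```bash
#!/bin/bash
# Added example: classify commits by the signature status letter that
#   git log --format='%G?|%H|%GK|%aN' <range>
# emits (status, hash, signing key ID, author name). Status letters per git-log(1):
# G good, U good but untrusted key, B bad, X signature expired, Y key expired,
# R key revoked, E cannot check (missing key), N no signature.

# Read "status|hash|keyid|author" lines on stdin, print one verdict per commit and
# return 1 if any commit fails the policy "good signature from a trusted key".
check_signature_status() {
    rc=0
    while IFS='|' read -r status hash keyid author; do
        [ -n "$status" ] || continue          # skip blank lines
        case "$status" in
            G) verdict="OK    good signature, trusted key $keyid" ;;
            U) verdict="FAIL  good signature, but key $keyid is not trusted in this keyring"; rc=1 ;;
            E) verdict="FAIL  cannot check: public key $keyid not in keyring (import it first)"; rc=1 ;;
            N) verdict="FAIL  no signature"; rc=1 ;;
            B) verdict="FAIL  BAD signature: commit content or signature was altered"; rc=1 ;;
            X) verdict="FAIL  good signature, but it has expired"; rc=1 ;;
            Y) verdict="FAIL  good signature, but key $keyid has expired"; rc=1 ;;
            R) verdict="FAIL  good signature, but key $keyid was revoked"; rc=1 ;;
            *) verdict="FAIL  unexpected status '$status'"; rc=1 ;;
        esac
        printf '%s %s (%s)\n' "$hash" "$verdict" "$author"
    done
    return "$rc"
}

# Constructed sample in the layout git would emit; hashes, key IDs and names
# are made up for this example.
SAMPLE_LOG='G|abc1234def5678|12345678|Alice
U|bbb2222ccc3333|87654321|Bob
E|ccc3333ddd4444|AAAABBBB|Carol
N|ddd4444eee5555||Dave
B|eee5555fff6666|12345678|Mallory'

# Demo run on the constructed sample. On a real branch use:
#   git log --format='%G?|%H|%GK|%aN' main..feature | check_signature_status
if printf '%s\n' "$SAMPLE_LOG" | check_signature_status; then
    echo "policy: all commits carry good signatures from trusted keys"
else
    echo "policy: at least one commit fails signature policy" >&2
fi
```

Because the classification happens in one pass, the output also doubles as an audit record: a run full of E verdicts means the CI runner's keyring is incomplete, while a U verdict means the key is present but nobody has marked it trusted, and neither should be confused with a forged or missing signature.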

Practice with a Test Repository

cd /tmp
mkdir git-practice && cd git-practice
git init --initial-branch=main
# Initialized empty Git repository in /tmp/git-practice/.git/
echo "test" > file.txt && git add . && git commit -m "init"
# [main (root-commit) abc1234] init

Before changing signing or trust settings on your real repository, rehearse on a throwaway test repository. This builds confidence and prevents costly mistakes. The reflog is your safety net for bad commits, but practice makes it less needed.
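The throwaway repository above has no signed commits, so there is nothing to verify yet. The script below is an added example, not code from the original post: it generates a throwaway GPG key in its own GNUPGHOME, makes one signed commit, and then judges that commit from a second, empty keyring to reproduce the "No public key" problem from the start of this page, and once more after importing the signer's public key. The identity, directory names and commit message are invented for this example, and the script assumes git and gpg 2.1 or newer are installed.

```bash
#!/bin/bash
# Added example: rehearse the signing-and-verifying workflow on throwaway material.
set -eu

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer-gnupg"      # keyring holding the private signing key
VERIFIER_HOME="$WORK/verifier-gnupg"  # keyring of someone else checking the commit
mkdir -m 700 "$SIGNER_HOME" "$VERIFIER_HOME"

# Print git's one-letter signature status for HEAD as seen from a given keyring:
# G good and trusted, U good but untrusted key, E cannot check (key missing), N unsigned.
signature_status() {  # $1 = GNUPGHOME to verify with, $2 = repository path
    GNUPGHOME="$1" git -C "$2" log -1 --format='%G?'
}

# 1. Throwaway signing key: Ed25519, sign-only, no passphrase, never expires.
GNUPGHOME="$SIGNER_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Practice Signer <practice@example.invalid>' ed25519 sign never
KEYID=$(GNUPGHOME="$SIGNER_HOME" gpg --batch --list-secret-keys --with-colons \
        | awk -F: '$1 == "sec" { print $5; exit }')

# 2. Throwaway repository with one signed commit (-S uses user.signingkey).
REPO="$WORK/repo"
git init -q --initial-branch=main "$REPO"
git -C "$REPO" config user.name 'Practice Signer'
git -C "$REPO" config user.email 'practice@example.invalid'
git -C "$REPO" config user.signingkey "$KEYID"
echo test > "$REPO/file.txt"
git -C "$REPO" add file.txt
GNUPGHOME="$SIGNER_HOME" git -C "$REPO" commit -q -S -m 'init (signed)'

# 3. The same commit judged from each keyring.
STATUS_SIGNER=$(signature_status "$SIGNER_HOME" "$REPO")     # G: own key, ultimately trusted
STATUS_MISSING=$(signature_status "$VERIFIER_HOME" "$REPO")  # E: "Can't check signature: No public key"

# 4. Fix: hand the verifier the public key (gpg --recv-key from a keyserver does the same job).
GNUPGHOME="$SIGNER_HOME" gpg --batch --export --armor "$KEYID" \
    | GNUPGHOME="$VERIFIER_HOME" gpg --batch --quiet --import
STATUS_IMPORTED=$(signature_status "$VERIFIER_HOME" "$REPO")  # U: good signature, key not yet trusted

echo "signer keyring:          $STATUS_SIGNER"
echo "verifier, key missing:   $STATUS_MISSING"
echo "verifier, key imported:  $STATUS_IMPORTED"
# verify-commit exits 0 here: U only means the imported key has no ownertrust yet.
GNUPGHOME="$VERIFIER_HOME" git -C "$REPO" verify-commit HEAD
echo "practice material left in $WORK"

# Stop the gpg-agents started for the throwaway keyrings.
GNUPGHOME="$SIGNER_HOME" gpgconf --kill gpg-agent
GNUPGHOME="$VERIFIER_HOME" gpgconf --kill gpg-agent
```

The three status letters tell the story of the whole page in one run: the author's own keyring reports G, a keyring without the public key reports E (the gpg: Can't check signature: No public key message), and importing the key turns that into U, a good signature from a key you have not yet decided to trust. Everything lives under one mktemp directory, so deleting it removes the key, the repository and the agents' sockets together.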

Additional Troubleshooting


If the above steps do not resolve the issue, examine the complete error output rather than only its last line; gpg often prints the decisive detail (an expired key, a revoked key, a missing public key) in an earlier gpg: line. Search for the error message in the project documentation or issue tracker for additional solutions.

Prevention

  • Import the signer's public key before attempting to verify their commits
  • Configure log.showSignature globally so you always see signature status
  • Require signed commits on your repository with commit signing and branch protection rules
  • Give GPG keys an expiry date and rotate them; generate a revocation certificate when you create a key so you can publish it to keyservers if the key is ever lost or compromised
