Signed Commits: GPG & SSH Signing for Git Authentication

DodaTech Updated 2026-06-22 5 min read

In this tutorial, you'll learn about Signed Commits: GPG & SSH Signing for Git Authentication. We cover key concepts, practical examples, and best practices.

Commit signing uses cryptographic keys to attach a digital signature to each commit, proving the author's identity and preventing impersonation.

In this tutorial, you'll learn how to sign Git commits with GPG and SSH keys. Signed commits prove that the author is who they claim to be, protecting your project from impersonation and tampering. By the end, you'll generate keys, configure Git to sign automatically, and display verified badges on GitHub and GitLab.

flowchart LR
  A[Generate GPG key] --> B[Add public key to GitHub]
  B --> C[Configure Git to sign commits]
  C --> D[git commit -S -m "message"]
  D --> E[Git signs the commit]
  E --> F[Push to GitHub]
  F --> G[GitHub shows Verified badge]

GPG Key Generation

Generate a GPG key pair for signing:

gpg --full-generate-key

Follow the prompts:

  1. Select RSA and RSA (default)
  2. Enter 4096 bits
  3. Set expiry (1 year recommended)
  4. Enter your name and email (must match your Git config)
  5. Set a passphrase

Expected output:

gpg: key 1A2B3C4D5E6F7G8H marked as ultimately trusted
public and secret key created and signed.

Listing Your GPG Keys

gpg --list-secret-keys --keyid-format LONG

Expected output:

/home/user/.gnupg/secring.gpg
----------------------------------------
sec   rsa4096/1A2B3C4D5E6F7G8H 2026-06-22
uid                 [ultimate] Your Name <you@example.com>
ssb   rsa4096/ABCDEF1234567890

Adding GPG Key to Git

# Configure signing key
git config --global user.signingkey 1A2B3C4D5E6F7G8H

# Sign all commits by default
git config --global commit.gpgsign true

# Export public key
gpg --armor --export 1A2B3C4D5E6F7G8H

Add the exported public key to GitHub: Settings > SSH and GPG keys > New GPG key.
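The prompts above are interactive. For a reproducible setup (a new workstation, a build image) the same choices can be expressed as a GnuPG batch parameter file, and the long key ID can be read from gpg's machine-readable colon output instead of by eye. The script below is an added example, not part of the tutorial; "Your Name" and the e-mail are placeholders, and it writes to your global Git config exactly as the commands above do.

```shell
#!/bin/sh
# Added example: unattended GPG signing-key setup mirroring the interactive
# prompts in the tutorial (RSA 4096, RSA subkey, 1-year expiry, name and
# e-mail matching the Git config). Usage: ./gpg-setup.sh "Your Name" you@example.com
set -eu

# Print the long (16 hex digit) key ID of the first secret primary key in
# `gpg --with-colons --list-secret-keys` output read from stdin.
# In colon format, field 1 is the record type ("sec") and field 5 the key ID.
keyid_from_colons() {
  awk -F: '$1 == "sec" { print $5; exit }'
}

# Generate the key in batch mode and point Git at it. Honors $GNUPGHOME, so a
# scratch directory can be used for a dry run.
generate_signing_key() {
  name="$1"
  email="$2"
  # %no-protection creates a key without a passphrase, which is what an
  # unattended CI identity needs. For a personal key delete that line so gpg
  # prompts for a passphrase, as the tutorial recommends.
  gpg --batch --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $name
Name-Email: $email
Expire-Date: 1y
%commit
EOF
  keyid=$(gpg --with-colons --list-secret-keys "$email" | keyid_from_colons)
  if [ -z "$keyid" ]; then
    echo "no secret key found for $email" >&2
    return 1
  fi
  # Same two settings the tutorial applies by hand.
  git config --global user.signingkey "$keyid"
  git config --global commit.gpgsign true
  printf '%s\n' "$keyid"
}

# Only act when a name and e-mail were passed on the command line.
if [ "$#" -eq 2 ]; then
  generate_signing_key "$1" "$2"
fi
```

Run it once and paste the output of `gpg --armor --export <printed key id>` into GitHub. If the key ID it prints does not appear in `gpg --list-secret-keys --keyid-format LONG`, the key was created under a different `GNUPGHOME` than the one your shell uses.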

Signing Commits

Sign a specific commit:

git commit -S -m "Signed commit message"

With commit.gpgsign true, regular commits are automatically signed:

git commit -m "Auto-signed"

SSH Signing (Alternative)

Git 2.34+ supports SSH commit signing:

git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub

Add your SSH public key to GitHub for SSH signing.

Verifying Signatures

git log --show-signature

Expected output:

commit a1b2c3d...
Good "git" signature for you@example.com with RSA key 1A2B3C4D
Author: Your Name <you@example.com>
Date:   Mon Jun 22 10:00:00 2026 +0000

    Verified commit

Verify a single commit:

git verify-commit HEAD
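The two SSH configuration lines above are enough to sign, but not to verify: `git verify-commit` and `git log --show-signature` for SSH signatures also need `gpg.ssh.allowedSignersFile`, a file mapping each trusted e-mail (principal) to its public key; without it Git refuses to verify. The script below is an added example, not code from the tutorial. It runs the whole SSH round trip inside a scratch directory with a throwaway key and repository-local Git config, so nothing in your global configuration changes; the identity `dev@example.com` is a placeholder.

```shell
#!/bin/sh
# Added example: SSH commit signing round trip (sign, then verify) in a
# scratch directory, including the allowed-signers file the tutorial omits.
set -eu

# Return 0 when git and ssh-keygen are present and Git is 2.34 or newer,
# the version that introduced gpg.format=ssh.
git_supports_ssh_signing() {
  command -v git >/dev/null 2>&1 || return 1
  command -v ssh-keygen >/dev/null 2>&1 || return 1
  git --version | awk '{ split($3, v, "."); exit !(v[1] > 2 || (v[1] == 2 && v[2] >= 34)) }'
}

# Run the full round trip inside $1 (an empty scratch directory).
# Prints the commit's one-letter signature status (%G?, "G" = good) and
# fails if Git cannot verify the signature.
ssh_signing_roundtrip() {
  work="$1"
  email="dev@example.com"   # placeholder identity
  mkdir -p "$work/ssh" "$work/repo"
  chmod 700 "$work/ssh"

  # 1. Throwaway ed25519 key. No passphrase so the run is unattended.
  ssh-keygen -q -t ed25519 -N '' -C "$email" -f "$work/ssh/id_ed25519"

  # 2. Allowed-signers file: "<principal> <keytype> <base64 key>".
  #    Git looks the committer's e-mail up here when verifying.
  printf '%s %s\n' "$email" "$(cut -d' ' -f1,2 "$work/ssh/id_ed25519.pub")" \
    > "$work/ssh/allowed_signers"

  # 3. Repository configured for SSH signing (local config only).
  git -C "$work/repo" init -q
  git -C "$work/repo" config user.name "Example Dev"
  git -C "$work/repo" config user.email "$email"
  git -C "$work/repo" config gpg.format ssh
  git -C "$work/repo" config user.signingkey "$work/ssh/id_ed25519.pub"
  git -C "$work/repo" config gpg.ssh.allowedSignersFile "$work/ssh/allowed_signers"
  git -C "$work/repo" config commit.gpgsign true

  # 4. With commit.gpgsign on, a plain commit is signed (no -S needed).
  printf 'hello\n' > "$work/repo/README"
  git -C "$work/repo" add README
  git -C "$work/repo" commit -q -m "Signed via SSH key"

  # 5. verify-commit exits non-zero on a bad or unverifiable signature;
  #    %G? reports the status letter Git would show in the log.
  git -C "$work/repo" verify-commit HEAD
  git -C "$work/repo" log -1 --format='%G?'
}

# Stand-alone run in a temporary directory, skipped where SSH signing is unavailable.
if git_supports_ssh_signing; then
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  echo "signature status: $(ssh_signing_roundtrip "$tmp")"
else
  echo "git 2.34+ and ssh-keygen are required for SSH signing" >&2
fi
```

To see the failure mode the tutorial's two lines leave you with, comment out the `gpg.ssh.allowedSignersFile` line and rerun: signing still succeeds, but verification stops with an error about the missing allowed-signers file.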

Setting Up on GitLab

GitLab also supports verified commits:

# Same GPG setup, add key in GitLab
# Settings > GPG Keys > Add key

Comparison: GPG vs SSH Signing

| Feature | GPG Signing | SSH Signing |
|---|---|---|
| Key generation | gpg --full-generate-key | ssh-keygen -t ed25519 |
| Key size | 2048-4096 bits | 256-4096 bits |
| Ecosystem | PGP web of trust | Simple key management |
| Git version | All versions | 2.34+ |
| Platform support | GitHub, GitLab, Bitbucket | GitHub, GitLab |
| Passphrase | Required | Optional (SSH agent) |
| Default for Git | Standard | Newer alternative |

Common Errors

| Error | Cause | Fix |
|---|---|---|
| gpg: signing failed: secret key not available | Wrong key ID in config | Check user.signingkey matches gpg --list-secret-keys |
| gpg: can't sign: No secret key | GPG key not locally available | Import or regenerate key |
| Commit not showing Verified on GitHub | Public key not added to GitHub | Add GPG public key in GitHub settings |
| error: gpg failed to sign the data | GPG agent issue | export GPG_TTY=$(tty) in shell config |
| Could not find SSH signing key | Key path wrong | Verify user.signingkey path |
| Please tell me who you are | Email mismatch | GPG key email must match Git email |
| gpg: signing failed: Inappropriate ioctl | Terminal for passphrase | Add export GPG_TTY=$(tty) to ~/.bashrc |
| Commit signed but badge missing | Commit author not matching key email | Author email must match GPG key UID |

Practice Questions

Why should I sign commits?

Signed commits prove that the commit author is verified. They prevent impersonation — without signing, anyone can set any name and email in their Git config. GitHub and GitLab display a "Verified" badge next to signed commits, building trust in your project's history.

What is the difference between GPG and SSH signing for Git?

GPG signing uses PGP keys with a longer history and wider ecosystem. SSH signing reuses your existing SSH keys for Git commit signing, simplifying key management. SSH signing requires Git 2.34+. Both provide equivalent security.

How do I make Git sign every commit automatically?

Configure git config --global commit.gpgsign true. After this, every git commit (without the -S flag) will be automatically signed using your default signing key.

Why is my commit not showing as Verified on GitHub?

Common reasons: (1) The public key was not added to GitHub, (2) the commit author email does not match the GPG key email, or (3) the GPG key has expired. Check the author email with git log and verify it matches the key's UID.

Can I have multiple signing keys?

Yes. Use git config user.signingkey <key-id> per repository for different keys, or --global for a single key across all repos. You can set different keys for work and personal projects.

Challenge

Generate a new GPG key pair specifically for open-source work. Configure Git to use it globally. Make three signed commits. Verify the signatures using git log --show-signature. Export the public key and add it to your GitHub account. Create a new repository and push the commits — verify the "Verified" badges appear on GitHub.

Real-World Task

In a team repository, enforce commit signing using a server-side pre-receive hook or branch protection rule requiring signed commits. Set up a CI/CD job that verifies all commits in a pull request are signed before allowing merge. Configure automated key rotation where GPG keys are regenerated yearly and updated in the repository's CI configuration. This signing enforcement is standard at DodaTech for all production repositories including Durga Antivirus Pro's codebase.
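The CI gate described above comes down to asking Git for the signature status of every commit in the pull-request range and rejecting anything that is not a verified good signature. Git exposes that status as the `%G?` log placeholder (G good, B bad, U good but untrusted, X and Y good but expired, R revoked, E unverifiable, N unsigned). The script below is an added example, not DodaTech's own tooling: the decision logic reads `<hash> <status>` lines from stdin so it can be exercised without a repository, and `check_range_signed` is the thin wrapper a pipeline step would call with the base and head revisions it is given.

```shell
#!/bin/sh
# Added example: CI gate that fails when any commit in a range lacks a
# verified good signature. Usage: ./check-signed.sh origin/main HEAD
set -eu

# Explain Git's one-letter signature status (%G?) in words.
describe_status() {
  case "$1" in
    G) echo "good signature" ;;
    U) echo "good signature, key not trusted" ;;
    X) echo "good signature, but it has expired" ;;
    Y) echo "good signature, but the key has expired" ;;
    R) echo "good signature, but the key is revoked" ;;
    B) echo "BAD signature" ;;
    E) echo "signature cannot be checked (key not available)" ;;
    N) echo "no signature" ;;
    *) echo "unknown status '$1'" ;;
  esac
}

# Read "<hash> <status>" lines from stdin. Print one REJECT line per commit
# that does not carry a verified good signature and return 1 if there were any.
# Only "G" passes. Set ALLOW_UNTRUSTED=1 to also pass "U", which is what a
# runner without the signers' keys in its keyring will report for GPG.
check_signature_lines() {
  bad=0
  while read -r hash status; do
    [ -n "$hash" ] || continue
    case "$status" in
      G) ;;
      U)
        if [ "${ALLOW_UNTRUSTED:-0}" != 1 ]; then
          printf 'REJECT %s: %s\n' "$hash" "$(describe_status "$status")"
          bad=1
        fi
        ;;
      *)
        printf 'REJECT %s: %s\n' "$hash" "$(describe_status "$status")"
        bad=1
        ;;
    esac
  done
  return "$bad"
}

# Check every commit reachable from $2 but not from $1 (base..head).
# Returns 2 if git itself fails, 1 if a commit is rejected, 0 otherwise.
check_range_signed() {
  log=$(git log --format='%H %G?' "$1..$2") || return 2
  printf '%s\n' "$log" | check_signature_lines
}

if [ "$#" -eq 2 ]; then
  check_range_signed "$1" "$2"
fi
```

For GPG-signed history the runner must have the team's public keys imported (and, for a strict "G" policy, marked trusted); for SSH-signed history it needs `gpg.format=ssh` and an allowed-signers file checked into the CI image. Otherwise every commit shows up as E or U and the gate blocks all merges rather than only the unsigned ones.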


Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.