Signed Commits: GPG & SSH Signing for Git Authentication
In this tutorial, you'll learn about Signed Commits: GPG & SSH Signing for Git Authentication. We cover key concepts, practical examples, and best practices.
Commit signing uses cryptographic keys to attach a digital signature to each commit, proving the author's identity and preventing impersonation.
In this tutorial, you'll learn how to sign Git commits with GPG and SSH keys. Signed commits prove that the author is who they claim to be, protecting your project from impersonation and tampering. By the end, you'll generate keys, configure Git to sign automatically, and display verified badges on GitHub and GitLab.
flowchart LR
    A[Generate GPG key] --> B[Add public key to GitHub]
    B --> C[Configure Git to sign commits]
    C --> D[git commit -S -m "message"]
    D --> E[Git signs the commit]
    E --> F[Push to GitHub]
    F --> G[GitHub shows Verified badge]
GPG Key Generation
Generate a GPG key pair for signing:
gpg --full-generate-key
Follow the prompts:
- Select RSA and RSA (default)
- Enter 4096 bits
- Set expiry (1 year recommended)
- Enter your name and email (must match your Git config)
- Set a passphrase
Expected output:
gpg: key 1A2B3C4D5E6F7G8H marked as ultimately trusted
public and secret key created and signed.
Listing Your GPG Keys
gpg --list-secret-keys --keyid-format LONG
Expected output:
/home/user/.gnupg/secring.gpg
----------------------------------------
sec rsa4096/1A2B3C4D5E6F7G8H 2026-06-22
uid [ultimate] Your Name <you@example.com>
ssb rsa4096/ABCDEF1234567890
Adding GPG Key to Git
# Configure signing key
git config --global user.signingkey 1A2B3C4D5E6F7G8H
# Sign all commits by default
git config --global commit.gpgsign true
# Export public key
gpg --armor --export 1A2B3C4D5E6F7G8H
Add the exported public key to GitHub: Settings > SSH and GPG keys > New GPG key.
Signing Commits
Sign a specific commit:
git commit -S -m "Signed commit message"
With commit.gpgsign true, regular commits are automatically signed:
git commit -m "Auto-signed"
SSH Signing (Alternative)
Git 2.34+ supports SSH commit signing:
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
Add your SSH public key to GitHub for SSH signing.
Verifying Signatures
git log --show-signature
Expected output:
commit a1b2c3d...
Good "git" signature for you@example.com with RSA key 1A2B3C4D
Author: Your Name <you@example.com>
Date: Mon Jun 22 10:00:00 2026 +0000
Verified commit
Verify a single commit:
git verify-commit HEAD
Setting Up on GitLab
GitLab also supports verified commits:
# Same GPG setup, add key in GitLab
# Settings > GPG Keys > Add key
Comparison: GPG vs SSH Signing
| Feature | GPG Signing | SSH Signing |
|---|---|---|
| Key generation | gpg --full-generate-key | ssh-keygen -t ed25519 |
| Key size | 2048-4096 bits | 256-4096 bits |
| Ecosystem | PGP web of trust | Simple key management |
| Git version | All versions | 2.34+ |
| Platform support | GitHub, GitLab, Bitbucket | GitHub, GitLab |
| Passphrase | Required | Optional (SSH agent) |
| Default for Git | Standard | Newer alternative |
Common Errors
| Error | Cause | Fix |
|---|---|---|
| gpg: signing failed: secret key not available | Wrong key ID in config | Check user.signingkey matches gpg --list-secret-keys |
| gpg: can't sign: No secret key | GPG key not locally available | Import or regenerate key |
| Commit not showing Verified on GitHub | Public key not added to GitHub | Add GPG public key in GitHub settings |
| error: gpg failed to sign the data | GPG agent issue | export GPG_TTY=$(tty) in shell config |
| Could not find SSH signing key | Key path wrong | Verify user.signingkey path |
| Please tell me who you are | Email mismatch | GPG key email must match Git email |
| gpg: signing failed: Inappropriate ioctl | Terminal for passphrase | Add export GPG_TTY=$(tty) to ~/.bashrc |
| Commit signed but badge missing | Commit author not matching key email | Author email must match GPG key UID |
Practice Questions
Challenge
Generate a new GPG key pair specifically for open-source work. Configure Git to use it globally. Make three signed commits. Verify the signatures using git log --show-signature. Export the public key and add it to your GitHub account. Create a new repository and push the commits — verify the "Verified" badges appear on GitHub.
Real-World Task
In a team repository, enforce commit signing using a server-side pre-receive hook or branch protection rule requiring signed commits. Set up a CI/CD job that verifies all commits in a pull request are signed before allowing merge. Configure automated key rotation where GPG keys are regenerated yearly and updated in the repository's CI configuration. This signing enforcement is standard at DodaTech for all production repositories including Durga Antivirus Pro's codebase.
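A CI-side signature gate for the Real-World Task above, built on the same checks as the Verifying Signatures section; this is an added example, not code from the tutorial. It reads git's %G? status for every commit a branch adds and fails the job unless each one carries a good signature. It assumes the team's public keys are imported into the runner's GPG keyring (for SSH signatures, gpg.ssh.allowedSignersFile must also be configured), and the ref names and the ALLOW_UNTRUSTED variable are assumed.

```shell
#!/bin/sh
# Added example: gate a CI job on every commit in a pull request carrying a
# good signature. git's %G? placeholder yields one letter per commit:
#   G good, U good but key untrusted, X good but signature expired,
#   Y good but key expired, R good but key revoked, E cannot be checked
#   (key missing), B bad signature, N no signature.
# Assumption: the team's public keys are imported into the runner's GPG
# keyring (for SSH signatures, gpg.ssh.allowedSignersFile is configured);
# otherwise every commit reports E and the check fails closed.

# check_signature_status reads "<sha> <status>" lines on stdin, prints one
# line per offending commit and returns 1 if any commit is not acceptable.
# Pass 1 as the first argument to accept U (good signature, untrusted key).
check_signature_status() {
  allow_untrusted="${1:-0}"
  bad=0
  while read -r sha status || [ -n "$sha" ]; do
    [ -z "$sha" ] && continue
    case "$status" in
      G) ;;
      U) if [ "$allow_untrusted" != 1 ]; then echo "UNTRUSTED $sha"; bad=1; fi ;;
      N) echo "UNSIGNED $sha"; bad=1 ;;
      B) echo "BAD_SIGNATURE $sha"; bad=1 ;;
      E) echo "UNVERIFIABLE $sha"; bad=1 ;;
      X|Y|R) echo "EXPIRED_OR_REVOKED $sha $status"; bad=1 ;;
      *) echo "UNKNOWN_STATUS $sha $status"; bad=1 ;;
    esac
  done
  return "$bad"
}

# verify_range checks only the commits a branch adds on top of its base,
# e.g. verify_range origin/main HEAD in a CI job (ref names are assumptions).
verify_range() {
  base="$1"
  head="${2:-HEAD}"
  git log --format='%H %G?' "$base..$head" | check_signature_status "${ALLOW_UNTRUSTED:-0}"
}
```

Wire verify_range into the pull request job so a non-zero exit blocks the merge; the printed offender list tells the author which commit to re-sign.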
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.