I recently discovered an interesting thing you can do with git commits: signing individual commits. Now I know that this may not be new to a lot of people, but from my experience looking around GitHub, it doesn’t appear as though many people do it. In fact, I’ve only seen one person other than myself with verified commits! So I wanted to share with you all today how you can sign your own commits.

How to make a GPG Key

  1. First make sure you have GNU Privacy Guard (gpg) installed on your machine
  2. Open a terminal and type out
  3. At the prompt, specify the kind of key you want (default )
  4. Enter the desired size and expiration time (you can set it to never expire)
  5. Enter an ID and Secure Password
  6. Use gpg --list-secret-keys --keyid-format LONG to get a list of your keys
/Users/devinmatte/.gnupg/secring.gpg
------------------------------------
sec 4096R/3AA5C34371567BD2 2017-04-17 [expires: 2017-04-18]
uid devinmatte
ssb 4096R/42B317FD4BA89E7A 2017-04-17

Signing Commits

Now that you have a GPG key, it’s time to use it with git. You’ll need to tell git about your key.

Step 1

Open a terminal and type out

$ gpg --list-secret-keys --keyid-format LONG
/Users/devinmatte/.gnupg/secring.gpg
------------------------------------
sec 4096R/3AA5C34371567BD2 2017-04-17 [expires: 2017-04-18]
uid devinmatte
ssb 4096R/42B317FD4BA89E7A 2017-04-17

Step 2

Set git to use that key

Now you’re set up to start signing commits. The way you’d do that is with . However, you really should want to sign all your commits, so that it’s quite obvious that your work is yours.

Step 3

Set the default status on git:

  • sets all commits inside all repositories on your machine to be signed by default.
  • sets all commits inside a single repository on your machine to be signed by default.

Step 4

When you first set this up you may run into the annoyance of typing in your password every time you make a commit. You’ll also notice that it breaks commit functionality in other programs such as JetBrains IDEs. So I looked around and found a simple solution:

  • Edit and add these two lines to the bottom:
no-tty
use-agent
  • Now your password will be saved, and third-party software will be able to commit like normal. Except now, all your commits are signed!
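The four steps above can be scripted. The following is an added example and not code from the original post: it pulls the long key ID out of the listing that Step 1 prints, emits the git config commands for Step 2 and Step 3 (global or single-repository scope), and adds the two gpg.conf lines from Step 4 without duplicating them. The parsing helpers run on constructed sample listings (the post's own key ID, in both the older 4096R format shown above and the format newer GnuPG prints), so they work without gpg installed; the function names and the RUN_SIGNING_SETUP variable are this example's own, and the real gpg and git calls only run when that variable is set.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post. Automates the post's
# "Signing Commits" steps 1-4. The parsing helpers work on constructed sample
# output, so they run without GnuPG; setup_commit_signing() needs real gpg
# and git and only runs when RUN_SIGNING_SETUP=1 is set.

# Constructed sample of `gpg --list-secret-keys --keyid-format LONG` in the
# older format the post shows (key ID copied from the post's listing).
SAMPLE_LISTING_OLD='/Users/devinmatte/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2017-04-17 [expires: 2017-04-18]
uid                          devinmatte
ssb   4096R/42B317FD4BA89E7A 2017-04-17'

# Constructed sample of the same listing in the format newer GnuPG prints
# (algorithm name instead of "4096R", fingerprint on its own line; the
# fingerprint here is made up).
SAMPLE_LISTING_NEW='sec   rsa4096/3AA5C34371567BD2 2017-04-17 [SC] [expires: 2017-04-18]
      0123456789ABCDEF0123456789ABCDEF3AA5C34371567BD2
uid                 [ultimate] devinmatte
ssb   rsa4096/42B317FD4BA89E7A 2017-04-17 [E]'

# Print the 16-hex-digit long ID of the first primary secret key.
# Only "sec" lines count: "ssb" lines are subkeys (in the post's listing the
# encryption subkey), and the post signs with the primary key.
extract_signing_keyid() {
    printf '%s\n' "$1" |
        sed -n 's|^sec[^/]*/\([0-9A-F]\{16\}\).*|\1|p' |
        head -n 1
}

# Print the git commands for steps 2 and 3. Scope "--global" signs in every
# repository on the machine; "--local" only in the current one.
git_signing_config_commands() {
    keyid="$1"
    scope="${2:---global}"
    printf 'git config %s user.signingkey %s\n' "$scope" "$keyid"
    printf 'git config %s commit.gpgsign true\n' "$scope"
}

# Step 4: add the two gpg.conf lines, skipping any that are already present
# so running this twice does not duplicate them. The path is a parameter so
# the logic can be exercised on a temporary file.
ensure_gpg_agent_options() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    for opt in no-tty use-agent; do
        grep -qx -- "$opt" "$conf" || printf '%s\n' "$opt" >> "$conf"
    done
}

# Full run against the real machine: discover the key, configure git,
# then update ~/.gnupg/gpg.conf.
setup_commit_signing() {
    scope="${1:---global}"
    listing=$(gpg --list-secret-keys --keyid-format LONG) || return 1
    keyid=$(extract_signing_keyid "$listing")
    if [ -z "$keyid" ]; then
        echo "no secret key found; generate one first" >&2
        return 1
    fi
    git_signing_config_commands "$keyid" "$scope" | sh -e
    ensure_gpg_agent_options "$HOME/.gnupg/gpg.conf"
    echo "git will now sign commits with key $keyid"
}

# Only touch the real system when explicitly asked, e.g.
#   RUN_SIGNING_SETUP=1 sh sign-setup.sh --local
if [ "${RUN_SIGNING_SETUP:-}" = "1" ]; then
    setup_commit_signing "$@"
fi
```

The key ID is taken from the sec line only, so a machine with several subkeys still ends up pointing git at the key the post uses; if you keep a dedicated signing subkey, pass its ID to git_signing_config_commands instead.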

Verifying Commits Online

One of the points of this is to show, inside your repositories, that you’ve signed your commits, and that there is 100% certainty that you verify these commits are from you and can be trusted. So in order to display this, first you’ll need to export your GPG key to verify your commits online:

  1. Export your full chain
  2. Copy your GPG key, beginning with and ending with
  3. Copy that to GitHub using the instructions from their site.

So once you have your GPG key added to GitHub, all signed commits will display as verified. Currently it appears that GitHub and GitLab both support GPG signing in their UI.
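The export-and-paste step is where people most often go wrong, either by pasting a block that lost its last line in the clipboard or by exporting the wrong kind of key. The following is an added example, not code from the original post: it exports the public key in armored form, checks that the text really begins and ends with the PUBLIC KEY BLOCK lines before you paste it into GitHub, and then asks git to verify the signature on your latest commit locally. The sample key blocks are constructed (their bodies are made up and far shorter than a real key), the function names and the RUN_KEY_EXPORT variable are this example's own, and the gpg and git calls only run when that variable is set.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post. Covers the "Verifying
# Commits Online" steps: export the public key for GitHub and check that
# what you are about to paste is a complete public key block. The check
# runs on constructed samples; gpg and git are only called when
# RUN_KEY_EXPORT=1 is set.

# Constructed sample of `gpg --armor --export <KEYID>` output; the body is
# made up and much shorter than a real key.
SAMPLE_PUBLIC_BLOCK='-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFjz0mkBEADconstructedconstructedconstructedconstructed
=AbCd
-----END PGP PUBLIC KEY BLOCK-----'

# Constructed sample of what an armored secret-key export looks like.
# This is the block that must never be pasted into a web form.
SAMPLE_PRIVATE_BLOCK='-----BEGIN PGP PRIVATE KEY BLOCK-----

lQdGBFjz0mkBEADconstructed
=AbCd
-----END PGP PRIVATE KEY BLOCK-----'

# Return 0 when the text is a complete armored public key: the first
# non-blank line must be the BEGIN line and the last non-blank line the END
# line. A private-key block fails the first check; a block whose END line was
# lost in the clipboard fails the second.
armored_public_key_is_complete() {
    first=$(printf '%s\n' "$1" | sed '/^[[:space:]]*$/d' | head -n 1)
    last=$(printf '%s\n' "$1" | sed '/^[[:space:]]*$/d' | sed -n '$p')
    [ "$first" = "-----BEGIN PGP PUBLIC KEY BLOCK-----" ] || return 1
    [ "$last" = "-----END PGP PUBLIC KEY BLOCK-----" ] || return 1
    return 0
}

# Step 1 of the post: print the armored public key for the given key ID.
# --export only writes public material; the secret key stays in the keyring.
export_public_key() {
    gpg --armor --export "$1"
}

# Local check that signing works end to end: git verifies the signature on
# the latest commit against your own keyring and shows the gpg output
# ("Good signature from ...") in the log.
verify_latest_commit() {
    git verify-commit HEAD && git log --show-signature -1
}

# Usage: RUN_KEY_EXPORT=1 sh export-key.sh 3AA5C34371567BD2
if [ "${RUN_KEY_EXPORT:-}" = "1" ]; then
    block=$(export_public_key "$1")
    if ! armored_public_key_is_complete "$block"; then
        echo "export did not produce a complete public key block" >&2
        exit 1
    fi
    printf '%s\n' "$block"
    verify_latest_commit
fi
```

git verify-commit checks the signature against the keys in your local keyring, so it confirms that git and gpg are wired up correctly on your machine; the Verified badge on GitHub is a separate check that the site performs with the public key you uploaded.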

Interested in learning more? Read the documentation on git’s site.

Originally published at https://devinmatte.me.

Software Engineering Student at Rochester Institute of Technology with a focus on Full Stack Web Development and DevOps
