How to sign your git commits with GPG keys

When you look at open-source repositories or professional projects, you may notice that some commits carry a “Verified” badge. A signed commit carries a cryptographic signature made with the committer's private key; anyone holding the matching public key can check that the commit was created by the key holder and has not been altered since, which is a layer of trust that Git's plain-text author and committer fields cannot provide on their own.

Signing your Git commits with GPG keys is simple to set up and gives collaborators verifiable evidence that a commit was made with your key, rather than by someone who merely typed your name and email into their Git config.

In this article, you’ll learn how to create a GPG key, configure Git to use it, and start signing your commits automatically.

Key Takeaways

  • Signing Git commits verifies your identity and improves project trust
  • Setting up GPG commit signing involves generating a key and configuring Git
  • Signed commits are especially important for open-source and enterprise work

Why sign Git commits?

  • Proof of authorship: Git's author and committer fields are free text that anyone can set, so a name alone proves nothing. A valid signature shows the commit was made by whoever controls your private key, and because it covers the whole commit object (message, tree and parent hashes), any later tampering invalidates it.
  • Trust and security: Critical in open-source, enterprise, and sensitive repositories, where a forged commit can carry malicious code past review.
  • Professional standards: Increasingly expected in many engineering workflows; hosting platforms can also require signed commits on protected branches.

Signed commits whose key is registered on your account show up with a “Verified” label on platforms like GitHub; a signature GitHub cannot match to an account is shown as “Unverified”.

How to generate a GPG key

First, check if you already have a GPG key:

gpg --list-secret-keys --keyid-format=long

If you need to create one:

gpg --full-generate-key

When prompted:

  • Choose the key type. Older GnuPG versions default to RSA and RSA; GnuPG 2.3 and later default to ECC (Curve 25519). Either works with GitHub, so accepting the default is fine.
  • If you chose RSA, set the key size to 4096 bits (the size prompt does not appear for Curve 25519).
  • Set an expiration (optional, but 1 year is common; you can extend it later with gpg --edit-key without generating a new key).
  • Enter your name and email. The email must be a verified email on your GitHub account and must match the committer email in your Git config, or GitHub will not mark your commits as verified.
  • Choose a strong passphrase; it is what protects the private key on disk.

After creation, list your keys:

gpg --list-secret-keys --keyid-format=long

On the line beginning with sec, the long key ID is the 16-hex-character string after the slash (for example, a line starting rsa4096/3AA5C34371567BD2 gives the key ID 3AA5C34371567BD2). Pick the key whose uid line shows your email; the line of 40 hex characters beneath it is the full fingerprint, which Git also accepts.

How to configure Git to use your GPG key

  1. Tell Git to sign commits automatically:
git config --global commit.gpgsign true
  2. Set your GPG key for Git:
git config --global user.signingkey YOUR_KEY_ID

Replace YOUR_KEY_ID with the long key ID you found earlier.

  3. Point Git at the GPG binary:
git config --global gpg.program gpg

This last step is only needed when the gpg that Git finds on its PATH is not the one you generated the key with (for example, when GnuPG is installed as gpg2); on most systems Git already uses gpg by default.

Now every new commit you create will be signed automatically. GPG prompts for your key's passphrase the first time, and gpg-agent caches it for subsequent commits.


How to upload your GPG key to GitHub

If you want the “Verified” badge on GitHub:

  1. Export your public key:
gpg --armor --export YOUR_EMAIL
  2. Copy the entire output, from the -----BEGIN PGP PUBLIC KEY BLOCK----- line to the -----END PGP PUBLIC KEY BLOCK----- line inclusive.
  3. Go to GitHub > Settings > SSH and GPG keys > New GPG key.
  4. Paste your public key and save.

If several keys share the same email, pass the key ID to --export instead so you upload exactly the key Git is configured to use. Only the public key is uploaded; never use --export-secret-keys for this step.

Now GitHub can verify commits signed with that key, as long as the committer email on each commit is a verified email on your account.
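The whole procedure above (generate a key, find its long ID, configure Git, make a signed commit, verify it, and export the public key for upload), run end to end as an added example that is not part of the original article. It assumes GnuPG 2.1 or later and Git on your PATH, and it uses a throwaway GNUPGHOME and repository so your own keyring and global Git config are untouched. The demo key's empty passphrase, the name Demo Signer and the address demo@example.com are stand-ins for this example only, and the listing in SAMPLE_LISTING is constructed to mirror the format gpg prints.

```shell
#!/usr/bin/env sh
# Added example: end-to-end GPG commit signing in a disposable environment.
# Assumes GnuPG >= 2.1 (for --quick-generate-key) and Git on PATH.
# Nothing here touches your real ~/.gnupg or your global Git config.

# extract_key_id EMAIL
# Reads `gpg --list-secret-keys --keyid-format=long` output on stdin and
# prints the long key ID (the part after the slash on the "sec" line) of
# the first key whose uid carries EMAIL. That is the value you give to
# `git config user.signingkey`.
extract_key_id() {
  awk -v email="$1" '
    /^sec/ { split($2, parts, "/"); id = parts[2] }
    /^uid/ && index($0, "<" email ">") { print id; exit }
  '
}

# Constructed sample in the format GnuPG prints; IDs and fingerprints are
# made up for this example.
SAMPLE_LISTING='sec   rsa4096/3AA5C34371567BD2 2016-03-10 [SC] [expires: 2026-03-10]
      1234567890ABCDEF1234567890ABCDEF12345678
uid                 [ultimate] Alice Example <alice@example.com>
ssb   rsa4096/4BB6D35482678CE3 2016-03-10 [E] [expires: 2026-03-10]
sec   ed25519/5CC7E46593789DF4 2024-01-02 [SC]
      ABCDEF1234567890ABCDEF1234567890ABCDEF12
uid                 [ultimate] Bob Example <bob@example.com>
ssb   cv25519/6DD8F57604890EA5 2024-01-02 [E]'

# sign_and_verify_demo
# Generates a demo key in a temporary GNUPGHOME, configures a temporary
# repository to sign with it, makes a commit, and verifies the signature.
# Returns 0 if `git verify-commit` accepts the signature, non-zero otherwise.
sign_and_verify_demo() {
  work=$(mktemp -d) || return 1
  export GNUPGHOME="$work/gnupg"
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

  # Empty passphrase ONLY because this is a disposable demo key. A real
  # signing key needs a passphrase; gpg-agent caches it for you.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Signer <demo@example.com>' ed25519 sign 1y \
      || return 1

  keyid=$(gpg --list-secret-keys --keyid-format=long | extract_key_id demo@example.com)
  [ -n "$keyid" ] || return 1

  # The same settings the article applies with --global, scoped to this repo.
  repo="$work/repo"
  git init -q "$repo" || return 1
  git -C "$repo" config user.name  'Demo Signer'
  git -C "$repo" config user.email 'demo@example.com'   # must match a uid on the key
  git -C "$repo" config user.signingkey "$keyid"
  git -C "$repo" config commit.gpgsign true
  git -C "$repo" config tag.gpgSign true                 # sign annotated tags as well
  git -C "$repo" config gpg.program gpg

  git -C "$repo" commit -q --allow-empty -m 'signed demo commit' || return 1

  # verify-commit exits non-zero if the signature is missing, bad, or made
  # by a key that is not in this keyring.
  git -C "$repo" verify-commit HEAD 2>/dev/null
  status=$?

  # This armored block (first line shown; paste all of it) is what goes into
  # GitHub > Settings > SSH and GPG keys > New GPG key.
  [ "$status" -eq 0 ] && gpg --armor --export "$keyid" | head -n 1

  gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$work"
  return "$status"
}

# Usage when run directly:
# printf '%s\n' "$SAMPLE_LISTING" | extract_key_id alice@example.com   # 3AA5C34371567BD2
# sign_and_verify_demo && echo "signature verified"
```

Keep the verification step in your own workflow too: git verify-commit fails closed, so it is the quickest way to tell whether a "gpg failed to sign" error left you with an unsigned commit, and it is the same check GitHub performs before showing the badge.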

Troubleshooting signing issues

  • "gpg failed to sign the data": GPG could not open a passphrase prompt, which is common inside terminals and editors. Add export GPG_TTY=$(tty) to your shell profile so pinentry can use the terminal, then test signing outside Git with echo test | gpg --clearsign.
  • GPG agent prompts: gpg-agent caches your passphrase for a limited time; if you are prompted more often than you like, raise default-cache-ttl in ~/.gnupg/gpg-agent.conf and restart the agent.
  • Wrong email address: the commit's committer email must match a uid on the signing key and a verified email on your GitHub account (or be added to your account), otherwise GitHub shows the commit as "Unverified".
  • Expired key: once the key passes its expiration date, GPG refuses to sign and new commits fail. Extend the expiry with gpg --edit-key YOUR_KEY_ID (the expire command), then export and re-upload the public key to GitHub.
  • Missing gpg: make sure GPG is installed (gpg --version). Install it via Homebrew, apt, or your system's package manager if needed.

Conclusion

Signing Git commits with GPG keys strengthens your project’s security and integrity. It’s a small extra step that signals professionalism and builds trust with collaborators, users, and the wider developer community.

FAQs

Yes. If you don't enable global signing, you can manually sign a commit with `git commit -S`.

Yes. You can configure GitHub Actions workflows to use a GPG key for signed commits or tags.

No, it's optional. But it is increasingly encouraged for open-source and enterprise projects.
