Signing Git Commits

Signing commits is an important step to creating immutable proof of authorship within git. Doing so can improve your audit trail, mitigate risks associated to account takeovers, and protect against insider threats. Please see our blog post on Seal Your Code through Git Commit Signing for more detailed information.

Quick Start

A quick start to getting started to signing your commits.


Be sure to install GPG Suite before starting.

# Pick your key properties and make sure you set the email the same as your git config `git config --get`
gpg --full-generate-key
# grab key id after forward slash `rsa3072/C000AA111111B222`
gpg --list-secret-keys --keyid-format=long
# Insert it replacing the example keyid here
gpg --armor --export C000AA111111B222
# Add your public key to github in settings -> SSH and GPG Keys
git config --global user.signingkey C000AA111111B222
# Sign your first commit
git commit -S -m "first signed commit"
# verify your key and set all future commits to be signed
git config commit.gpgsign true


For further reading and sources.