GPG (GNU Privacy Guard) is a tool that enables secure communication and data storage through encryption. When applied to Git, GPG allows developers to sign their commits and tags cryptographically, providing verifiable proof that the changes came from a trusted source. This chapter explains how to sign Git commits and tags using GPG, from setup to best practices.
GPG needs to be installed on your system before Git can sign anything. Installation varies by OS:

Debian/Ubuntu:

```sh
sudo apt install gpg
```

macOS (Homebrew):

```sh
brew install gnupg
```

Windows: Download and install GPG from GPG4Win.
Once installed, you need a GPG key pair (public and private key) to sign your commits. Generate one with:

```sh
gpg --full-generate-key
```

Then list your secret keys to find the key ID:

```sh
gpg --list-secret-keys --keyid-format LONG
```

The long key ID is the hexadecimal string after the algorithm on the `sec` line (for example, 3AA5C34371567BD2). To enable Git to sign with that key:

```sh
git config --global user.signingkey 3AA5C34371567BD2
```
To ensure GitHub recognizes your signed commits, export the public key in ASCII-armored form:

```sh
gpg --armor --export 3AA5C34371567BD2
```

Copy the output (including the BEGIN and END lines) and paste it into GitHub under Settings > SSH and GPG keys.
Creating a Signed Commit

To sign a commit, use the -S flag when running git commit:

```sh
git commit -S -m "Your commit message"
```

To check whether a commit is signed and whether the signature is valid:

```sh
git log --show-signature
```

For a signed commit the output looks like:

```
commit abcd1234 (HEAD -> main)
gpg: Signature made ...
gpg: Good signature from "Your Name <email>"
```
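Reading `git log --show-signature` by eye does not scale to a whole branch. The following script is an added example, not code from the original post: it uses Git's `%G?` format placeholder (one letter per commit: G good, B bad, U good with unknown trust, X good but expired, Y good but expired key, R good but revoked key, E cannot be checked, N unsigned) together with `%GS` (signer name) and flags every commit that does not carry a good signature. The `SAMPLE_LOG` lines and hashes are constructed; the `audit_range` wrapper is the only part that needs a real repository.

```sh
#!/bin/sh
# Added example (not from the original post): audit commit signature status.
# Git's %G? placeholder reports one letter per commit:
#   G good, B bad, U good/unknown trust, X good/expired signature,
#   Y good/expired key, R good/revoked key, E cannot check, N unsigned.

# Constructed sample of `git log --format='%h %G? %GS'` output (not real commits).
SAMPLE_LOG='a1b2c3d G Alice Example <alice@example.com>
e4f5a6b N
c7d8e9f E
0a1b2c3 B Mallory <mallory@example.com>'

# Read "<hash> <status> <signer>" lines on stdin; print one line per commit
# that is not a good, trusted signature; return 1 if any such commit exists.
audit_signatures() {
    awk '
        $2 == "G" { next }
        $2 == "N" { printf "%s UNSIGNED\n", $1; bad++; next }
        $2 == "B" { printf "%s BAD SIGNATURE\n", $1; bad++; next }
        $2 == "E" { printf "%s CANNOT VERIFY (key not in keyring)\n", $1; bad++; next }
        { printf "%s %s signature needs review\n", $1, $2; bad++ }
        END { exit (bad > 0) }
    '
}

# Wrapper for a real repository: check every commit in a range, e.g.
#   audit_range origin/main..HEAD
# Exits non-zero when any commit in the range fails the audit.
audit_range() {
    git log --format='%h %G? %GS' "$1" | audit_signatures
}

# Number of commits in the constructed sample with a good signature.
count_good() {
    printf '%s\n' "$SAMPLE_LOG" | awk '$2 == "G"' | wc -l | tr -d ' '
}

# Run against the sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | audit_signatures
```

Because `audit_range` returns non-zero on the first problem, it drops straight into a CI job or a `pre-push` hook; note that status E (key not in the keyring) is reported as a failure rather than ignored, since an unverifiable signature gives no more assurance than none.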
Tags mark specific points in Git history and are often used for version releases. Signing tags with GPG ensures they come from a trusted source.

To create a signed tag, use the -s option:

```sh
git tag -s v1.0 -m "Tagging version 1.0"
```

The -s flag tells Git to sign the tag with your GPG key, and -m provides the tag message. To verify a signed tag's authenticity, use:

```sh
git tag -v v1.0
```

This command verifies the tag's signature and prints the associated GPG information.
To ensure all commits and tags are signed automatically, configure Git globally with these commands:

```sh
git config --global commit.gpgSign true
git config --global tag.gpgSign true
```
While GPG is the common choice, Git can also sign with SSH keys, which may be more convenient if you already use SSH for repository access. Switch the signing format and point user.signingkey at your public key file:

```sh
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_rsa.pub
```
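Signing with SSH is only half the job: unlike GPG, Git has no keyring to look up SSH signers in, so `git log --show-signature` and `git verify-commit` can only report a good SSH signature if the key is listed in an allowed signers file (Git config key `gpg.ssh.allowedSignersFile`). The script below is an added example, not code from the original post, showing the entry format; the `SAMPLE_PUBKEY` string is a constructed, non-functional key, and `enable_ssh_verification` (which assumes an ed25519 key at the default path) is the only function that touches a real repository.

```sh
#!/bin/sh
# Added example (not from the original post): build an allowed-signers
# entry so Git can verify commits signed with an SSH key.
# Entry format (see ssh-keygen(1), ALLOWED SIGNERS):
#   <principal> [options] <key-type> <base64-key>
# Git signs in the "git" namespace, so the option restricts the key to it.

# Constructed public key in authorized_keys form (not a real key).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey laptop'

# Print one allowed-signers line for an email and a public key line;
# any trailing comment on the key line is dropped.
allowed_signers_line() {
    email=$1
    set -- $2          # split the key line into type, key, [comment]
    printf '%s namespaces="git" %s %s\n' "$email" "$1" "$2"
}

# Wire up a real repository (run manually; needs a Git with SSH signing
# support, 2.34 or later). Assumes an ed25519 key at the default path.
enable_ssh_verification() {
    pubkey_file=${1:-"$HOME/.ssh/id_ed25519.pub"}
    signers_file=${2:-"$HOME/.ssh/allowed_signers"}
    allowed_signers_line "$(git config user.email)" "$(cat "$pubkey_file")" >> "$signers_file"
    git config --global gpg.ssh.allowedSignersFile "$signers_file"
}

# Show the entry that would be written for the constructed key.
allowed_signers_line "you@example.com" "$SAMPLE_PUBKEY"
```

The principal in the first column must match the committer email Git records, otherwise verification reports the signature as good but from an unknown principal; share the allowed signers file the same way you would share a GPG public keyring so that other contributors can verify your commits too.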
Set up Git aliases to simplify signing commands. This is helpful if you frequently switch between signed and unsigned commits.

```sh
git config --global alias.scommit 'commit -S'
git config --global alias.stag 'tag -s'
```

Now `git scommit` signs commits and `git stag` signs tags.
Error: GPG Failed to Sign the Data

This usually means Git could not use the configured key, or GPG could not open a terminal to ask for your passphrase. First check that user.signingkey points at a key you actually hold:

```sh
git config user.signingkey <key-id>
```

If the key is correct, tell GPG which terminal to use so it can reach you for the passphrase prompt:

```sh
export GPG_TTY=$(tty)
```

Error: No Secret Key

This means no private key matching user.signingkey exists in your keyring. List the secret keys you have and set user.signingkey to one of the IDs shown:

```sh
gpg --list-secret-keys --keyid-format LONG
```

To avoid entering the passphrase every time, you can cache it: run gpg-agent as a background process, or adjust the cache lifetimes (in seconds) in ~/.gnupg/gpg-agent.conf:

```
default-cache-ttl 600
max-cache-ttl 7200
```
Using GPG to sign Git commits and tags provides a robust way to verify their authenticity and integrity in any Git repository. This process builds trust among contributors, ensures a secure and traceable commit history, and protects against unauthorized changes. Happy coding! ❤️