How to sign commits in Git
Signing Git commits with a GPG key lets anyone who holds your public key check that a commit was created by someone in possession of the matching private key and that its contents have not been altered since. As the creator of CoreUI with over 25 years of development experience, I’ve implemented commit signing for security-critical enterprise projects. The most effective solution is to generate a GPG key, configure Git to use it, and enable automatic commit signing. Hosting platforms that know your public key then show a “Verified” badge on those commits.
Generate a GPG key and configure Git to sign commits automatically.
# Generate GPG key
gpg --full-generate-key
# Choose "RSA and RSA", 4096 bits. Set an expiration (for example 2y);
# it can be extended later with gpg --edit-key, and an expiring key limits
# the damage if a backup is lost or the key is compromised.
# Enter your name and email. The email must match git config user.email
# and a verified email on your hosting account, or the commit will not
# show as Verified.
# List GPG keys
gpg --list-secret-keys --keyid-format=long
# Output shows:
# sec rsa4096/YOUR_KEY_ID 2024-01-01 [SC]
# Copy YOUR_KEY_ID (the 16 hex characters after rsa4096/) from the output
# Configure Git to use your GPG key
git config --global user.signingkey YOUR_KEY_ID
# Enable automatic commit signing
git config --global commit.gpgsign true
# Export public key to add to GitHub/GitLab (paste the whole block,
# including the BEGIN/END PGP PUBLIC KEY BLOCK lines)
gpg --armor --export YOUR_KEY_ID
# Make a signed commit (-S is redundant once commit.gpgsign is true)
git commit -S -m "Signed commit message"
# Verify commit signatures
git log --show-signature
# If signing fails with "Inappropriate ioctl for device", GPG cannot find
# the terminal for its passphrase prompt. Export GPG_TTY in your shell
# startup file (any OS, not only macOS; use ~/.bashrc for bash)
echo 'export GPG_TTY=$(tty)' >> ~/.zshrc
source ~/.zshrc
# GnuPG 2.1 and later always use gpg-agent, so this line is only needed
# on legacy GnuPG 1.x installs
echo 'use-agent' >> ~/.gnupg/gpg.conf
After generating your GPG key, configure Git to use it for signing. The -S flag signs an individual commit; enabling commit.gpgsign signs every commit automatically, so -S becomes optional. Add your public key to your hosting account (GitHub: Settings > SSH and GPG keys; GitLab: Preferences > GPG Keys). The platform shows a “Verified” badge on commits whose signature checks out and whose author email matches a verified email on that account. Locally, git log --show-signature prints “Good signature” when the signature verifies, and adds “WARNING: This key is not certified with a trusted signature!” until you assign trust to the key in your own GPG keyring; that warning concerns your trust settings, not the validity of the signature. Two caveats: a signature proves possession of the private key, not who was at the keyboard, so protect the key with a passphrase; and rewriting history with commit --amend or rebase while commit.gpgsign is on re-signs the rewritten commits with your key, replacing the original author’s signature.
Best Practice Note
This is the same commit signing we require for CoreUI security-critical repositories. Always back up your GPG key securely and use a strong passphrase. If you lose the key, you won’t be able to sign commits with the same identity. Set an expiration date and keep the revocation certificate that GnuPG writes to ~/.gnupg/openpgp-revocs.d when the key is generated, so a lost or compromised key can be revoked rather than left valid. For team environments, document the GPG key setup process to ensure consistent commit verification across all contributors, and enforce it with branch protection (GitHub’s “Require signed commits” rule or GitLab’s “Reject unsigned commits” push rule) so that unsigned commits are rejected instead of merely lacking a badge.
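Badges only tell you something when a human looks at them. To enforce the policy above in a CI job or pre-merge check, the following added example (not code from this page or from CoreUI) audits the signature status of every commit in a range using git’s own %G? placeholder, whose codes are documented in git-log(1). It treats a correct signature from a key that has no ownertrust in the runner’s keyring (status U) as a policy decision rather than an error, because CI runners usually import the team’s public keys without marking them trusted, and that is exactly the “not certified with a trusted signature” warning seen above. The sample log lines at the bottom are constructed for the demo; the hashes and key id are placeholders.

```shell
#!/usr/bin/env bash
# Audit commit-signature status for a commit range, e.g. in CI:
#   git log --format='%H %G? %GK' origin/main..HEAD | check_signatures
# %G? codes per git-log(1): G good, B bad, U good but key untrusted,
# X good but signature expired, Y good but key expired, R good but key
# revoked, E cannot check (public key missing), N no signature.
#
# Returns 0 only if every commit carries an acceptable signature. Pass
# "allow-untrusted" as the first argument to accept U, which is what a
# CI runner reports when it holds the public keys but no ownertrust.
check_signatures() {
  allow_untrusted="${1:-}"
  failures=0
  while read -r hash status keyid; do
    [ -z "$hash" ] && continue
    case "$status" in
      G) printf 'OK          %s key %s\n' "$hash" "$keyid" ;;
      U) if [ "$allow_untrusted" = "allow-untrusted" ]; then
           printf 'OK(untrust) %s key %s\n' "$hash" "$keyid"
         else
           printf 'UNTRUSTED   %s key %s has no ownertrust\n' "$hash" "$keyid"
           failures=$((failures + 1))
         fi ;;
      N) printf 'UNSIGNED    %s\n' "$hash"
         failures=$((failures + 1)) ;;
      B) printf 'BAD         %s signature does not verify\n' "$hash"
         failures=$((failures + 1)) ;;
      X|Y|R) printf 'STALE(%s)    %s key %s expired or revoked\n' "$status" "$hash" "$keyid"
         failures=$((failures + 1)) ;;
      E) printf 'NOKEY       %s public key %s not in keyring\n' "$hash" "$keyid"
         failures=$((failures + 1)) ;;
      *) printf 'PARSE       %s unexpected status "%s"\n' "$hash" "$status"
         failures=$((failures + 1)) ;;
    esac
  done
  [ "$failures" -eq 0 ]
}

# Constructed sample of `git log --format='%H %G? %GK'` output (not taken
# from a real repository); hashes and the key id are placeholders.
sample_log() {
  cat <<'EOF'
1111111111111111111111111111111111111111 G 0123456789ABCDEF
2222222222222222222222222222222222222222 U 0123456789ABCDEF
3333333333333333333333333333333333333333 N
4444444444444444444444444444444444444444 B 0123456789ABCDEF
EOF
}

# Demo run: the unsigned and bad commits make the policy fail even though
# untrusted-but-good signatures are allowed.
if sample_log | check_signatures allow-untrusted; then
  echo "policy: PASS"
else
  echo "policy: FAIL (unsigned or bad commits present)"
fi
```

Run it without allow-untrusted on a developer machine where the team’s keys have been marked trusted, and with it on CI runners that only import the public keys. Either way a missing or bad signature fails the job, which is the behaviour branch protection gives you server-side and this gives you anywhere you can run git.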