Git Commit Signing
This guide explains how to configure Git to cryptographically sign your commits using SSH keys.
Signed commits provide:
- Authenticity - Proof that commits came from you
- Integrity - Detection of any tampering with commit content
- Trust - Visual verification in GitHub (green "Verified" badge)
Prerequisites
- Git 2.34 or later
- An SSH key pair (see SSH Key Setup if needed)
Step 1: Configure Git for SSH Signing
Windows (PowerShell):

```powershell
# Tell Git to use SSH for signing
git config --global gpg.format ssh
# Set your SSH signing key (use your public key path)
git config --global user.signingkey "$env:USERPROFILE\.ssh\id_ed25519.pub"
# Enable signing for all commits
git config --global commit.gpgsign true
```

macOS and Linux:

```bash
# Tell Git to use SSH for signing
git config --global gpg.format ssh
# Set your SSH signing key (use your public key path)
git config --global user.signingkey ~/.ssh/id_ed25519.pub
# Enable signing for all commits
git config --global commit.gpgsign true
```
Step 2: Create Allowed Signers File
The allowed signers file tells Git which SSH keys to trust for verification.
Windows (PowerShell):

```powershell
# Create the allowed signers directory
New-Item -ItemType Directory -Force -Path "$env:USERPROFILE\.config\git"
# Add your email and public key
$email = git config --get user.email
$pubkey = Get-Content "$env:USERPROFILE\.ssh\id_ed25519.pub"
"$email $pubkey" | Out-File -FilePath "$env:USERPROFILE\.config\git\allowed_signers" -Encoding utf8
# Tell Git where to find it
git config --global gpg.ssh.allowedSignersFile "$env:USERPROFILE\.config\git\allowed_signers"
```

macOS and Linux:

```bash
# Create the allowed signers directory
mkdir -p ~/.config/git
# Add your email and public key
echo "$(git config --get user.email) $(cat ~/.ssh/id_ed25519.pub)" > ~/.config/git/allowed_signers
# Tell Git where to find it
git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
```
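A quick sanity check for the allowed signers file created in this step, as an added example that is not part of the original guide. It flags entries where the public key was pasted without an email in front of it, entries with a missing or malformed key, and (optionally) the absence of an entry for your email. The function name `lint_allowed_signers` and the list of key types are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): lint an allowed_signers file.
# Entry layout per ssh-keygen(1), ALLOWED SIGNERS section:
#   principals [options] key-type base64-key [comment]
# Usage: lint_allowed_signers FILE [EMAIL]   (function name is hypothetical)
lint_allowed_signers() {
    [ -r "$1" ] || { echo "cannot read $1"; return 2; }
    LC_ALL=C awk -v want="${2:-}" '
        # Common OpenSSH public key types (assumed list, extend as needed).
        function is_keytype(s) {
            return s ~ /^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)$/
        }
        { sub(/\r$/, "") }                # tolerate CRLF files from Windows
        /^[ \t]*(#|$)/ { next }           # skip comments and blank lines
        {
            # A .pub file copied in unchanged starts with the key type.
            if (is_keytype($1)) {
                print "line " NR ": no principal before key type"; bad = 1; next
            }
            k = 0
            for (i = 2; i <= NF; i++) if (is_keytype($i)) { k = i; break }
            if (!k) { print "line " NR ": no public key type found"; bad = 1; next }
            # Every SSH public key blob starts with a length prefix -> "AAAA".
            if ($(k + 1) !~ /^AAAA[A-Za-z0-9+\/]+=*$/) {
                print "line " NR ": key blob missing or not base64"; bad = 1; next
            }
            # Exact match only; wildcard principal patterns are not expanded.
            n = split($1, p, ",")
            for (i = 1; i <= n; i++) if (p[i] == want) seen = 1
        }
        END {
            if (want != "" && !seen) { print "no entry for principal " want; bad = 1 }
            exit bad
        }
    ' "$1"
}
```

Run it as `lint_allowed_signers ~/.config/git/allowed_signers "$(git config --get user.email)"`; a non-zero exit status means at least one entry needs fixing.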
Step 3: Add Key to GitHub
Your SSH key must be registered as a signing key (not just authentication):
Verify It's Working
Windows (PowerShell):

```powershell
# Create a test commit
"test" | Out-File test.txt
git add test.txt
git commit -m "Test signed commit"
# Verify the signature
git log --show-signature -1
```

macOS and Linux:

```bash
# Create a test commit
echo "test" > test.txt && git add test.txt
git commit -m "Test signed commit"
# Verify the signature
git log --show-signature -1
```
Expected output:
```
Good "git" signature for your.email@example.com with ED25519 key SHA256:...
```
Troubleshooting
"error: gpg.ssh.allowedSignersFile needs to be configured"
The allowed signers file is missing or not configured. Re-run the Step 2 commands above for your operating system.
Commits Show "Unverified" on GitHub
- Ensure your signing key is added to your account (as a signing key, not just authentication)
- Ensure the email in your commits matches the email associated with your key
- Check that your key hasn't expired
Related
- SSH Key Setup - Generate and configure SSH keys
- GitHub Setup - GitHub-specific configuration