Signing with a GPG key in a Git workflow

If you’re working on a project and want extra assurance of code integrity, it’s a good idea to sign your work so that anything added to the code base under your name can be shown to come from you and no one else. This is particularly important when building a secure application, or when you’re coding in a team setting.

If you have some authority over the development workflow, it may also be a good idea to adopt the team practice of signing commits even before you do a git init on a project. There are plenty of references on configuring your GPG keys, so that’s not covered here.

Get your GPG configured, and a personal key installed. Configure Git to use your personal key.

$ git config --global user.signingkey 0A46826A

Signing tags:

$ git tag -s v2.17 -m 'version 2.17 signed by MH'
$ git show v2.17

With the signer’s public key in the keyring, you can verify the tag:

$ git tag -v v2.17

Signing commits

You can sign commits simply by adding -S once your environment is configured.

$ git commit -S -m 'push a signed commit'

You can check and verify via git log:

$ git log --show-signature -1

You can also have git log check every signature and report its status in the output by using the %G? placeholder in a --pretty format:

$ git log --pretty="format:%h %G? %aN  %s"
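As an added example (not part of the original post), the following POSIX shell check consumes the %G? status column from the log format above and refuses any commit that is not signed by a fully trusted, valid key. The sample log lines are constructed, and verify_range is an assumed helper name, not a git command.

```shell
#!/bin/sh
# Added example (not from the original post): enforce a commit-signing
# policy on the "%G?" status column printed by
#   git log --pretty="format:%h %G? %aN  %s" <range>
#
# Status codes git prints for %G?:
#   G  good signature            B  bad signature
#   U  good, key not trusted     X  good, signature expired
#   Y  good, key expired         R  good, key revoked
#   E  cannot be checked         N  no signature

# Reads "<hash> <status> <author>  <subject>" lines on stdin. Only G
# passes; prints one line per offending commit and returns 1 if any
# commit fails the policy, 0 otherwise. The "|| [ -n ... ]" keeps the
# last line, which "format:" emits without a trailing newline.
check_signature_log() {
    failed=0
    while read -r hash status rest || [ -n "$hash" ]; do
        [ -n "$hash" ] || continue
        case "$status" in
            G) ;;
            U)     echo "FAIL $hash good signature, key not trusted: $rest" ;;
            X|Y|R) echo "FAIL $hash expired or revoked key ($status): $rest" ;;
            B)     echo "FAIL $hash BAD signature: $rest" ;;
            E)     echo "FAIL $hash cannot be checked (key missing?): $rest" ;;
            N)     echo "FAIL $hash unsigned: $rest" ;;
            *)     echo "FAIL $hash unexpected status '$status': $rest" ;;
        esac
        [ "$status" = G ] || failed=1
    done
    return "$failed"
}

# Assumed helper name: run the check over a real repository range,
# e.g. verify_range origin/main..HEAD, before accepting a merge.
verify_range() {
    git log --pretty="format:%h %G? %aN  %s" "$1" | check_signature_log
}

# Constructed sample log output so the check can be exercised offline.
SAMPLE_LOG='a1b2c3d G Alice  add input validation
d4e5f6a N Bob  quick fix before release
b7c8d9e U Carol  bump version'

if printf '%s\n' "$SAMPLE_LOG" | check_signature_log; then
    echo "all commits signed by trusted keys"
else
    echo "signing policy violated"
fi
```

Note that a U status means the signature itself verified but the key is not trusted in your keyring, so the policy above treats it as a failure rather than silently accepting it.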

You can also refuse to merge a branch that contains unsigned commits or commits whose signatures do not verify. The first merge below is rejected because the branch contains such commits; the second succeeds because every commit on the branch carries a valid signature:

$ git merge --verify-signatures non-verify
$ git merge --verify-signatures signed-branch

Sign the merge commit itself:

$ git merge --verify-signatures -S signed-branch