GPG-Signed Commits and Tags

Git allows you to sign your commits and tags using GPG (GNU Privacy Guard) to verify authorship and ensure content hasn't been tampered with. Signed commits/tags provide additional trust, especially in collaborative or open-source projects.


1. Why Sign Commits and Tags?

  • Verifies the identity of the committer.
  • Ensures content integrity—confirms that the commit/tag hasn’t been modified.
  • Prevents impersonation in open-source and team-based workflows.
  • GitHub and GitLab mark signed commits as "Verified".

2. Setting Up GPG

a. Generate a GPG Key

If you don't already have a GPG key, generate one:

gpg --full-generate-key

Choose RSA and a 4096-bit key size when prompted.

b. List Your GPG Keys

gpg --list-secret-keys --keyid-format=long

Copy the long key ID from the output: it is the 16-character hexadecimal value after the slash on the "sec" line (for example "sec   rsa4096/<YOUR_KEY_ID>").

c. Add Your GPG Key to Git

git config --global user.signingkey <YOUR_KEY_ID>

d. Add the Public Key to GitHub

Export your public key:

gpg --armor --export <YOUR_KEY_ID>

Paste it into GitHub at: Settings > SSH and GPG keys > New GPG key


3. Signing Commits and Tags

a. Sign a Commit

git commit -S -m "Signed commit message"

b. Sign All Commits by Default

git config --global commit.gpgsign true

c. Sign a Tag

git tag -s v1.0.0 -m "Release version 1.0.0"

Use -s for a GPG-signed tag (not -a): -a creates an annotated but unsigned tag, while -s creates an annotated tag and signs it with your key.


4. Verifying Signatures

a. Verify a Signed Commit

git log --show-signature

b. Verify a Signed Tag

git tag -v v1.0.0

Git will show who signed the tag and whether the signature is valid and trusted. Verification only succeeds if the signer's public key is in your local GPG keyring; "trusted" additionally requires that you have marked that key as trusted there.
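The following script is an added example, not part of the original tutorial, and runs the whole procedure from sections 2 through 4 end to end in a throwaway directory: it generates a key non-interactively, configures git to sign, creates a signed commit and tag, verifies both, and then checks the two failure modes a practitioner should expect (an unsigned commit does not verify, and a verifier whose keyring lacks the signer's public key cannot validate the tag). It uses a private GNUPGHOME and per-repository (not --global) git settings so your real keyring and configuration are untouched; the identity "Demo Signer <demo@example.invalid>" is constructed, and gpg 2.1+ and git are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sections 2-4 end to end in
# a temporary directory. Requires gpg (2.1+) and git. Identity is constructed.
set -eu

# Prints "verified" when the signed commit and tag verify AND both negative
# checks fail as expected; prints "skipped" when gpg or git is not installed.
# The body runs in a subshell so cd/export do not leak into the caller.
sign_and_verify_demo() (
    if ! command -v gpg >/dev/null 2>&1 || ! command -v git >/dev/null 2>&1; then
        echo skipped
        return 0
    fi

    workdir=$(mktemp -d)
    export GNUPGHOME="$workdir/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # Section 2a, non-interactively: the tutorial's --full-generate-key asks
    # these questions at a prompt. RSA 4096, signing-only, expires in one day,
    # empty passphrase so git can sign without a pinentry dialog.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Demo Signer <demo@example.invalid>" rsa4096 sign 1d

    # Section 2b: the long key ID is field 5 of the "sec" record in
    # machine-readable (--with-colons) output.
    keyid=$(gpg --with-colons --list-secret-keys | awk -F: '$1 == "sec" { print $5; exit }')

    # Sections 2c and 3b, scoped to this repository instead of --global.
    git init -q "$workdir/repo"
    cd "$workdir/repo"
    git config user.name "Demo Signer"
    git config user.email "demo@example.invalid"
    git config user.signingkey "$keyid"
    git config commit.gpgsign true

    # Section 3a: signed automatically because commit.gpgsign is true
    # (same effect as passing -S explicitly).
    echo "hello" > README
    git add README
    git commit -q -m "Signed commit message"

    # Section 3c: -s produces an annotated tag carrying a GPG signature.
    git tag -s v1.0.0 -m "Release version 1.0.0"

    # Section 4, positive checks: verify-commit/verify-tag exit non-zero on a
    # bad or missing signature, which is easier to script than --show-signature.
    git verify-commit HEAD >&2
    git verify-tag v1.0.0 >&2

    # Negative check 1: an unsigned commit must NOT verify.
    git -c commit.gpgsign=false commit -q --allow-empty -m "Unsigned commit"
    if git verify-commit HEAD >/dev/null 2>&1; then
        echo "unsigned commit unexpectedly verified" >&2
        return 1
    fi

    # Negative check 2: a verifier without the signer's public key cannot
    # validate the tag. "Valid" needs the key in the local keyring; "trusted"
    # additionally needs it marked trusted there.
    mkdir -m 700 "$workdir/empty-keyring"
    if GNUPGHOME="$workdir/empty-keyring" git verify-tag v1.0.0 >/dev/null 2>&1; then
        echo "tag verified without the signer's public key" >&2
        return 1
    fi

    # Tear down the demo agents and the temporary keyrings/repository.
    gpgconf --kill all >/dev/null 2>&1 || true
    GNUPGHOME="$workdir/empty-keyring" gpgconf --kill all >/dev/null 2>&1 || true
    cd /
    rm -rf "$workdir"
    echo verified
)

sign_and_verify_demo
```

Run it as a normal shell script; it prints "verified" on success and the gpg/git verification output goes to stderr. The negative checks are the point: a green "Verified" badge or a passing verify-tag only means the signature matches a key the verifier already holds and trusts, so the keyring used for verification (a CI runner's, a release manager's) is what actually anchors the trust.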


5. Summary

Task                         | Command Example                               | Notes
-----------------------------|-----------------------------------------------|-------------------------------
Generate GPG Key             | gpg --full-generate-key                       | Choose RSA 4096
Configure Git Signing Key    | git config --global user.signingkey <KEY_ID>  | Set once per machine
Sign a Commit                | git commit -S -m "message"                    | -S triggers signing
Sign All Commits by Default  | git config --global commit.gpgsign true       | Applies to all future commits
Sign a Tag                   | git tag -s v1.0.0 -m "message"                | Uses your GPG key to sign
Verify a Commit Signature    | git log --show-signature                      | Shows author and validity
Verify a Tag Signature       | git tag -v v1.0.0                             | Checks tag integrity and author