post · November 16, 2025 · 4 min read

Configure Git to Sign All Your Commits with GPG (Step‑by‑Step)

By Saleh Elnagar


Signing your commits proves they came from you and haven’t been altered. Many teams now require signed commits to protect their supply chain. In this guide you’ll generate a GPG key, configure Git to sign every commit and tag, upload your public key to GitHub/GitLab/Bitbucket and fix common errors.


TL;DR (copy–paste quick start)

# 1) Install GPG
# macOS
brew install gnupg pinentry-mac
# Ubuntu/Debian
sudo apt update && sudo apt install -y gnupg pinentry-curses
# Fedora
sudo dnf install -y gnupg2 pinentry
# Windows: install Gpg4win from https://www.gpg4win.org/

# 2) Create a signing key (Ed25519, signing-only, 1-year expiry)
gpg --quick-generate-key "Your Name <you@example.com>" ed25519 sign 1y

# 3) Find your key’s fingerprint
gpg --list-secret-keys --keyid-format=long
# copy the 40-hex-character fingerprint (not just the short ID)

# 4) Tell Git to always sign
git config --global user.name  "Your Name"
git config --global user.email "you@example.com"
git config --global user.signingKey <YOUR_FINGERPRINT>
git config --global commit.gpgsign true
git config --global tag.gpgSign  true
git config --global gpg.program  gpg

# 5) Export your public key and add it to your Git host (GitHub/GitLab/etc.)
gpg --armor --export <YOUR_FINGERPRINT> > public-gpg-key.asc
# Upload the contents of public-gpg-key.asc to your Git hosting account.

# 6) Test
echo "test" > signed.txt && git add signed.txt && git commit -m "feat: signed commit"
git log --show-signature -1

Why Sign Commits?

  • Authenticity – Proves the author is really you.
  • Integrity – Detects tampering after a commit is made.
  • Compliance – Many organizations require “Verified” commits for critical repositories.

Prerequisites

  • Git 2.0 or newer.
  • GnuPG 2.x (gpg or gpg2).
  • A terminal (or PowerShell) and access to your Git hosting account.

1) Install GPG

Install GPG using your platform’s package manager. Here are commands for common platforms:

macOS
Use Homebrew to install GnuPG and the pinentry helper, then enable the GUI pinentry:

brew install gnupg pinentry-mac
# enable the macOS pinentry UI
mkdir -p ~/.gnupg
# Apple Silicon Homebrew prefix shown; on Intel Macs the binary lives at /usr/local/bin/pinentry-mac
echo "pinentry-program /opt/homebrew/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
# restart the agent so it picks up the new pinentry (gpgconf --kill gpg-agent also works)
killall gpg-agent 2>/dev/null || true

Linux (Debian/Ubuntu)
Install GnuPG and a curses-based pinentry program, then set your TTY for passphrase prompts:

sudo apt update && sudo apt install -y gnupg pinentry-curses
# optional: ensure terminal pinentry works
echo 'export GPG_TTY=$(tty)' >> ~/.bashrc
export GPG_TTY=$(tty)

Linux (Fedora)
Install GnuPG 2 and pinentry using dnf:

sudo dnf install -y gnupg2 pinentry

Windows
Install Gpg4win (includes Kleopatra). After installation, ensure Git uses the correct gpg.exe by configuring:

git config --global gpg.program "C:\\Program Files\\GnuPG\\bin\\gpg.exe"

Tip (WSL): Prefer installing GPG inside WSL using sudo apt install gnupg pinentry-curses and set export GPG_TTY=$(tty) so pinentry can prompt correctly.

2) Create Your GPG Signing Key

Generate a signing‑only Ed25519 key that expires after one year. This modern command requires GnuPG 2.1 or newer and avoids the interactive prompts:

gpg --quick-generate-key "Your Name <you@example.com>" ed25519 sign 1y

If you prefer the interactive wizard, you can generate a signing key by running the full key generator and answering the prompts. Select ECC with curve Ed25519, use the same name and email as your Git identity, and choose a strong passphrase.

gpg --full-generate-key
# Choose: (9) ECC and ECC, then curve: ed25519
# Use your name and email and set a strong passphrase

After generating your key, list your secret keys and copy the full 40‑character fingerprint (not just the short key ID) for use in Git configuration.

gpg --list-secret-keys --keyid-format=long
# copy the 40-character fingerprint

3) Configure Git to Always Sign

Run the following commands to set your name and email, tell Git which key to use, and sign commits and tags by default.

git config --global user.name "Your Name"
git config --global user.email "you@example.com"
git config --global user.signingKey <YOUR_FINGERPRINT>
git config --global commit.gpgsign true
git config --global tag.gpgSign true
git config --global gpg.program gpg

4) Publish Your Public Key to Your Git Host

Export your public key in ASCII‑armored format and add it to your Git hosting account (GitHub, GitLab, Bitbucket, etc.).

gpg --armor --export <YOUR_FINGERPRINT> > public-gpg-key.asc

Upload the contents of the generated public-gpg-key.asc file to your Git hosting service’s GPG key settings page.

5) Test Locally

Create a test file, make a signed commit, and confirm that Git prompts for your GPG passphrase. This proves everything is wired up correctly.

echo "signed" > demo.txt
git add demo.txt
git commit -m "chore: demo signed commit"

Verify the signature of the last commit using the following commands.

git log --show-signature -1
# or
git verify-commit HEAD

6) Sign Tags

Tags are often used for releases, so you should sign them as well to provide provenance.

git tag -s v1.0.0 -m "v1.0.0"
git push --tags
git tag -v v1.0.0
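Steps 5 and 6 verify one commit or tag by hand. As an added example that is not part of the original article, the script below applies the same check to every commit in a range, the way a CI job or pre-receive hook would, using Git's %G? (signature status) and %GF (signing-key fingerprint) log placeholders. The fingerprints in TRUSTED_FPRS and the sample log lines are constructed placeholders, not real keys or commits.

```shell
#!/usr/bin/env bash
# Added example: reject any commit in a range that is unsigned, badly signed,
# or signed by a key outside an allow-list.
# Git %G? status letters: G good, U good but untrusted, B bad, N no signature,
# E cannot verify, X expired signature, Y expired key, R revoked key.

# Allow-listed signing-key fingerprints (constructed placeholders).
TRUSTED_FPRS="AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000 BBBB1111BBBB1111BBBB1111BBBB1111BBBB1111"

# check_commits reads "<sha> <status> <fingerprint>" lines on stdin, i.e. the
# output of: git log --format='%H %G? %GF' <range>
# It prints one verdict per commit and returns 0 only if every commit is
# good AND signed by an allow-listed key.
check_commits() {
  local rc=0 sha status fpr
  while read -r sha status fpr; do
    [ -z "$sha" ] && continue
    case "$status" in
      G)
        case " $TRUSTED_FPRS " in
          *" $fpr "*) echo "OK      $sha signed by $fpr" ;;
          *) echo "REJECT  $sha good signature, but key $fpr is not allow-listed"; rc=1 ;;
        esac ;;
      U) echo "REJECT  $sha signed by key $fpr, which is not in the local keyring's trust"; rc=1 ;;
      N) echo "REJECT  $sha is unsigned"; rc=1 ;;
      B) echo "REJECT  $sha has a BAD signature (commit content altered?)"; rc=1 ;;
      X|Y|R) echo "REJECT  $sha signature status $status (expired or revoked key)"; rc=1 ;;
      *) echo "REJECT  $sha unknown signature status '$status'"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Real usage in CI (uncomment): every commit being pushed must pass.
#   git log --format='%H %G? %GF' origin/main..HEAD | check_commits
# Constructed sample log output so the script runs offline: one good
# allow-listed commit, one unsigned commit, one signed by an unknown key.
SAMPLE='1111111111111111111111111111111111111111 G AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 U CCCC2222CCCC2222CCCC2222CCCC2222CCCC2222'

if printf '%s\n' "$SAMPLE" | check_commits; then
  echo "all commits verified"
else
  echo "signature policy violated"
fi
```

Note that %GF reports the fingerprint of the key that made the signature; if you later move to signing subkeys, compare %GP (primary key fingerprint) instead.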

7) Use It in Your IDE

  • VS Code: In Settings, search for “sign commit” and enable “Git: Enable Commit Signing”; set Git: GPG Path to your gpg executable (e.g., gpg or C:\Program Files\GnuPG\bin\gpg.exe).
  • JetBrains IDEs (IntelliJ, WebStorm, etc.): Under Preferences → Version Control → Git, enable “Sign commits with GPG key” and select your key.
  • Git GUIs: If a graphical client fails to prompt for your passphrase, ensure a working pinentry program is installed and configured (see troubleshooting).

8) Key Maintenance & Rotation
