
Signing Git commits

Signing commits is useful because GitHub can show whether a commit is Verified. Git itself trusts whatever user.name and user.email a committer chooses, so anyone can create a commit that claims to be from another developer; a signature lets reviewers confirm that the commit was created by someone who holds the private key whose public half is registered on that GitHub account, which makes impersonation much harder.

Because the exact setup differs between macOS, Windows, Linux, and different GPG installations, the best approach is to follow GitHub's official documentation for each step.

  1. Read why commit signature verification matters:
    About commit signature verification
  2. Generate a new GPG key:
    Generating a new GPG key
  3. Add the public key to your GitHub account:
    Adding a GPG key to your GitHub account
  4. Configure Git to use the signing key:
    Telling Git about your signing key

Notes

  • Use a commit email address that is verified in GitHub.
  • Make sure the email used by Git (user.email) also appears in a user ID on your signing key; GitHub shows Unverified if the committer email is not one of the key's identities, even when the signature itself is valid.
  • After setup, push a signed commit and confirm GitHub shows it as Verified. Locally, git log --show-signature or git verify-commit HEAD shows whether the signature checks out.
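The following script is an added example, not part of GitHub's documentation or of this page's original content: it walks through steps 2 to 4 (generate a key, export the public key you would paste into GitHub, tell Git about the key) against a throwaway keyring and a scratch repository, then checks the resulting commit the way GitHub does, requiring both a valid signature and a committer email that appears in a user ID on the key. The name and email addresses are constructed placeholders; it needs gpg (GnuPG 2.1 or later) and git on PATH and does not touch your real keyring or ~/.gitconfig.

```shell
#!/bin/sh
# Added example, not from GitHub's docs: generate a throwaway GPG key, wire it into
# Git the way steps 2-4 describe, make a signed commit in a scratch repo, and check
# it locally the way GitHub does (valid signature AND committer email present as a
# user ID on the key). Everything lives under mktemp directories, so your real
# keyring and ~/.gitconfig are untouched. Name and emails are constructed placeholders.
set -eu

NAME="Example Dev"
EMAIL="dev@example.com"                 # the address you have verified on GitHub
OTHER_EMAIL="someone-else@example.com"  # an address that is NOT on the key

# Step 2: create an Ed25519 signing-only key with no passphrase inside an isolated
# keyring (fine for a demo; protect a real key with a passphrase). Prints the long
# key ID, which is what goes into Git's user.signingkey.
make_signing_key() {
  keyring="$1"
  gpg --homedir "$keyring" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$NAME <$EMAIL>" ed25519 sign 1y 2>/dev/null
  gpg --homedir "$keyring" --list-secret-keys --with-colons \
      | awk -F: '$1 == "sec" { print $5; exit }'
}

# Step 3: the ASCII-armored public key is the text you paste into
# GitHub > Settings > SSH and GPG keys > New GPG key.
export_public_key() {
  gpg --homedir "$1" --armor --export "$2"
}

# Step 4, scoped to one scratch repo instead of --global: tell Git which key to use
# and sign every commit automatically, then create one signed commit.
make_signed_commit() {
  keyring="$1"; repo="$2"; keyid="$3"; committer_email="$4"
  git -C "$repo" config user.name "$NAME"
  git -C "$repo" config user.email "$committer_email"
  git -C "$repo" config user.signingkey "$keyid"
  git -C "$repo" config commit.gpgsign true
  echo "signed by $committer_email" >> "$repo/README.md"
  git -C "$repo" add README.md
  GNUPGHOME="$keyring" git -C "$repo" commit -q -m "Signed commit by $committer_email"
}

# True if some user ID on the key carries exactly this email address.
email_on_key() {
  gpg --homedir "$1" --list-keys --with-colons "$2" 2>/dev/null \
      | awk -F: '$1 == "uid" { print $10 }' | grep -Fq "<$3>"
}

# Mirror GitHub's decision for HEAD: "verified" needs a good signature from a key in
# the keyring AND a committer email that is one of that key's user IDs. A good
# signature with a mismatched email is the classic cause of an Unverified badge.
check_head() {
  keyring="$1"; repo="$2"; keyid="$3"
  sig_ok=0; email_ok=0
  GNUPGHOME="$keyring" git -C "$repo" verify-commit HEAD >/dev/null 2>&1 && sig_ok=1
  committer="$(git -C "$repo" log -1 --format='%ce')"
  email_on_key "$keyring" "$keyid" "$committer" && email_ok=1
  if [ "$sig_ok" = 1 ] && [ "$email_ok" = 1 ]; then
    echo verified
  elif [ "$sig_ok" = 1 ]; then
    echo signed-but-email-mismatch
  else
    echo unverified
  fi
}

# Run the whole flow: one commit with the matching email, one with a mismatch.
demo() {
  keyring="$(mktemp -d)"; chmod 700 "$keyring"
  repo="$(mktemp -d)"
  git -c init.defaultBranch=main init -q "$repo"
  keyid="$(make_signing_key "$keyring")"
  echo "signing key: $keyid"
  export_public_key "$keyring" "$keyid" | head -n 1

  make_signed_commit "$keyring" "$repo" "$keyid" "$EMAIL"
  echo "matching committer email:   $(check_head "$keyring" "$repo" "$keyid")"

  make_signed_commit "$keyring" "$repo" "$keyid" "$OTHER_EMAIL"
  echo "mismatched committer email: $(check_head "$keyring" "$repo" "$keyid")"

  GNUPGHOME="$keyring" git -C "$repo" log --show-signature -1 | head -n 3
  GNUPGHOME="$keyring" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$keyring" "$repo"
}

demo
```

For a real setup, the same three git config lines go in with --global, user.signingkey is your own long key ID, and the keyring is your normal one; the email check in check_head is the part to remember when a correctly signed commit still shows up as Unverified.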

Verify status and enable vigilant mode

By default GitHub only marks signed commits. If you enable vigilant mode, GitHub also displays a verification status on every commit and tag you author, so an unsigned commit attributed to you is visibly flagged instead of silently shown without a badge.

With vigilant mode enabled, GitHub marks your commits as:

  • Verified
  • Partially verified
  • Unverified

You should only enable vigilant mode if you sign all of your commits and tags, and use a verified GitHub email address as your committer email.

To enable it in GitHub:

  1. Open Settings.
  2. Go to SSH and GPG keys.
  3. Under Vigilant mode, enable Flag unsigned commits as unverified.
