
How to Sign Git Commits with GPG
In this quick guide we'll cover:
- How to install GPG
- How to create GPG key (public and private)
- How to configure git to sign commits
- How to add your GPG public key to your GitHub account
1. Installing GPG
You'll need GnuPG installed on your machine. Here's how to install it:
For macOS (with Homebrew):
brew install gnupg
For Ubuntu/Debian:
sudo apt update
sudo apt install gnupg
For Windows:
- Download and install Gpg4win: https://gpg4win.org/
After installation, verify with:
gpg --version
2. Generate a New GPG Key
Run this command to create your GPG key:
gpg --full-generate-key
The command prompts for several options. Choose whatever best fits your needs; for this tutorial we select the most common ones:
- Key type: (1) RSA and RSA
- Key size: 4096 bits
- Expiration: Optional (e.g., 1y)
- Name and email: Use the email you use for your Git commits
- Passphrase: Choose a secure one
Done! You now have a GPG key. To list all your secret keys after generation:
gpg --list-secret-keys --keyid-format=long
3. Configure Git to Sign Commits
Now, tell Git to sign your commits with that GPG key:
# for global configuration
git config --global user.signingkey <your_key_email> # the email used in the creation step, or the long key ID shown in the listing above
git config --global commit.gpgsign true
Want to sign only some commits manually? Leave off the commit.gpgsign true line and use git commit -S when you want to sign.
You can also combine this setup with multiple accounts, so that each account has its own signature. Check out my other tutorial where I explain how to set up multiple GitHub accounts.
Also, make sure Git uses GPG:
git config --global gpg.program gpg
4. Add Your GPG Public Key to GitHub
First, export your public key:
gpg --armor --export you@example.com
Copy the entire output (it starts with -----BEGIN PGP PUBLIC KEY BLOCK----- and ends with -----END PGP PUBLIC KEY BLOCK-----).
Then:
- Go to your GitHub SSH & GPG settings
- Click "New GPG key"
- Paste your key
- Save
GitHub will now show "Verified" on commits signed with this GPG key, as long as the email in the commit matches a verified email on your GitHub account.
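Steps 2 to 4 above are interactive, which makes them hard to rehearse or check. The script below is an added example, not part of the original post: it runs the same steps end to end in a throwaway GnuPG home and git repository, so nothing touches your real ~/.gnupg or global git config. It assumes gpg (GnuPG 2.1 or newer) and git are on PATH; the signer name and email are constructed placeholders. It generates the key non-interactively with a gpg parameter file, reads the long key ID from gpg's machine-readable output, configures the sandbox repo, makes one signed commit, and then performs the check the tutorial leaves out: verifying the signature on HEAD with git verify-commit.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): steps 2 to 4 of the tutorial
# run end to end in a throwaway GnuPG home and git repository. Assumes gpg
# (GnuPG 2.1+) and git are on PATH.
set -euo pipefail

# Constructed identity for the throwaway key; replace with the name and
# email you use for your commits.
SIGNER_NAME="Example Signer"
SIGNER_EMAIL="signer@example.com"

# Isolated GnuPG home and repo under a temp directory, so the real
# ~/.gnupg and global git config are never touched.
setup_sandbox() {
  SANDBOX=$(mktemp -d)
  export GNUPGHOME="$SANDBOX/gnupg"
  mkdir -m 700 "$GNUPGHOME"
  REPO="$SANDBOX/repo"
}

# Step 2 without prompts: gpg --batch reads the answers from a parameter
# file on stdin. A sign-only RSA 4096 primary key is enough for commit
# signing (the interactive "RSA and RSA" choice also adds an encryption
# subkey). %no-protection skips the passphrase so the script can run
# unattended; an everyday key should keep one.
generate_key() {
  gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: $SIGNER_NAME
Name-Email: $SIGNER_EMAIL
Expire-Date: 1y
%commit
EOF
}

# Long key ID of the secret key for SIGNER_EMAIL, taken from gpg's
# machine-readable --with-colons listing (field 5 of the "sec" record)
# instead of scraping the human-readable --keyid-format=long output.
signing_key_id() {
  gpg --list-secret-keys --with-colons "$SIGNER_EMAIL" \
    | awk -F: '$1 == "sec" { print $5; exit }'
}

# Step 3, applied to the sandbox repo only (no --global), then one commit.
make_signed_commit() {
  git init -q "$REPO"
  git -C "$REPO" config user.name "$SIGNER_NAME"
  git -C "$REPO" config user.email "$SIGNER_EMAIL"
  git -C "$REPO" config user.signingkey "$KEY_ID"
  git -C "$REPO" config commit.gpgsign true
  git -C "$REPO" config gpg.program gpg
  echo "signed commit demo" > "$REPO/README"
  git -C "$REPO" add README
  git -C "$REPO" commit -q -m "Add README (signed)"
}

# The check: exits 0 only if HEAD carries a valid signature from a key in
# the keyring, which is what GitHub's "Verified" badge also depends on.
verify_head() {
  git -C "$REPO" verify-commit HEAD 2>/dev/null
}

# Step 4: the ASCII-armored public key block to paste into GitHub.
export_public_key() {
  gpg --armor --export "$SIGNER_EMAIL"
}

setup_sandbox
generate_key
KEY_ID=$(signing_key_id)
make_signed_commit
if verify_head; then
  echo "HEAD is signed by key $KEY_ID"
fi
PUBLIC_KEY=$(export_public_key)
echo "Public key block to paste into GitHub starts with:"
printf '%s\n' "$PUBLIC_KEY" | head -n 1
echo "Sandbox left in $SANDBOX; delete it when done."
```

Because the sandbox uses its own GNUPGHOME, the key ID printed here is not the one in your real keyring; for your own setup, take the ID from the listing in step 2 and use it with --global as the tutorial shows.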
Bonus: Stop GPG from Asking for Your Passphrase Every Time
By default, GPG might prompt you for your passphrase every time you sign a commit — which can get annoying fast. You can fix this by configuring GPG to cache your passphrase for a period of time using the GPG agent.
Step 1: Edit or Create gpg-agent.conf
Create or open this file:
~/.gnupg/gpg-agent.conf
Add the following lines:
default-cache-ttl 3600
max-cache-ttl 7200
- default-cache-ttl: time (in seconds) the passphrase is cached after first use (3600 = 1 hour)
- max-cache-ttl: maximum time the passphrase can be cached (7200 = 2 hours)
Feel free to increase these numbers if you want to cache it for longer; keep in mind that while the passphrase is cached, anything running in your session can sign with the key without a prompt.
Step 2: Reload GPG Agent
After saving the file, reload the agent to apply the changes:
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent