๐Ÿ” How to Sign Git Commits with GPG
GitHub

๐Ÿ” How to Sign Git Commits with GPG


Signing your Git commits with a GPG key is a great way to prove that your commits come from you. GitHub (and other platforms) mark these signed commits as "Verified", which can boost trust and professionalism in open source or team environments.

This quick guide covers:

  1. How to install GPG
  2. How to create a GPG key pair (public and private)
  3. How to configure git to sign commits
  4. How to add your GPG public key to your GitHub account

1. Installing GPG

You'll need GnuPG installed on your machine. Here's how to install it:

For macOS (with Homebrew):

brew install gnupg

For Ubuntu/Debian:

sudo apt update
sudo apt install gnupg

For Windows:

Install Gpg4win (https://www.gpg4win.org/), which bundles GnuPG for Windows together with the gpg command-line tool.

After installation, verify with:

gpg --version

๐Ÿ” 2. Generate a New GPG Key

Run this command to create your gpg key:

gpg --full-generate-key

The command prompts for several options. Choose whatever fits your needs; for this tutorial we pick the most common ones. Select:

  • Key type: (1) RSA and RSA

  • Key size: 4096 bits

  • Expiration: Optional (e.g., 1y)

  • Name and email: Use the email you use for your Git commits (for GitHub to show "Verified", it must also be a verified email on your GitHub account)

  • Passphrase: Choose a secure one

Done! You now have a GPG key pair. To list your keys after generation (the long key ID appears after rsa4096/ on the sec line):

gpg --list-secret-keys --keyid-format=long

โš™๏ธ 3. Configure Git to Sign Commits

Now, tell Git to sign your commits with that GPG key:

# for global configuration
git config --global user.signingkey <your_key_email>  # the email from the creation step, or the long key ID from the listing above (unambiguous if you own several keys)
git config --global commit.gpgsign true

Want to sign only some commits manually? Leave out the commit.gpgsign line and run git commit -S when you want to sign.

You can also combine this setup with multiple accounts, so that each account has its own signature. Check out my other tutorial where I explain how to set up multiple GitHub accounts.

Also, make sure Git uses GPG:

git config --global gpg.program gpg

โ˜๏ธ 4. Add Your GPG Public Key to GitHub

First, export your public key:

gpg --armor --export you@example.com

Copy the entire output (it starts with -----BEGIN PGP PUBLIC KEY BLOCK----- and ends with -----END PGP PUBLIC KEY BLOCK-----).

Then:

  1. Go to your GitHub SSH & GPG settings

  2. Click "New GPG key"

  3. Paste your key

  4. Save

GitHub will now show "Verified" on commits signed with this GPG key.
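As an added end-to-end check (this script is not part of the original tutorial): it creates a disposable key in a temporary GNUPGHOME, applies the step 3 settings to a throwaway repository, makes one signed commit and verifies it locally the way GitHub does, against the public key. It assumes gpg (GnuPG 2.1 or later) and git are on PATH; the name and email are constructed.

```shell
#!/bin/sh
# Runs in a subshell so GNUPGHOME, cwd and the EXIT trap do not leak out.
sign_and_verify_demo() (
  work=$(mktemp -d) || exit 1
  trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$work"' EXIT
  GNUPGHOME="$work/gnupg"; export GNUPGHOME
  mkdir -m 700 "$GNUPGHOME" || exit 1

  # Step 2, non-interactively: RSA 4096, expires in 1 year, empty passphrase
  # (a real key should have one; this key is disposable). Constructed identity.
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "Demo User <demo@example.com>" rsa4096 sign 1y \
      >/dev/null 2>&1 || exit 1

  # The long key ID (field 5 of the "sec" record in colon output); the
  # unambiguous value for user.signingkey when several keys share an email.
  keyid=$(gpg --list-secret-keys --with-colons demo@example.com 2>/dev/null |
          awk -F: '$1 == "sec" { print $5; exit }')
  [ -n "$keyid" ] || exit 1

  # Step 3, but with repository-local config instead of --global.
  git init -q "$work/repo" && cd "$work/repo" || exit 1
  git config user.name "Demo User"
  git config user.email demo@example.com
  git config user.signingkey "$keyid"
  git config commit.gpgsign true
  git config gpg.program gpg

  echo "hello" > README.md
  git add README.md
  git commit -q -m "signed test commit" || exit 1

  # What a "Verified" badge boils down to: a good signature from a key whose
  # user ID carries the committer's email. %G? prints G for a good signature.
  git verify-commit HEAD 2>/dev/null || exit 1
  [ "$(git log -1 --format=%G?)" = G ]
)
```

Run `sign_and_verify_demo && echo "signing works"`; a failure at any step returns non-zero, and `git log --show-signature -1` in your own repository shows the same check on real commits.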

๐ŸŽ Bonus: Stop GPG from Asking for Your Passphrase Every Time

By default, GPG might prompt you for your passphrase every time you sign a commit โ€” which can get annoying fast. You can fix this by configuring GPG to cache your passphrase for a period of time using the GPG agent.

๐Ÿ› ๏ธ Step 1: Edit or Create gpg-agent.conf

Create or open this file:

~/.gnupg/gpg-agent.conf

Add the following lines:

default-cache-ttl 3600
max-cache-ttl 7200

  • default-cache-ttl: Time (in seconds) the passphrase stays cached after its last use (3600 = 1 hour)
  • max-cache-ttl: Maximum time (in seconds) the passphrase can stay cached regardless of use (7200 = 2 hours)

Feel free to increase these numbers if you want to cache it for longer; keep in mind that the cache lives in the running gpg-agent, so anything that can use your session can sign commits while it is warm.

Step 2: Reload GPG Agent

After saving the file, reload the agent to apply the changes:

gpgconf --kill gpg-agent
gpgconf --launch gpg-agent

Done!

Now GPG remembers your passphrase for up to two hours (or the interval you chose) after you enter it once. This makes commit signing much smoother without compromising security too much.