Stage 2 · Tools
Hooks & Automation
Commit Signing & Security
GPG, SSH signing, vigilant mode, and supply-chain security for commits.
Why Sign Commits?
A signed commit proves who wrote it. Without signing, anyone can create commits with any name and email. Signing adds a cryptographic signature that verifies the commit came from you.
- Prevents impersonation: no one can forge commits under your name
- Supply-chain security: reviewers can verify author identity
- Compliance: many organizations require signed commits
- GitHub verification: signed commits show a green 'Verified' badge
Most major open-source projects and all major tech companies require signed commits. Adopt this habit early.
GPG Signing
GPG (GNU Privacy Guard) is the traditional way to sign commits. You generate a key pair, add the public key to GitHub, and sign every commit.
gpg --full-generate-key
# Select: RSA (4096 bits), no expiration, your name/email
gpg --list-secret-keys --keyid-format=long
# sec rsa4096/3AA5C34371567BD2 2024-01-15 [SC]
# Key ID: 3AA5C34371567BD2The Key ID after the slash is what you will use to configure Git.
git config --global user.signingkey 3AA5C34371567BD2
git config --global commit.gpgsign true
git config --global gpg.program gpg2
# Test it
git commit --allow-empty -m "test: signed commit"
git log --show-signature -1Once configured, every commit is automatically signed.
gpg --armor --export 3AA5C34371567BD2
# Copy the output and add it at github.com/settings/keysGitHub uses your public key to verify your signatures.
SSH Signing
Git 2.34+ supports SSH signing, which is simpler than GPG if you already use SSH keys for authentication.
git config --global gpg.format ssh
# Use your existing SSH key
git config --global user.signingkey ~/.ssh/id_ed25519.pub
# Or generate a dedicated signing key
ssh-keygen -t ed25519 -C "commit-signing" -f ~/.ssh/id_ed25519_signSSH signing is simpler — no keyserver, no GPG agent, just your SSH key.
# Copy the public key
cat ~/.ssh/id_ed25519_sign.pub
# Add at github.com/settings/keys
# Use 'Signing Key' type, not 'Authentication Key'GitHub needs the key in 'Signing Key' mode to verify SSH-signed commits.
| Feature | GPG | SSH |
|---|---|---|
| Setup complexity | Higher (key generation, keyserver) | Lower (reuse existing SSH keys) |
| Supported since | Git 1.0 | Git 2.34 |
| Agent required | gpg-agent | ssh-agent |
| Key storage | GPG keyring | SSH key files |
Vigilant Mode
GitHub's vigilant mode highlights unsigned commits, making it easy to spot unverified authorship.
# Without vigilant mode:
commit by Alice (verified)
# With vigilant mode:
commit by Alice (verified)
commit by Bob (unverified) ← highlighted!
commit by Alice (verified)Enable vigilant mode in GitHub Settings → Navigation → Signature verification on commits.
Run git log --show-signature --oneline to check which commits in your history are signed. Unsigned commits in a protected branch indicate a process gap.
Commit signing is a small habit with large security implications. It becomes automatic after a few days of use.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.