Verify your commits !

Using GPG keys to add a signature to your GitHub commits



October 3, 2022


It’s not a long time ago that I have started to use Git. I am constantly discovering new things. All this time I was reading articles, posts on Stackoverflow etc. One day I saw a Verified badge on someones’ repository commit history.

Then the first questions arised.

“What is that ?”
“Why I don’t have it ?”
“Do I need that ?”

SSH vs GitHub for commit

In reality, when you have make a commit via your GitHub account your commit is indeed marked as verified but the majority of the users is working locally, thus they have set SSH. Those are in need to set up GPG in order to sign their commits and push their changes.

What if I do not verify

Create PGP key

GitHub has a wonderful explanation , so I won’t bother you to say the same things. You can see their guide here

For brevity, I will make a TL;DR version :

gpg --full-generate-key
# Accept defaults
# Give no-reply email
# Passphrase

#print GPG Key ID
gpg --list-secret-keys --keyid-format=long
# the alphanumeric after / is ID

# print GPG key
gpg --armor --export GPG_key_ID

Signing your commits

After that you can continue your usual workflow with Git with just a little change. Now you have to sign your commits. To do that you have to set the option -S as follows :

git commit -S -m "Edit something"

Then, you will be prompted to a new window in order to complete the password of your GPG key. And here it is, my first verified commit :

Verified Commit on GitHub

Let’s take a closer look :

Verified Commit on GitHub

But there is more. On GitHub settings (Settings > SSH and GPG keys) there is also the option to warn others if a commit is not signed. If I enable it :

Settings for unsigned commits

then it marks all my unsigned commits (before and after the change) as unverified, as a warning to others. I guess it’s good if someones’ intention is to use only signed commits.

Settings for unsigned commits

To sum up

In GitHub, Commit = Sign + Commit

- bash git commit -m "..." = Commit
- bash git commit -S -m "..." = Sign + Commit


  1. Github Documentation Page for GPG keys
  2. Adding a GPG key to your GitHub account