Git PGP signed commit using Keybase.io
Git signed commits let others verify the commit author’s identity using PGP. Optionally, a user or organization can require PGP-signed commits on Git providers such as GitHub and GitLab.
Public PGP IDs can help verify the author identity of Git commits, social media posts, websites, etc. A popular free service for sharing PGP IDs is Keybase.io. Below we demonstrate using a Keybase.io PGP key with Git via the keybase.io client.
Set up GPG on the laptop:
- Debian/Ubuntu: apt install gnupg
- macOS (Homebrew): brew install gnupg
- Windows: Kleopatra GPG binary install.
Export the Keybase.io public and private keys and import them into GPG:
keybase pgp export | gpg --import
keybase pgp export --secret | gpg --pinentry-mode=loopback --allow-secret-key --import
With an old GnuPG you may need to omit the option.
The GPG signing key is passphrase protected; that passphrase is distinct from the Keybase.io account password.
Verify the PGP key:
gpg --list-secret-keys --keyid-format LONG
In the first lines of the output, the hexadecimal part after the / is the public key ID of the Keybase.io keypair. It’s shown on the Keybase.io public profile, next to the key icon.
Add the Git provider’s (GitHub or GitLab) verified email address to the PGP key. For commits to show as “Verified” on the Git provider, at least one of the provider’s verified email addresses must match the email Git commits with:
git config --get user.email
Use the GPG public key ID from above:
gpg --edit-key 05F2BD2A525007DF
In the interactive GPG session that launches, type adduid and enter the Name and the Email address, which must exactly match the GitHub verified email address.
I also add the @users.noreply.github.com fake email that I always use to avoid spam, so I run adduid twice: once for the real GitHub verified email address and again for the @users.noreply.github.com fake email.
Set trust with the trust command. Since it’s you, perhaps a trust level of 5 is appropriate.
Type save to save the changes, which may not show up until exiting and re-entering the interactive GPG session.
Configure Git to use Keybase public hex ID as seen next to the key logo on your public Keybase.io profile, as in the example below.
git config --global user.signingkey 05F2BD2A525007DF
git config --global commit.gpgsign true
On Windows, additionally do
git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"
Add the GPG public key to the Git provider. Copy and paste the output of this command into the GPG Key field of GitHub or GitLab. This is done only once per human, not once per device.
gpg --armor --export 05F2BD2A525007DF
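The setup above only yields “Verified” commits when the key named in Git’s user.signingkey carries a user ID whose email equals Git’s user.email. The script below is an added example (not code from the original post) that checks exactly that by parsing GnuPG’s machine-readable --with-colons listing, where uid records carry the user ID string in field 10. The listing embedded here is constructed sample output so the check runs offline; the names Jane Doe, jane@example.com and the fingerprints are placeholders.

```shell
#!/bin/sh
# Added example: confirm that the signing key has a UID matching git's
# user.email. Parses `gpg --list-keys --with-colons` output.

# CONSTRUCTED sample of `gpg --list-keys --with-colons 05F2BD2A525007DF`.
# Field 1 is the record type, field 5 the key ID, field 10 the user ID.
SAMPLE_LISTING='pub:u:4096:1:05F2BD2A525007DF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA05F2BD2A525007DF:
uid:u::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Jane Doe <jane@example.com>::::::::::0:
uid:u::::1500000001::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Jane Doe <12345+jdoe@users.noreply.github.com>::::::::::0:
sub:u:4096:1:1111111111111111:1500000000::::::e::::::23:
'

# Print every email address found in the uid records of a listing ($1).
uid_emails() {
  printf '%s' "$1" | awk -F: '$1 == "uid" {
      uid = $10
      # the address is the part between the trailing "<" and ">"
      if (match(uid, /<[^>]+>$/)) print substr(uid, RSTART + 1, RLENGTH - 2)
  }'
}

# Return 0 if the git email ($2) is one of the uid emails in listing $1.
# Comparison is case-insensitive, as mail domains are.
key_has_email() {
  uid_emails "$1" | awk -v want="$2" '
    tolower($0) == tolower(want) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Live usage against the real keyring (needs gpg and git; hypothetical flow,
# not executed here):
#   key="$(git config --get user.signingkey)"
#   email="$(git config --get user.email)"
#   if key_has_email "$(gpg --list-keys --with-colons "$key")" "$email"; then
#     echo "ok: $email is a UID on key $key"
#   else
#     echo "warning: $email is not on key $key; commits will not show as Verified" >&2
#   fi
```

Run the live block after the adduid and save steps; if it warns, the Git provider will display the commit as signed but not “Verified”, which is the symptom of a UID/email mismatch.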
Verify Git PGP commit signing
Run git commit after the procedure above, then view the signature notes:
git log --show-signature
The output will start with
gpg: Signature made
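Reading git log --show-signature by eye is fine for one commit; for a whole branch it helps to audit the machine-readable signature status instead. The following added example (not from the original post) uses Git’s %G? placeholder, which reports G for a good signature, U for a good signature from an untrusted key, B for a bad signature, N for no signature and other letters for expired or revoked keys, together with %GK (the signing key ID) and %ae (author email). It flags every commit that is not well signed, and optionally every commit signed with a key other than the expected one. The log lines are constructed sample data so the script runs offline; the hashes and bob@example.com are placeholders.

```shell
#!/bin/sh
# Added example: audit signature status of commits from
#   git log --format='%H%x09%G?%x09%GK%x09%ae'
# (%x09 is a tab, so fields survive an empty %GK on unsigned commits).

# CONSTRUCTED sample log: one good commit, one unsigned (N), one with a bad
# signature (B) and one good-but-untrusted (U) commit from a different key.
SAMPLE_LOG="$(printf '%s\t%s\t%s\t%s\n' \
  9f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c G 05F2BD2A525007DF jane@example.com \
  8e0d1c2b3a495867758695a4b3c2d1e0ff0e1d2c N '' jane@example.com \
  7d9c0b1a29384756647584a3b2c1d0efee0d1c2b B 05F2BD2A525007DF jane@example.com \
  6c8b9a0918273645536473a2b1c0dfedfd0c1b2a U 1111111111111111 bob@example.com)"

# Print "shorthash<TAB>reason<TAB>author" for every commit in log $1 that is
# not acceptably signed. If $2 (expected key ID) is non-empty, a good
# signature from any other key is flagged too.
flag_commits() {
  printf '%s\n' "$1" | awk -F'\t' -v want="$2" '
    NF < 4 { next }   # skip blank or malformed lines
    {
      good = ($2 == "G" || $2 == "U")
      if (good && (want == "" || $3 == want)) next
      if (good)            reason = "signed with unexpected key " $3
      else if ($2 == "N")  reason = "unsigned"
      else if ($2 == "B")  reason = "bad signature"
      else                 reason = "signature status " $2
      printf "%s\t%s\t%s\n", substr($1, 1, 12), reason, $4
    }'
}

# Return 0 when nothing is flagged, 1 otherwise (usable as a CI gate).
audit_commits() {
  [ -z "$(flag_commits "$1" "$2")" ]
}

# Live usage on a real repository (needs git and gpg; not executed here):
#   log="$(git log --format='%H%x09%G?%x09%GK%x09%ae' origin/main..HEAD)"
#   flag_commits "$log" "$(git config --get user.signingkey)"
#   audit_commits "$log" "$(git config --get user.signingkey)" || echo "unsigned or unexpected commits found" >&2
```

Treating U as acceptable mirrors what a CI runner sees when the author’s public key is imported but not trusted; drop U from the check if the runner’s keyring carries trust settings, as the trust step above sets up on your own machine.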
Temporarily disable Git commit signing
If you temporarily lose access to your GPG passphrase, you won’t be able to commit.
A temporary workaround is to set
git config commit.gpgsign false
or simply add the --no-gpg-sign option, like:
git commit -am "msg" --no-gpg-sign
Alternatively, if you prefer not to sign by default, you can sign only certain commits with
git commit -S
Note that’s a capital “S”.