Git PGP signed commits using Keybase

Git signed commits help verify the Git author's identity using PGP. Optionally, a user or organization can set rules requiring PGP-signed commits on Git providers such as GitHub and GitLab.

Public PGP IDs can help verify author identity for Git commits, social media, websites, etc. A popular free service for sharing PGP IDs is Keybase. Below we demonstrate using a Keybase PGP ID with Git via the keybase command-line client.

Setup GPG on the laptop:

  • Linux: apt install gnupg
  • macOS: brew install gnupg
  • Windows: install GPG with the Kleopatra binary installer.

Export the public and private keys from Keybase and import them into GPG:

keybase pgp export | gpg --import

keybase pgp export --secret | gpg --pinentry-mode=loopback --allow-secret-key --import

With older GnuPG versions, you may need to omit the --pinentry-mode=loopback option.

The GPG private key used for signing is passphrase protected; this passphrase is distinct from the Keybase account password.

Verify that the PGP key was imported:

gpg --list-secret-keys --keyid-format LONG

The first lines will be like:

sec   rsa4096/05F2BD2A525007DF

The hexadecimal part after the / is the public key ID that references the keypair. It is shown on your Keybase public profile, next to the key icon.

Add the email address verified with your Git provider (GitHub or GitLab) to the PGP key. For commits to show as "Verified" on the Git provider, at least one of your provider-verified email addresses must match the Git author email:

git config --get user.email

Edit the key using its GPG public ID:

gpg --edit-key 05F2BD2A525007DF

In the interactive GPG session that launches, type

adduid

and enter the Name and the Email address, which must exactly match the GitHub verified email address. I also add the fake email that I always use to avoid spam. Do adduid twice: once for the real GitHub verified email address and again for the fake email.

Add "trust" from the GPG> prompt:

trust

Since the key is your own, perhaps a trust level of 5 is appropriate. Type

save

to save changes, which may not show up until exiting and reentering the GPG> prompt.

Configure Git to use the Keybase public hex key ID (shown next to the key icon on your public profile), as in the example below:

git config --global user.signingkey 05F2BD2A525007DF

git config --global commit.gpgsign true

Add the GPG public key to the Git provider: copy and paste the output of the following command into the GPG Keys settings of GitHub or GitLab. This is done once per person, not once per device:

gpg --armor --export 05F2BD2A525007DF


On Windows, additionally run (in PowerShell; the `ProgramFiles(x86)` variable must be written inside `${...}` because of the parentheses in its name):

git config --global gpg.program "${Env:ProgramFiles(x86)}\GnuPG\bin\gpg.exe"


On macOS, additionally run

brew install pinentry-mac

and add to ~/.zshrc:

export GPG_TTY=$TTY


GPG can be used to sign Git commits and tags, and can also be disabled per commit.

Verify Git PGP commit signing

Make a Git commit after completing the procedure above, then view the signature details:

git log --show-signature

Each signed commit's entry will include lines starting with

gpg: Signature made
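The two conditions this setup depends on, the author email matching a UID on the signing key and every commit carrying a good signature, can be checked from the output of `gpg --list-keys --with-colons` and `git log --format='%H %G? %GK'`. The following is an added example, not code from the original post; the sample key listing and log lines are constructed (the key ID is the one used on this page):

```shell
# Added example, not from the original post: two offline checks for this setup.
# Sample inputs below are constructed, using the key ID from this page.

# Check 1: is the Git author email ($1) one of the key's UIDs?
# stdin = output of `gpg --list-keys --with-colons <KEYID>` (uid is field 10).
email_in_key_uids() {
  want="$1"
  found=1
  while IFS= read -r line; do
    case "$line" in
      uid:*)
        uid=$(printf '%s\n' "$line" | cut -d: -f10)
        addr=${uid##*<}      # keep text after the last '<'
        addr=${addr%%>*}     # drop everything from '>' onward
        [ "$addr" = "$want" ] && found=0
        ;;
    esac
  done
  return $found
}

# Check 2: count commits whose signature is not fully verified.
# stdin = output of `git log --format='%H %G? %GK'`; %G? is G for a good,
# trusted signature, N for unsigned, E for unverifiable (key missing), etc.
count_unverified_commits() {
  n=0
  while read -r hash status key; do
    [ -n "$hash" ] || continue
    [ "$status" = "G" ] || n=$((n + 1))
  done
  echo "$n"
}

# Constructed sample data
SAMPLE_KEY='pub:u:4096:1:05F2BD2A525007DF:1600000000:::u:::scESC::::::23::0:
uid:u::::1600000000::0123456789ABCDEF0123456789ABCDEF01234567::Jane Doe <jane@example.com>::::::::::0:
uid:u::::1600000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Jane Doe <nospam@example.com>::::::::::0:'
SAMPLE_LOG='1111111 G 05F2BD2A525007DF
2222222 N
3333333 E 0000000000000000'

if printf '%s\n' "$SAMPLE_KEY" | email_in_key_uids jane@example.com; then
  echo "author email matches a key UID"
fi
echo "unverified commits: $(printf '%s\n' "$SAMPLE_LOG" | count_unverified_commits)"
```

On a real repository, pipe `gpg --list-keys --with-colons "$(git config user.signingkey)"` into the first check with `git config user.email`, and `git log --format='%H %G? %GK'` into the second.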

Temporarily disable Git commit signing

If you temporarily lose access to your GPG passphrase, you won't be able to commit. A temporary workaround is to set

git config commit.gpgsign false

or to add the --no-gpg-sign option to a single commit:

git commit -am "msg" --no-gpg-sign

Alternatively, if you prefer not to sign by default, you can sign only certain commits with

git commit -S

Note that this is a capital "S".