Commit Signing

Last updated: May 2025

What is Commit Signing?

In Git, you may commit using any name and email address. However, Git supports signing commits and annotated tags using a GPG or SSH key pair.

By signing a commit, others with your public key can verify that the commit was created by you. Public keys can also be uploaded to remote hosting services like GitHub so commits appear as verified.

Commit Signing with GPG

Requirements

Before signing commits, install and configure GPG.

• Windows: Use Gpg4win and follow the installer.
• Mac: Use Homebrew:

  brew install gpg

• Linux: Use your package manager:
  • Debian/Ubuntu: apt install gnupg
  • Fedora: dnf install gnupg2
  • CentOS/RHEL: yum install gnupg2

More downloads at gnupg.org.

To verify installation:

gpg --version

Generate a GPG Key in GitKraken

Once GPG is installed:

1. Go to Preferences > Commit Signing.
2. Click Generate new GPG Key.
3. (Optional) Enter a passphrase before generating.

Configure GPG in GitKraken

1. Navigate to Preferences > Commit Signing.
2. Set the Signing Key from the dropdown list. If it’s empty:
   • Configure the GPG Program path.
   • Restart GitKraken after installing GPG.
3. Specify the GPG Program location or use the Browse button if not auto-detected.

   which gpg # macOS/Linux
   where gpg # Windows

   

4. Enable Sign Commits by Default and/or Sign Tags by Default as needed.

Verifying Signed Commits

Signed commits show an icon next to the SHA in the Commit Panel.

Hover to view signature details:

Common GPG signature codes:

• GOODSIG: Valid signature.
• EXPSIG: Signature is expired.
• EXPKEYSIG: Signed with expired key.
• REVKEYSIG: Signed with revoked key.
• BADSIG: Signature not verified.
• ERRSIG: Unable to check signature (missing key or unsupported algorithm).

Uploading GPG Key to Hosting Service

To display signed commits as verified:

• GitHub GPG setup
• GitLab GPG setup
• Bitbucket GPG setup

In GitKraken: Preferences > GPG → Copy GPG Public Key.

Editing a GPG Key

To add emails or renew a key:

1. List keys:

   gpg --list-secret-keys --keyid-format LONG

   

2. Edit:

   gpg --edit-key YOUR_KEY_ID

3. Use commands:
   • adduid: Add email
   • deluid: Remove email
   • trust: Update trust level
   • expire: Change expiration
   • save: Save and exit

GNU’s full GPG key guide

After editing, re-upload the key to your host. See Uploading Your GPG Key to a Remote Hosting Service.

Deleting a GPG Key

To delete:

gpg --delete-secret-keys

Append your key ID or name.

Commit Signing with SSH

SSH signing is available through Git Executable.

Requirements

• macOS/Linux: Git and OpenSSH are usually preinstalled.

  git -v
  ssh -V

• Windows: Install Git Bash.

Steps to Enable SSH Signing

1. Create SSH key:

   ssh-keygen -t ed25519 -C "[email protected]"

   

2. Enable Git Executable:
   Go to Preferences > Experimental > Git Executable.

   

3. Set GPG Format to SSH:
   Preferences > Commit Signing > GPG Format → select SSH.

4. Select signing key:
   On Signing Key, browse to the .pub key.

5. Create allowed_signers file:

   touch ~/.ssh/allowed_signers
   echo "$(git config --get user.email) namespaces="git" $(cat ~/.ssh/YOUR_KEY.pub)" >> ~/.ssh/allowed_signers

   Select this file in GitKraken.

6. Enable Signing by Default:
   Preferences > Commit Signing → enable Sign Commits and/or Sign Tags.

7. Add SSH Key to Host:

   • GitHub SSH setup
   • GitLab SSH setup
   • ⚠️ Bitbucket does not support SSH-signed commit verification.