I recently learned that you can simply sign your Git commits with your SSH key (Git 2.34 and later). With that there is no need for a (rather complex) PGP/GPG setup: just re-use the SSH key you are probably already using to authenticate to your git remote.

This is already supported by GitHub [1] and GitLab [2]. Once you have uploaded the public key to your account as a signing key (GitHub distinguishes authentication keys from signing keys, so the key you already use for pushing has to be added a second time as a signing key), you will see a green check mark or "Verified" next to your commit message.

Signed Commit in GitHub

You only need the following in your .gitconfig (I named the example file .gitconfig-sign, but you can just add it to your regular .gitconfig): set gpg.format to ssh and point user.signingkey at the SSH key you want to use for signing. That's it.

Git configuration

If you want to sign a single commit explicitly, use the -S flag when committing. But as shown above, you can simply enable it for all commits by setting gpgsign = true in the [commit] section.

git commit -S -m "I'm signed"

Now might be a good time to add a passphrase to your SSH key: anyone who can read the unencrypted private key can sign commits as you. If you already have a key, you can add a passphrase with the following command:

ssh-keygen -p -f ~/.ssh/id_ed25519

If you have multiple keys, the -f flag selects the private key that gets the passphrase.

If you don't want to type your passphrase for every commit, add this setting to your ~/.ssh/config so the key is loaded into your key agent the first time ssh uses it; git signs through ssh-keygen, which uses the agent whenever it holds the key. Note that AddKeysToAgent is an option of the ssh client, so the key only lands in the agent after an actual SSH connection (for example your next fetch or push); if you sign before that, load it manually with ssh-add. And if your ssh agent is not running, head over to this post and enable it.

AddKeysToAgent yes

Sources