Signing Git Commits with GPG and SSH: A Complete Guide
When collaborating on a Git project, ensuring the authenticity of commits is crucial for security and accountability. Git provides two primary methods for signing commits: GPG (GNU Privacy Guard) and SSH (Secure Shell). Both methods allow you to verify that commits are indeed from the person who claims to have made them.
In this guide, we’ll walk you through the process of signing Git commits using both GPG and SSH, with instructions for Windows, macOS, and Linux. We’ll also cover the pros and cons of each approach to help you choose the best one for your needs.
🧾 What Is Commit Signing?
Commit signing in Git is the process of associating your commits with a cryptographic signature, ensuring that the commit is authentic and has not been tampered with. There are two types of signatures commonly used:
- GPG (GNU Privacy Guard): Uses asymmetric encryption to sign your commits with a private key and verify them with a corresponding public key.
- SSH (Secure Shell): GitHub and some Git hosting services allow you to sign commits using your SSH key instead of GPG.
🔏 GPG Commit Signing Guide
GPG on Windows
- Install GPG:
- Download and install Gpg4win (which includes GPG and Kleopatra) for Windows.
- Generate a GPG Key:
- Open the Kleopatra application (it comes with Gpg4win).
- Go to File → New Certificate and choose Create a personal OpenPGP key pair.
- Follow the prompts to generate your GPG key, and make sure to set a passphrase for security.
- Configure Git to Use GPG:
- Open Git Bash and configure Git to use your GPG key:
1 2 3
git config --global user.signingkey YOUR_KEY_ID git config --global commit.gpgsign true # optional - to automatically sign every commit git config --global gpg.program "/c/Program Files (x86)/GnuPG/bin/gpg.exe"
- Open Git Bash and configure Git to use your GPG key:
- Add the GPG Key to GitHub:
- Export the public key from Kleopatra and copy it.
- Go to your GitHub settings → SSH and GPG keys → New GPG key and paste your public key.
- Sign Your Commits:
- To sign your commits, simply use the
--gpg-signflag:1
git commit --gpg-sign -m "Your commit message"
- To sign your commits, simply use the
GPG on macOS
- Install GPG:
- Install GPGTools from GPGTools.org.
- Generate a GPG Key:
- Open GPG Keychain and follow the prompts to generate a new key pair.
- Configure Git to Use GPG:
- Open the terminal and run:
1 2
git config --global user.signingkey YOUR_KEY_ID git config --global commit.gpgsign true # optional - to automatically sign every commit
- Open the terminal and run:
- Add the GPG Key to GitHub:
- Export your public key from GPG Keychain, copy it, and then add it to your GitHub account as mentioned earlier.
- Sign Your Commits:
- Use the following command to sign your commits:
1
git commit --gpg-sign -m "Your commit message"
- Use the following command to sign your commits:
GPG on Linux
- Install GPG:
- Install GPG using your package manager:
1 2 3
sudo apt-get install gnupg # For Debian/Ubuntu sudo yum install gnupg # For CentOS/RHEL sudo zypper install gnupg # For OpenSUSE/SLES
- Install GPG using your package manager:
- Generate a GPG Key:
- Run the following command to generate a key:
1
gpg --full-generate-key
- Run the following command to generate a key:
- Configure Git to Use GPG:
- After generating your key, list all GPG keys:
1
gpg --list-secret-keys --keyid-format LONG
- Configure Git to use your key:
1 2
git config --global user.signingkey YOUR_KEY_ID git config --global commit.gpgsign true # optional - to automatically sign every commit
- After generating your key, list all GPG keys:
- Add the GPG Key to GitHub:
- Export the public key:
1
gpg --armor --export YOUR_KEY_ID
- Copy and add it to your GitHub account as mentioned above.
- Export the public key:
- Sign Your Commits:
- Use the following command to sign your commits:
1
git commit --gpg-sign -m "Your commit message"
You can omit -S if you have chosen to sign every commit!
- Use the following command to sign your commits:
🔑 SSH Commit Signing Guide
SSH on Windows, macOS, and Linux
GitHub allows you to use your SSH key to sign commits. If you’re using SSH with GitHub, follow these steps:
- Ensure You Have an SSH Key:
- Check if you already have an SSH key by running:
1
ls -al ~/.ssh
- If you don’t have one, generate it using:
1
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
- Check if you already have an SSH key by running:
- Add Your SSH Key to GitHub:
- Copy your SSH public key (
~/.ssh/id_rsa.pub) and add it to GitHub under Settings → SSH and GPG keys → New SSH key.
- Copy your SSH public key (
- Configure Git to Use SSH for Signing:
- Configure Git to use your SSH key for signing commits:
1 2 3
git config --global gpg.format ssh git config --global user.signingkey YOUR_SSH_KEY_ID git config --global commit.gpgsign true # optional - to automatically sign every commit
- Configure Git to use your SSH key for signing commits:
- Sign Your Commits:
- Once configured, you can sign your commits with SSH using the following command:
1
git commit -S -m "Your commit message"
You can omit -S if you have chosen to sign every commit!
- Once configured, you can sign your commits with SSH using the following command:
⚖️ GPG vs. SSH: Pros and Cons
Both GPG and SSH provide a way to sign commits, but each has its own advantages and disadvantages.
🛡️ GPG
Pros:
- Widely supported: GPG is supported by all major Git hosting platforms (GitHub, GitLab, Bitbucket).
- Increased security: It uses strong encryption algorithms, ensuring the authenticity of commits.
- Better flexibility: GPG allows signing commits with specific identities and offers more granular control over signing.
Cons:
- Complex setup: Setting up GPG keys and configuring Git to use them can be a bit tricky, especially for beginners.
- Key management: You need to securely store and manage your private key, which can be cumbersome if you use multiple machines.
🔐 SSH
Pros:
- Simple setup: If you already use SSH keys for GitHub, signing commits with SSH is relatively easy to set up.
- No need for additional software: SSH key signing doesn’t require additional tools like GPG, and it integrates well if you’re already familiar with SSH for Git operations.
Cons:
- Limited support: SSH commit signing is currently only supported by GitHub and GitLab, so it’s less portable across different platforms compared to GPG.
- Less flexibility: SSH signing does not provide the same level of granularity or identity management as GPG.
🧠 Final Thoughts
Both GPG and SSH offer secure methods for signing your Git commits, with each having its own strengths and weaknesses. GPG is ideal for those who need a highly secure and flexible method for signing commits across multiple platforms, while SSH is great for those already integrated with GitHub and looking for a simpler setup.
Choose the method that best fits your workflow and security needs. Whether you go with GPG or SSH, commit signing is a great way to add an extra layer of trust and authenticity to your development process.