How to Sign Your Git Commits with SSH Keys (No GPG Hassle)

You have likely seen the "Verified" badge next to commits on GitHub. While GPG was the standard for this, it can be complex to set up. If you already use SSH keys, you can now use them to sign your commits directly. It is simpler, faster, and just as secure.

Why This Matters

  • Prove authorship: Assure others that the code actually came from you.
  • Verified Badge: Get that cool green checkmark next to your commits on GitHub/GitLab.
  • Simpler than GPG: No need to manage complex key rings; reuse your existing SSH keys.

Step 1: Verify Your SSH Key

Ensure you have an SSH key added to your agent and GitHub (see our previous guides).

# Check if you have SSH keys available
ls -al ~/.ssh
 
# Ensure the key is added to the agent
ssh-add -l

Step 2: Configure Git to Use SSH for Signing

Tell Git to use your SSH key for signing operations.

# Set the signing format to SSH
git config --global gpg.format ssh
 
# Tell Git which SSH key to use for signing
# Note: You must point to the PUBLIC key (.pub file)
git config --global user.signingkey ~/.ssh/id_ed25519.pub

If you have multiple keys (e.g., work and personal), you should set this locally per repository instead of globally:

cd ~/projects/work-project
git config user.signingkey ~/.ssh/id_gitlab_work.pub

Step 3: Sign a Commit

Now you can sign your commits.

# Commit with the -S flag to sign
git commit -S -m "Add new feature with verified signature"
 
# Or enable signing for all commits automatically
git config --global commit.gpgsign true

Alternative: Manually Edit the Global Git Config File

If you prefer editing configuration files directly instead of using git config commands, you can manually add these settings to your global .gitconfig file.

  1. Locate the file:

    • Linux/macOS: ~/.gitconfig
    • Windows: C:\Users\YourUsername\.gitconfig
  2. Open the file in your favorite text editor.

  3. Add the following configuration block (replace the key path with your actual public key path):

    [gpg]
        format = ssh
    [user]
        signingkey = ~/.ssh/id_ed25519.pub
    [commit]
        gpgsign = true

This achieves the same result as the commands in Step 2 and Step 3.

Step 4: Verify the Signature

Check that the commit was signed correctly.

# View the log with signature information
git log --show-signature
 
# You should see output indicating "Good signature"

When you push this to GitHub, you will see the "Verified" badge appear next to your commit.
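For the local check in Step 4, Git needs a list of trusted SSH signing keys, set through gpg.ssh.allowedSignersFile; without it, git log --show-signature cannot report a good signature. The script below is an added example, not part of the original article. Its function names, the script name in the usage comment, and the ~/.config/git/allowed_signers location are assumptions.

```shell
#!/bin/sh
# Added example: register an SSH public key as a trusted Git signer so that
# `git log --show-signature` can verify commits locally.

# Print one allowed_signers entry for EMAIL from the public key file PUBKEY.
# Entry format (ssh-keygen(1), ALLOWED SIGNERS): principals [options] keytype key
allowed_signers_line() {
    email=$1 pubkey=$2
    [ -r "$pubkey" ] || { echo "cannot read $pubkey" >&2; return 1; }
    # A .pub file is "keytype base64-key [comment]"; the comment is dropped.
    read -r keytype keydata _comment < "$pubkey" || [ -n "$keytype" ] || return 1
    case $keytype in
        ssh-*|ecdsa-*|sk-*) ;;   # public key types; a private key file fails here
        *) echo "$pubkey is not a public key (.pub) file" >&2; return 1 ;;
    esac
    [ -n "$keydata" ] || { echo "$pubkey has no key data" >&2; return 1; }
    # namespaces="git" limits this trust entry to Git signatures.
    printf '%s namespaces="git" %s %s\n' "$email" "$keytype" "$keydata"
}

# Append the entry to FILE unless the identical line is already present.
add_signer() {
    file=$1
    line=$(allowed_signers_line "$2" "$3") || return 1
    mkdir -p "$(dirname "$file")" && touch "$file" || return 1
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Usage: sh trust-signer.sh you@example.com ~/.ssh/id_ed25519.pub
if [ "$#" -eq 2 ]; then
    # Assumed location; any path works as long as Git is pointed at it.
    signers=${XDG_CONFIG_HOME:-$HOME/.config}/git/allowed_signers
    add_signer "$signers" "$1" "$2" &&
        git config --global gpg.ssh.allowedSignersFile "$signers" &&
        git log --show-signature -1
fi
```

Run it from inside a repository whose latest commit you signed. The email you pass is the name Git prints for that key when the signature verifies.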


⚠️ Important Reminders

  1. Public Key Path: When setting user.signingkey, ensure you point to the .pub file. If you point to the private key, Git might complain depending on the version.
  2. Agent Required: Your SSH key must be loaded in the ssh-agent for signing to work without a password prompt every time.

Pro Tips

  • If signing fails with "error: gpg failed", ensure gpg.format is set to ssh.
  • On GitHub, go to Settings -> SSH and GPG keys and make sure the key you are using is listed there.
  • SSH commit signing requires Git version 2.34 or later and is supported by GitHub and GitLab.

Ditch GPG and start signing with the keys you already use! 🎉