Sign Git Commits with OpenPGP Key (GitHub)

Coding

In this tutorial I will describe how to use Git to sign commits with an OpenPGP key. A valid signature lets anyone verify that the commit was created by whoever holds the matching private key, and GitHub displays such commits as signed (“Verified”) once the public key is registered to your account.

I’m going to assume that you’ve already created an OpenPGP key. Otherwise you can search the net for instructions, or get what you need from my tutorial on Nitrokey Pro 2.

Determine OpenPGP public key

In a terminal, list the keys in your keyring with the following command (the long key-ID format prints the 16-hex-digit key ID that is used below):

gpg --keyid-format long --list-keys

This lists every public key in your keyring, including other people’s keys you may have imported; pick the entry with your own user ID:

pub   rsa2048/AA10842DB9E8432A 2019-05-29 [SC]
      BF63605C4D5AF4F03D2E05CDAA10842DB9E8432A
uid                 [ultimate] John Doe <john.doe@example.org>
sub   rsa2048/FAE183B64746EEEE 2019-05-29 [E]

Copy the key ID from the “pub” line, in my case “AA10842DB9E8432A” (the 40-hex-digit line below it is the full fingerprint; its last 16 digits are that key ID). Now export the public key in ASCII-armored form with the following command, substituting your own key ID:

gpg --armor --export AA10842DB9E8432A

Copy the whole output, including the BEGIN and END lines, and go to GitHub: user settings, “SSH and GPG keys”, “New GPG key”, and paste the exported public key into the field. For GitHub to show the commit as “Verified”, the e-mail address in the key’s user ID (john.doe@example.org above) must be one of the verified addresses of your GitHub account, and the same address must be configured as user.email in Git. That is all that is needed on the GitHub side.

Configure Git

In order for Git to sign commits, a few settings are needed on your machine. Tell Git which key to use with the following command:

git config --global user.signingkey AA10842DB9E8432A

Again, substitute your own key ID (the full fingerprint also works and is unambiguous). If you want every commit signed automatically, without passing -S each time, also run:

git config --global commit.gpgsign true

Finally, tell GnuPG which terminal to use for the passphrase prompt. Without this, pinentry cannot open a dialog and signing fails with “gpg: signing failed: Inappropriate ioctl for device”:

echo 'export GPG_TTY=$(tty)' >> ~/.profile
source ~/.profile

Now you can sign commits; the -S flag is only needed if you did not enable commit.gpgsign above:

git commit -S -m "your commit message"
git push

If everything worked, the commit appears on GitHub with a “Verified” badge.
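The whole procedure as one script, added here as an example and not part of the original post. The parsing helpers run on a constructed listing copied from the output shown above, and check that the key ID really is the tail of the fingerprint before it is handed to Git. The --demo path, which needs gpg, git and your own secret key, reads the keyring with --list-secret-keys rather than --list-keys (so only keys you hold the private part of are considered), signs one commit in a throwaway repository using repository-local config so your --global settings stay untouched, and verifies the signature locally before anything is pushed.

```shell
#!/bin/sh
# Added example: automate the signing setup above and verify the result locally.
# Parsing helpers run on a constructed listing (copied from the tutorial's output);
# the --demo path needs gpg, git and a secret key in your keyring.
set -eu

# Constructed sample: the listing from the tutorial, in current gpg layout.
SAMPLE_LISTING='pub   rsa2048/AA10842DB9E8432A 2019-05-29 [SC]
      BF63605C4D5AF4F03D2E05CDAA10842DB9E8432A
uid                 [ultimate] John Doe <john.doe@example.org>
sub   rsa2048/FAE183B64746EEEE 2019-05-29 [E]'

# Print the long key ID of the first primary key in a gpg listing read on stdin.
# Matches "pub" lines (--list-keys) and "sec", "sec#" and "sec>" lines
# (--list-secret-keys; "#" = secret part absent, ">" = secret part on a smartcard).
keyid_from_listing() {
    sed -n \
        -e 's|^pub  *[^/]*/\([0-9A-Fa-f]\{16\}\) .*|\1|p' \
        -e 's|^sec[#>]*  *[^/]*/\([0-9A-Fa-f]\{16\}\) .*|\1|p' |
        head -n 1
}

# Print the first full fingerprint (the 40-hex-digit line under the key line).
fingerprint_from_listing() {
    sed -n 's|^ *\([0-9A-Fa-f]\{40\}\) *$|\1|p' | head -n 1
}

# The long key ID is by definition the last 16 hex digits of the fingerprint;
# checking this catches a copy-and-paste of the wrong ID. Case-insensitive.
keyid_matches_fingerprint() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    have=$(printf '%s' "$2" | tail -c 16 | tr 'a-f' 'A-F')
    [ "$want" = "$have" ]
}

# Sign one commit in a throwaway repository and verify it. Repository-local
# config (no --global) so the demo does not change your real Git settings.
demo() {
    listing=$(gpg --keyid-format long --list-secret-keys)
    keyid=$(printf '%s\n' "$listing" | keyid_from_listing)
    fp=$(printf '%s\n' "$listing" | fingerprint_from_listing)
    [ -n "$fp" ] || { echo "no secret key found" >&2; exit 1; }
    keyid_matches_fingerprint "$keyid" "$fp" ||
        { echo "key ID $keyid does not match fingerprint $fp" >&2; exit 1; }

    GPG_TTY=$(tty); export GPG_TTY                # let pinentry prompt on this terminal

    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" config user.signingkey "$fp"   # full fingerprint: unambiguous
    git -C "$repo" config commit.gpgsign true     # sign every commit without -S
    git -C "$repo" commit -q --allow-empty -m "signed test commit"

    # Exit status 0 only for a good signature from a key in the local keyring.
    git -C "$repo" verify-commit HEAD
    # %G? prints "G" for a good signature, %GK the key ID that produced it.
    git -C "$repo" log -1 --format='status=%G? key=%GK'
    rm -rf "$repo"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as “sh sign-demo.sh --demo” from a real terminal (the GPG_TTY line needs one). A status other than “G” from the last command, or a non-zero exit from git verify-commit, means GitHub will not show the commit as “Verified” either, so this is the place to debug before pushing.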

[Screenshot: GitHub showing the signed commit]
