learn.colinkim.dev

Git: signing commits with SSH

Learn how to cryptographically sign your commits so GitHub can verify they actually came from you, using SSH keys you may already have.

By default, anyone can make commits that look like they came from you — Git only records the name and email you configure. Commit signing adds cryptographic proof that a commit genuinely came from someone who holds the signing key.

On GitHub, signed commits display a “Verified” badge. This proves the commit was not tampered with and came from an authenticated contributor.

SSH vs GPG signing

Git supports two signing methods:

  • SSH keys — simpler to set up, can reuse existing authentication keys
  • GPG keys — more powerful (supports expiration and revocation) but harder to configure

SSH signing is the easier starting point for most developers. This lesson covers SSH signing.

Generate a signing SSH key

If you already have an SSH key you use for authentication, you can reuse it for signing. Creating a dedicated signing key works too:

ssh-keygen -t ed25519 -C "you@example.com"

This generates a key pair in your ~/.ssh/ directory:

  • id_ed25519 — your private key (never share this)
  • id_ed25519.pub — your public key (you will upload this to GitHub)

Tell Git to use SSH for signing

Configure Git to use SSH signatures instead of GPG:

git config --global gpg.format ssh

Then point Git at your public key:

git config --global user.signingkey ~/.ssh/id_ed25519.pub

This tells Git which key to use when signing commits.

Enable automatic signing (optional)

By default, you must explicitly sign each commit with -S. If you want every commit signed automatically:

git config --global commit.gpgSign true

If you prefer to sign selectively, skip this step and use -S when needed.

Add your SSH key to GitHub as a signing key

For GitHub to display the “Verified” badge, it needs to know your public key. Upload it as a signing key:

  1. Copy your public key:
cat ~/.ssh/id_ed25519.pub
  2. Go to GitHub Settings > SSH and GPG keys > New SSH key.
  3. Paste the key and set the key type to “Signing Key” (not “Authentication Key”).

You can upload the same SSH key for both authentication and signing — they serve different purposes, and GitHub has no limit on signing keys per account.

Sign a commit

If you have not enabled automatic signing, sign a commit with -S:

git commit -S -m "Add login form"

To verify the signature locally:

git log --show-signature -1

This prints the signature details for the most recent commit.

What happens on GitHub

Push your signed commit to GitHub as usual:

git push

GitHub verifies the signature against the SSH keys registered to your account and displays a “Verified” badge next to the commit in the web interface:

abc1234 (Verified) Add login form

If your key is not registered on GitHub, the commit shows “Unverified” — the signature is cryptographically valid, but GitHub cannot confirm who owns the key.
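The whole flow above (generate a key, configure Git, sign, verify locally, and see what “Unverified” means) can be rehearsed end to end without touching your real keys or config. The script below is an added example, not part of the lesson or of Git itself. It constructs a throwaway ed25519 key pair, repository and identity (demo@example.com) in a temporary directory, keeps every git config call repository-local, and assumes Git 2.34 or newer and OpenSSH 8.2 or newer. Two details it adds to the lesson: local verification (git log --show-signature, git verify-commit) only works once gpg.ssh.allowedSignersFile points at a file mapping identities to keys, which is the local counterpart of the Signing Key you upload to GitHub; and user.signingkey is set to the private key path here because the lesson's .pub form relies on the private half being loaded in ssh-agent.

```shell
#!/bin/sh
# Added example, not from the original lesson: an end-to-end SSH commit
# signing walkthrough in a disposable temporary directory. The key pair,
# repository and identity (demo@example.com) are all constructed here, and
# every git config call is repository-local, so ~/.ssh and ~/.gitconfig are
# never touched. Needs Git >= 2.34 and OpenSSH >= 8.2 (ssh-keygen -Y).
set -eu

# Returns 0 when git and ssh-keygen are present and git is new enough for
# gpg.format=ssh (SSH signing landed in Git 2.34).
have_prereqs() {
    command -v git >/dev/null 2>&1 || return 1
    command -v ssh-keygen >/dev/null 2>&1 || return 1
    v=$(git --version | awk '{print $3}')
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 2 ]; then return 0; fi
    [ "$major" -eq 2 ] && [ "$minor" -ge 34 ]
}

# Runs the whole flow. Prints SKIP when prerequisites are missing, PASS when
# both verification outcomes match expectations, and fails otherwise.
demo_ssh_signing() {
    have_prereqs || { echo SKIP; return 0; }
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    key="$work/signing_key"
    repo="$work/repo"

    # 1. Dedicated ed25519 signing key. -N "" (no passphrase) is acceptable
    #    only because this key lives for the duration of the demo.
    ssh-keygen -q -t ed25519 -N "" -C "demo@example.com" -f "$key"

    # 2. Allowed-signers file: "<principal> <key-type> <base64 key>". This is
    #    the local stand-in for the Signing Key uploaded to GitHub: it is what
    #    ties a bare key back to an identity.
    printf 'demo@example.com %s\n' "$(cut -d' ' -f1,2 "$key.pub")" \
        > "$work/allowed_signers"
    : > "$work/empty_signers"   # a trust store that knows no keys at all

    # 3. Repository with signing configured (repo-local, not --global).
    git -c init.defaultBranch=main init -q "$repo"
    git -C "$repo" config user.name  "Demo User"
    git -C "$repo" config user.email "demo@example.com"
    git -C "$repo" config gpg.format ssh
    # The lesson points user.signingkey at the .pub file, which relies on the
    # private half being loaded in ssh-agent. The private key path works with
    # or without an agent; ssh-keygen finds the matching .pub beside it.
    git -C "$repo" config user.signingkey "$key"
    git -C "$repo" config commit.gpgSign true
    git -C "$repo" config gpg.ssh.allowedSignersFile "$work/allowed_signers"

    # 4. Commit. With commit.gpgSign=true no -S is needed.
    echo "hello" > "$repo/README"
    git -C "$repo" add README
    git -C "$repo" commit -q -m "Add README"

    # 5a. Verification against a trust store that lists the key succeeds
    #     (prints 'Good "git" signature for demo@example.com ...' on stderr).
    git -C "$repo" verify-commit HEAD

    # 5b. The same commit fails against a trust store that does not list the
    #     key: the signature is still cryptographically valid, but nobody can
    #     say whose key it is. This is the local equivalent of GitHub's
    #     "Unverified" badge for a key that was never uploaded.
    if git -C "$repo" -c gpg.ssh.allowedSignersFile="$work/empty_signers" \
           verify-commit HEAD 2>/dev/null; then
        echo "unexpected: signature from an unknown key was accepted" >&2
        return 1
    fi

    echo PASS
}

demo_ssh_signing
```

Run it as `sh demo.sh`; the only stdout is PASS (or SKIP on a machine without a recent git and ssh-keygen), while git's own verification messages go to stderr so you can read what a good signature and a "no principal matched" failure look like side by side.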

What to carry forward

  • commit signing proves commits actually came from you and were not tampered with
  • SSH signing is easier to set up than GPG for most developers
  • configure Git with gpg.format ssh and user.signingkey pointing to your public key
  • add your public key to GitHub as a “Signing Key” for the “Verified” badge
  • sign commits with git commit -S or enable automatic signing with commit.gpgSign true
  • GitHub’s web-based “Rebase and Merge” creates new unsigned commits — sign locally for full coverage

Signing commits is not required to use Git well, but it is a good habit for projects where you want a verifiable history of who made what changes.
