Why You Should Sign Your Commits Today
To be honest, I used to be very hesitant about signing commits. While I craved that professional green “Verified” badge on GitHub, dealing with GPG (GNU Privacy Guard) was a nightmare. Managing keys, renewing them, or syncing them across computers was a real pain.
Everything changed with Git version 2.34 (released in late 2021). Git now officially supports signing commits with SSH keys. This is something almost every developer already has on their machine for pushing code. No extra software to install, no complex GPG commands to learn.
Did you know that identity in Git is extremely loose? With just two commands, git config user.name and git config user.email, anyone can impersonate you. I once saw an intern play a prank by posing as the Tech Lead to commit buggy code. The whole team spent the morning tracking down the culprit because the logs showed the boss’s name, but the code… looked very suspicious. Signing commits ensures authenticity: it proves the code was definitely written by you and cannot be forged.
Signing commits with SSH keys offers three clear benefits:
- Leverage existing tools: Use the same SSH key (like Ed25519) you already use to push code.
- Lightning-fast setup: Takes less than 2 minutes to configure.
- Wide support: GitHub, GitLab, and Bitbucket all support displaying the green badge for this method.
Prerequisites
Your computer needs Git version 2.34 or higher. Check your version now with the following command:
git --versionIf you have an older version, update it immediately. Next, you need an SSH key pair. I recommend the Ed25519 algorithm. It’s both faster and more secure than the old RSA standard (Ed25519 is only 256-bit but offers security equivalent to RSA 3072-bit):
ssh-keygen -t ed25519 -C "[email protected]"Pro Tip: Always set a passphrase for your key. It’s the final layer of protection if your computer ever falls into the wrong hands.
3 Steps to Configure Commit Signing
We will tell Git to switch from the default signing mechanism (GPG) to SSH with a few simple commands.
Step 1: Switch signing format to SSH
git config --global gpg.format sshStep 2: Specify the Signing Key
Point Git to your Public Key file (the one ending in .pub):
git config --global user.signingkey ~/.ssh/id_ed25519.pubNote: On Windows, the path is usually C:/Users/Your_Name/.ssh/id_ed25519.pub.
Step 3: Enable Automatic Signing
Don’t bother typing the -S flag every time you commit. Enable it automatically for all projects:
git config --global commit.gpgsign true
git config --global tag.gpgsign trueConfiguration on GitHub/GitLab
This is the key step to getting that green badge. GitHub manages SSH keys for pushing code and SSH keys for signing separately, even if you use the same key for both.
- Go to Settings -> SSH and GPG keys on GitHub.
- Click New SSH Key.
- Under Key type, this is crucial: Select Signing Key.
- Paste the contents of your
id_ed25519.pubfile and save.
Verify the Results
Try creating a new commit and verify the signature locally:
git commit -m "Test signing with SSH"
git log --show-signature -1If you see the line Good signature from SSH key..., you’ve succeeded. However, Git might show a warning about allowed_signers. To resolve this and make Git trust yourself, do the following:
# Create a file to store the list of trusted keys
touch ~/.ssh/allowed_signers
# Add your email and key to the file
echo "$(git config --get user.email) $(cat ~/.ssh/id_ed25519.pub)" >> ~/.ssh/allowed_signers
# Declare this file to Git
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signersNow, when you push to GitHub, you’ll see the green Verified badge next to your commit. It doesn’t just make your profile look professional; it’s a strong statement of source code ownership. Don’t forget to copy your key pair when switching computers to keep your commit history consistent!
