When reviewing commit logs on GitHub, you have likely noticed a green “Verified” badge next to some commits. The badge means that the commit carries a cryptographic signature, that GitHub could verify that signature with a public key registered on a GitHub account, and that the committer email on the commit is a verified email address of that same account.
By default, Git lets anyone set any name and email with commands such as git config user.email, so impersonating another contributor in the commit metadata is trivial. Commit signing does not stop someone from typing your name, but it lets reviewers and tooling tell a commit you actually signed from one that merely claims to be yours, which is why it is strongly recommended.
In this guide, we will explore how to set up Git commit signing using GPG or SSH keys to earn your own “Verified” badges on GitHub.
1. What is Commit Signing?
Commit signing uses public-key cryptography: when you run git commit with signing enabled, Git signs the commit object (tree, parents, author and committer lines, and message) with your private key and stores the signature inside the commit in a gpgsig header. Anyone holding your public key can then check it.
This gives you two security properties:
- Authenticity and non-repudiation: only the holder of the private key can produce a valid signature, so a verified signature proves that key holder made the commit, and they cannot plausibly deny it later. Note that it is the signer (normally the committer) who is proven, not the name in the Author field.
- Integrity: the signature covers the whole commit object, so any change to the message, the metadata, or the tree it points to invalidates it.
While GPG (GNU Privacy Guard) keys were historically the only option, Git 2.34 and later can sign with SSH keys, and GitHub verifies SSH signatures as well. This makes the setup much simpler for developers who already use SSH keys to push code. We will focus on SSH key signing in this guide.
2. Setting Up SSH Key Commit Signing
Step 1: Locate or Generate an SSH Key
Identify the path to your SSH public key (typically ~/.ssh/id_ed25519.pub). If you do not have one, generate it with the command below; the -C value is only a comment stored in the key, so use any label you like:
ssh-keygen -t ed25519 -C "your_email@example.com"
You may reuse the key you already push with, but a dedicated signing key keeps the two roles separate and can be rotated independently.
Step 2: Configure Git to Use SSH for Signing
Run the following commands to tell Git to sign commits using your SSH key:
# Instruct Git to use SSH rather than GPG as the signature format
git config --global gpg.format ssh
# Point Git to your SSH key. The .pub path works when the private half is loaded in ssh-agent;
# without an agent, point at the private key file instead (e.g. ~/.ssh/id_ed25519)
git config --global user.signingkey ~/.ssh/id_ed25519.pub
Step 3: Enable Global Automatic Signing
To avoid typing -S on every commit, configure Git to sign all commits automatically (set tag.gpgSign to true as well if you want git tag to produce signed tags by default):
git config --global commit.gpgsign true
3. Registering the Key with GitHub
For GitHub to verify the signatures, you must upload the public signing key to your profile:
- Copy the contents of your public key (e.g., cat ~/.ssh/id_ed25519.pub).
- Navigate to your GitHub profile, then go to Settings > SSH and GPG keys.
- Click New SSH Key.
- In the Key type dropdown menu, select Signing Key (rather than Authentication Key). A key added only as an Authentication Key is not used for signature verification; if you want the same key for both roles, add it a second time as a Signing Key.
- Paste your public key and click Add SSH key.
4. Verifying the Configuration
Create a test commit in a repository (with commit.gpgsign set, no -S is needed):
git commit -m "chore: test signed commit"
You can inspect the signature locally with the log command:
git log --show-signature -n 1
Local verification of SSH signatures only works once gpg.ssh.allowedSignersFile points at an allowed-signers file: a text file with one line per trusted signer, consisting of the signer's email followed by the contents of their .pub file. Without it, Git prints an error saying that file needs to be configured instead of giving a verdict. With it in place, a successful check shows a line starting with:
Good "git" signature for your_email@example.com with ED25519 key SHA256:...
Once pushed, GitHub shows the green “Verified” badge next to your commit, provided the committer email matches a verified email address on the account that holds the signing key. If it does not, the commit is marked “Unverified” even though the signature itself is valid.
Conclusion
Setting up commit signing is a quick, high-impact security upgrade. With the support of SSH-based signing in modern Git releases, configuring this safety net is simpler than ever. Protect your code identity and start signing your commits today.
