Uniporn's Blog

Here I write about stuff I do, think or wish others would do

Signing git commits with GPG

February 29, 2020 — Uniporn

This post aims to enable you to sign your commits, sign past commits, remove accidental signatures and edit your config so that all of this takes less active thought.


Within this post I presume you have set user.email and user.name and therefore know of the global config file (.gitconfig in your $HOME) and the repo-specific config (.git/config in your repository), which overrides global settings. From there I will give you all you should need to know to sign future commits and to add signatures to commits you made before you knew how to sign them. The benefit of signing your commits should be obvious to you once you have set user.name to some arbitrary string that someone decided to be your name. You can put anything in there, so merely looking at git log gives you a fairy tale of who made a commit. To preserve proof for others and your future self of whether or not you wrote a commit, git is equipped to sign commits using GPG.

Setting the key to use

The setting that tells git which key to use is user.signingKey. So now the [user] section of your config should look something like this:

    [user]
        email = your@email.tld
        name = Bobby Fairytale
        signingKey = F348B9E7DD1CCE61A14E2C1D0A3AF5173C1DFE92

Now when you commit, the default is for the commit not to be signed. You can override that for a single commit using the -S flag, like this: git commit -a -S -m"Bobby Fairytale is not my real name, but you can look at the signature to know it."

Making signed commits the default

But since, at least within the same project, you want all of your commits signed, there is of course a way to make that the default: set commit.gpgSign to true. Note that gpgSign belongs to the [commit] section, not to [user]. So now your config looks like this:

    [user]
        email = your@email.tld
        name = Bobby Fairytale
        signingKey = F348B9E7DD1CCE61A14E2C1D0A3AF5173C1DFE92
    [commit]
        gpgSign = true

Committing unsigned against your new default

Now all your future commits will be signed, unless you actively choose otherwise by overriding the setting with the -c flag, which you can use to override literally any setting for a single git command. So to commit unsigned you now do this: git -c 'commit.gpgSign=false' commit -am'maybe I am Bobby Fairytale? You will never know, because I did not sign this commit.'

Adding signatures to past commits

Now you probably have some repositories where you want to add your signature to your commits. I actually didn't do this myself yet, so you will have to take my hint at the first answer at https://superuser.com/questions/397149/can-you-gpg-sign-old-commits (answered Sep 13 '16 at 14:32) with a grain of salt. However, I used their command git commit --amend --no-edit -S to add a signature to the last commit on the branch you're currently on.

Undoing a signature

When you find yourself mistaken about whether you committed the changes you want signed, like I did, you may want to undo the signature, because the commit was someone else's. To do so we will again make use of the -c flag, like this: git -c 'commit.gpgSign=false' commit --amend --no-edit.
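To check the result of signing, amending or un-signing, the following added example (not from the original post) lists every commit in a range together with its signature status, using the %G? placeholder of git log. The helper names sig_status and audit_signatures are made up for this illustration, and only a fully good signature counts as a pass.

```shell
#!/bin/sh
# Added example: audit the signatures of a commit range.
# sig_status and audit_signatures are hypothetical helper names.

# Translate git's %G? status code into words (codes per git-log "PRETTY FORMATS").
sig_status() {
    case "$1" in
        G) echo "good signature" ;;
        U) echo "good signature, key validity unknown" ;;
        X) echo "good signature, but it has expired" ;;
        Y) echo "good signature, made by an expired key" ;;
        R) echo "good signature, made by a revoked key" ;;
        B) echo "BAD signature" ;;
        E) echo "cannot be checked (public key missing?)" ;;
        N) echo "no signature" ;;
        *) echo "unknown status '$1'" ;;
    esac
}

# audit_signatures <repo> [<range>]
# Prints one line per commit; returns 0 if all are G, 1 if any is not,
# 2 if git log itself failed (for example on an unknown ref).
audit_signatures() {
    repo=$1
    range=${2:-HEAD}
    failed=0
    # %G? = signature status, %h = short hash, %an = author name as claimed
    list=$(git -C "$repo" log --format='%G? %h %an' "$range") || return 2
    while read -r code hash author; do
        [ -n "$code" ] || continue
        printf '%s  %-22s  %s\n' "$hash" "$author" "$(sig_status "$code")"
        [ "$code" = G ] || failed=1
    done <<EOF
$list
EOF
    return "$failed"
}
```

A commit signed with a key your keyring does not trust shows up as U, and one whose public key you do not have shows up as E, so both fail this check until you import and trust the signer's key.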

Closing thoughts

So you see I did take the hints from StackOverflow and cross-checked them with the man pages for git-commit and git-config, but didn't use the part about rebasing so far. So as always with tutorials from the internet: use your own brain, cross-check if possible, and create a test system when it is not. Be safe on your journey and happy signing.

Tags: tutorial, tools, git