Signing git commits and tags
Commit signing is a nice way to show proof you’re the author and build trust among your users and contributors. If you have a PGP setup it’s a must. It also allows you to get a Verified badge on the GitHub commit list.
And if you sign tags, you will get a badge near version numbers in the GitHub releases page, too.
Signing commits
You can sign a commit using
git commit -S -m 'some message'
or you can default to commit signing for the current repository
git config commit.gpgsign true
Of course, you can add the --global flag to set it for all repositories.
Signing tags
Here’s how you sign a tag. You will be asked for a message.
git tag -s 1.0.0
# OR
git tag -s 1.0.0 SOMECOMMITHASH
Since v2.23 (released in Q3 2019), Git supports a config setting to sign tags by default.
git config tag.gpgSign true
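Please note the case of the ‘s’ letters in the commands above compared to the ones for commit signing: git tag takes a lowercase -s, whereas git commit takes an uppercase -S. Git config variable names are case-insensitive, so the difference between tag.gpgSign and commit.gpgsign does not matter.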
An alternative
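An alternative compatible with Git versions < 2.23 may be setting two aliases. Git ignores aliases that hide its built-in commands, so the tag alias needs a name other than tag.
git config --global alias.cm 'commit -S'
# 'stag' is an arbitrary name; alias.tag would be ignored because it hides 'git tag'
git config --global alias.stag 'tag -s'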
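To check what a given repository will actually do, here is an added example (not from the original post) that reads commit.gpgsign and tag.gpgSign and applies the Git 2.23 cutoff mentioned above. The function names and the audit.sh file name are made up for illustration.

```sh
#!/bin/sh
# Added example: report whether a repository signs commits and tags by default.

# Succeeds if Git version string $1 (e.g. "2.39.2") is at least 2.23,
# the release the article names as the first to support tag.gpgSign.
supports_tag_gpgsign() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major$minor" in ''|*[!0-9]*) return 2 ;; esac   # unparseable
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 23 ]; }
}

# Pure decision logic: $1 = Git version, $2 = commit.gpgsign, $3 = tag.gpgSign
# (each "true" or "false"). Prints one line per finding and returns 0 only
# if both commits and tags are signed without extra flags.
signing_verdict() {
    rc=0
    if [ "$2" = true ]; then
        echo "commits: signed by default"
    else
        echo "commits: NOT signed by default (use 'git commit -S')"
        rc=1
    fi
    if [ "$3" = true ] && supports_tag_gpgsign "$1"; then
        echo "tags: signed by default"
    elif [ "$3" = true ]; then
        echo "tags: tag.gpgSign is set but Git $1 is not 2.23+ (use 'git tag -s')"
        rc=1
    else
        echo "tags: NOT signed by default (use 'git tag -s')"
        rc=1
    fi
    return "$rc"
}

# Read the effective values for the repository at $1 and judge them.
signing_defaults() {
    version=$(git version | sed 's/^git version //')
    commit_sign=$(git -C "$1" config --bool --get commit.gpgsign || echo false)
    tag_sign=$(git -C "$1" config --bool --get tag.gpgSign || echo false)
    signing_verdict "$version" "$commit_sign" "$tag_sign"
}

# Run against a path given on the command line, e.g.: sh audit.sh .
if [ "$#" -gt 0 ]; then signing_defaults "$1"; fi
```

A non-zero exit status means at least one of the two defaults is missing, which makes the script usable as a pre-release check.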
Hope it helps. Thanks for reading.