Signing git commits and tags

Show proof of your identity... and get the 'verified' badges on GitHub
Published on November 22, 2021 in How-tos
Read time: 1 min
Tags:

Releases page and signed commits of the VSCode repository on GitHub
Releases page and signed commits of the VSCode repository on GitHub

Commit signing is a nice way to show proof you’re the author and build trust among your users and contributors. If you have a PGP setup it’s a must. It also allows you to get a Verified badge on the GitHub commit list.

And if you sign tags, you will get a badge near version numbers in the GitHub releases page, too.

Signing commits

You can sign a commit using

git commit -S -m 'some message'

or you can default to commit signing for the current repository

git config commit.gpgsign true

Of course, you can add --global flag to set it for all repositories.

Signing tags

Here’s how you sign a tag. You will be asked for a message.

git tag -s 1.0.0
# OR
git tag -s 1.0.0 SOMECOMMITHASH

Since v2.23 (released in Q3 2019) Git supports a config setting to sign tags by default (commit).

git config tag.gpgSign true

Please note the cases for the ‘s’ letters in the commands above compared to the ones for commit signing.

An alternative

An alternative compatible with Git versions < 2.23 may be setting two aliases.

git config --global alias.cm 'commit -S'
git config --global alias.tag 'tag -s'

Hope it helps. Thanks for reading.



Comments

Got some words you want to share? Tell me!