Signing your commits in git

We’ll need your signature, mister

What do I need?

At the risk of being obvious, you need a gpg key. You might have one already if you sign your emails or store secrets in gopass.

Setting up the git configuration

I’m keeping work-related repositories in a different folder, using a conditional configuration. I recommend it because you split cleanly between work and personal stuff. This post contains extra details.

email =
signingkey = 7C58C79F397ED302595958045F0F068E59529E71
gpgsign = true

Visualizing signatures

There is a flag for git log that displays whether a commit is correctly signed (%G?). I use the following alias:

lg = log --pretty=format':%C(yellow)%h%Cred%d%Creset %C(green)%G?%Creset %s %C(cyan) %an, %ar%Creset'
43d4e36 (HEAD -> master) N fix typo Mario Fernandez, 13 hours ago b433463 (origin/master, origin/HEAD) N add on call talk Mario Fernandez, 4 days ago 
aae0b0c U Merge pull request #870 from sirech/dependabot/npm_and_yarn/eslint-7.22.0 dependabot-preview[bot], 7 days ago
showSignature = true


You can visualize this information in Github directly. You can add your gpg key following these instructions. It will end up looking like this:

That’s it?

Yes! If you don’t already have a gpg key, there is a bit of work involved. Honestly, you should probably have one. Adding some extra configuration and separating your config a bit is a good investment. Let's make our delivery a bit more secure, a small step at a time.

I develop software for a living. Then I go home and I continue reading about software, because I just cannot get enough. Nowadays I work for ThoughtWorks.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store