Signing your git commits using your gpg key

Oct 4, 2017 using tags git, gpg

If you need to sign your git commits with your gpg key, hardware security keys such as Yubikey make this much easier to deal with.

If you haven’t already set it up, you might need to set your global git GPG ID using:

$ git config --global user.signingkey AABBCCDD

To find your own GPG ID: (e.g. my GPG ID is 52654E6EB0BB564B)

$ gpg --list-keys
pub   4096R/52654E6EB0BB564B 2016-12-13
uid                          Marvin Pinto <>
uid                          Marvin Pinto (git) <>
sub   2048R/E6217759DCE2D478 2016-12-13 [expires: 2017-12-13]
sub   2048R/26515E9EF2D0033C 2016-12-13 [expires: 2017-12-13]
sub   2048R/F705991D14C837D5 2016-12-13 [expires: 2017-12-13]

To gpg-sign and commit your changes at the same time:

$ git commit -v -S -s

This will also automatically add a Signed-off-by: Your Name <> line to your commit message.

To gpg-sign the most recent commit without editing:

$ git commit --amend --no-edit -S -s

To view which commits are signed in a commit tree:

$ git log --graph --pretty=format:"%C(yellow)%h %Creset%C(cyan)%G?%Creset %C(green)%ae%Creset %<(80,trunc)%s"
* 2533f82 G Example of a signed commit
* b96235a N Unsigned commit
* 8655782 N Unsigned commit

Starting from the most recent, non-interactively sign all the commits up to and including SHA:

$ git rebase --exec 'git commit --amend --no-edit -S -s' SHA

This is useful because it allows you to go back and sign all the commits on your working branch. Using the git alias I setup as an example, git signall my-dev-branch would gpg-sign each and every commit on the my-dev-branch branch.

Browse through my global gitconfig aliases for more ideas on optimizing your git workflow!