Loading lesson path

Git•Git Advanced

Git Signing

Flash cards

Review the key moves

1/4

Core idea

What is the main idea behind Git Signing?

Lesson checks

Practice each idea before moving on

Short Mimo-style checks built from this lesson's code, terms, and sequence.

1Quick choice

Which statement best captures the main point of this lesson?

2Fill blank

Complete the missing token from the example code.

___ --full-generate-key

3Order

Put the learning moves in the order that makes the concept easiest to apply.

How to Sign Commits and Tags

How to Set Up Commit Signing

Why and When Should You Sign Commits?

What is Commit Signing?

Signing a commit is like putting your personal signature on your work.

It proves that you really made the change, and helps others trust your code.

On platforms like GitHub or GitLab, signed commits often get a Verified badge.

What is GPG?

GPG (GNU Privacy Guard) is a tool that lets you create a digital key, kind of like a secret password, to sign things.

Git uses GPG keys to sign commits and tags.

This helps prove your identity and ensures your code hasn't been tampered with.

Why and When Should You Sign Commits?

To prove your commits really came from you
To help others trust your code (especially in open source projects)
Some companies or projects require signed commits for security
If you don't sign, your commits are still valid, just not verified

How to Set Up Commit Signing

Create a GPG key (if you don't have one):

Example: Generate a New GPG Key

gpg --full-generate-key

Follow the prompts to create your key.

Example: List GPG Keys

gpg --list-secret-keys --keyid-format=long

Look for a line like sec rsa4096/1234ABCD5678EFGH . The part after the slash is your key ID.

Example: Set Signing Key

git config --global user.signingkey <your-key-id>

How to Sign Commits and Tags

To sign a commit, use:

git commit -S -m "message"

To sign a tag, use:

git tag -s v1.0 -m "version 1.0"

Sign All Commits Automatically

If you want Git to sign every commit by default, run:

git config --global commit.gpgSign true

How to Check if a Commit is Signed

To check in Git, run:

git log --show-signature

On GitHub or GitLab, look for a Verified badge next to your commit or tag.

Example: Signed Commit in Git Log

commit 1234abcd5678efgh
gpg: Signature made ...
gpg: Good signature from "Your Name <you@email.com>"
Author: Your Name <you@email.com>
Date: ...

Troubleshooting Signed Commits

GPG failed to sign the data: Make sure your GPG agent is running and your key is loaded.
Wrong key used: Double-check the key ID you set in Git.
Still stuck? Try searching for the error message online or check your Git and GPG installation.

Note

Signed commits and tags help ensure your code hasn't been tampered with and confirm your identity as the author.

Some platforms may require additional setup to recognize your signature (for example, uploading your public key to GitHub or GitLab).

Git LFS

Git Cherry-pick & Patch

Loading lesson path

Git•Git Advanced

Git Signing

Flash cards

Review the key moves

1/4

Core idea

What is the main idea behind Git Signing?

Lesson checks

Practice each idea before moving on

Short Mimo-style checks built from this lesson's code, terms, and sequence.

1Quick choice

Which statement best captures the main point of this lesson?

2Fill blank

Complete the missing token from the example code.

___ --full-generate-key

3Order

Put the learning moves in the order that makes the concept easiest to apply.

How to Sign Commits and Tags

How to Set Up Commit Signing

Why and When Should You Sign Commits?

What is Commit Signing?

Signing a commit is like putting your personal signature on your work.

It proves that you really made the change, and helps others trust your code.

On platforms like GitHub or GitLab, signed commits often get a Verified badge.

What is GPG?

GPG (GNU Privacy Guard) is a tool that lets you create a digital key, kind of like a secret password, to sign things.

Git uses GPG keys to sign commits and tags.

This helps prove your identity and ensures your code hasn't been tampered with.

Why and When Should You Sign Commits?

To prove your commits really came from you
To help others trust your code (especially in open source projects)
Some companies or projects require signed commits for security
If you don't sign, your commits are still valid, just not verified

How to Set Up Commit Signing

Create a GPG key (if you don't have one):

Example: Generate a New GPG Key

gpg --full-generate-key

Follow the prompts to create your key.

Example: List GPG Keys

gpg --list-secret-keys --keyid-format=long

Look for a line like sec rsa4096/1234ABCD5678EFGH . The part after the slash is your key ID.

Example: Set Signing Key

git config --global user.signingkey <your-key-id>

How to Sign Commits and Tags

To sign a commit, use:

git commit -S -m "message"

To sign a tag, use:

git tag -s v1.0 -m "version 1.0"

Sign All Commits Automatically

If you want Git to sign every commit by default, run:

git config --global commit.gpgSign true

How to Check if a Commit is Signed

To check in Git, run:

git log --show-signature

On GitHub or GitLab, look for a Verified badge next to your commit or tag.

Example: Signed Commit in Git Log

commit 1234abcd5678efgh
gpg: Signature made ...
gpg: Good signature from "Your Name <you@email.com>"
Author: Your Name <you@email.com>
Date: ...

Troubleshooting Signed Commits

GPG failed to sign the data: Make sure your GPG agent is running and your key is loaded.
Wrong key used: Double-check the key ID you set in Git.
Still stuck? Try searching for the error message online or check your Git and GPG installation.

Note

Signed commits and tags help ensure your code hasn't been tampered with and confirm your identity as the author.

Some platforms may require additional setup to recognize your signature (for example, uploading your public key to GitHub or GitLab).

Git LFS

Git Cherry-pick & Patch