Signing a commit is like putting your personal signature on your work. It proves that you really made the change, and helps others trust your code. On platforms like GitHub or GitLab, signed commits often get a Verified badge.
GPG (GNU Privacy Guard) is a tool that lets you create a digital key, kind of like a secret password, to sign things. Git uses GPG keys to sign commits and tags. This helps prove your identity and ensures your code hasn't been tampered with.
- To prove your commits really came from you
- To help others trust your code (especially in open source projects)
- Some companies or projects require signed commits for security
- If you don't sign, your commits are still valid, just not verified
(if you don't have one):
Example: Generate a New GPG Key
gpg --full-generate-key
Follow the prompts to create your key.
Example: List GPG Keys
gpg --list-secret-keys --keyid-format=long
Look for a line like sec rsa4096/1234ABCD5678EFGH. The part after the slash is your key ID.
Tell Git to use your key:
Example: Set Signing Key
git config --global user.signingkey <your-key-id>
To sign a commit, use:
git commit -S -m "message"
To sign a tag, use:
git tag -s v1.0 -m "version 1.0"
If you want Git to sign every commit by default, run:
git config --global commit.gpgSign true
How to Check if a Commit is Signed
To check in Git, run:
git log --show-signature
On GitHub or GitLab, look for a Verified badge next to your commit or tag.
Example: Signed Commit in Git Log
commit 1234abcd5678efgh
gpg: Signature made ...
gpg: Good signature from "Your Name <you@email.com>"
Author: Your Name <you@email.com>
Date: ...
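A way to run the same check over many commits at once, as an added example that is not part of the original tutorial: it reads Git's `%G?` signature status letter for each commit and lists every commit that is unsigned or whose signature is not fully good. The function names, the sample lines, the commit range in the usage comment and the choice to flag status U are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. Input lines look like the output
# of: git log --format='%H %G? %an'   (%G? is Git's signature status letter)

# classify STATUS: print "ok" or the reason the commit needs a second look.
classify() {
    case "$1" in
        G) echo "ok" ;;   # good signature from a key GPG considers valid
        U) echo "good signature, key validity unknown" ;;  # flagged: example policy
        N) echo "not signed" ;;
        B) echo "BAD signature" ;;
        E) echo "cannot be checked (public key missing?)" ;;
        X) echo "signature has expired" ;;
        Y) echo "signed with an expired key" ;;
        R) echo "signed with a revoked key" ;;
        *) echo "unrecognized status '$1'" ;;
    esac
}

# audit_signatures: read "<hash> <status> <author>" lines on stdin, print one
# line per commit that is not "ok", and return 1 if any such commit was seen.
audit_signatures() {
    failures=0
    while read -r hash status author; do
        [ -n "$hash" ] || continue
        verdict=$(classify "$status")
        if [ "$verdict" != "ok" ]; then
            printf '%s %s: %s\n' "$hash" "$author" "$verdict"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample input; hashes and names are made up for illustration.
sample_log() {
    printf '%s\n' \
        '1111111 G Your Name' \
        '2222222 N Your Name' \
        '3333333 B Someone Else' \
        '4444444 U Your Name'
}

# In a real repository (the range shown is an assumed example):
#   git log --format='%H %G? %an' origin/main..HEAD | audit_signatures
sample_log | audit_signatures || echo "some commits need review"
```

The non-zero return value makes the function usable as a gate in a pre-push hook or CI step.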
GPG failed to sign the data: Make sure your GPG agent is running and your key is loaded.
Double-check the key ID you set in Git.
Try searching for the error message online or check your Git and GPG installation.
Signed commits and tags help ensure your code hasn't been tampered with and confirm your identity as the author.
Some platforms may require additional setup to recognize your signature (for example, uploading your public key to GitHub or GitLab).