Signing GitHub Commits with a GPG Key

Why you should sign your GitHub Commits with a GPG Key and how to set it up

By Stephan Schulze

Did you know that you can easily sign your GitHub commits with a GPG key?

Simply add the parameter -S to your git command:

git commit -S -m your message

The result will look like this:

List of verified commits inside a pull request
List of commits inside a pull request
The popup that appears when clicking the Verified button
Popup when clicking on the “Verified” button

Now, you might ask yourself: Why should I care about signing my GitHub commits? GitHub allows setting up the name and e-mail address of a commit’s author by configuration. This means that anyone could potentially use your e-mail address to commit changes to a repository. Signing your commits with a GPG key will verify you as the genuine author and thereby prevent abuse of your e-mail address and accordingly your identity.

Click here for a more detailed explanation of how to add a GPG key to your GitHub account.