Sign your Github commits using GPG key

To ensure that your commits are authentic and were made by you and not by someone else, you need to sign them. One way to do this is with a GPG key.


  1. Install the gpg tool on your operating system (for Arch users it's simply sudo pacman -S gnupg; for others, you know what to do)
  2. Run gpg --full-generate-key. It will interactively ask you some questions:
  3. Choose the RSA algorithm
  4. Choose a key size of 4096
  5. Choose 0 (the key-doesn't-expire option, or whatever you find suitable)
  6. Enter your name
  7. Enter your email
  8. Skip the comment section or write whatever you want. The resulting user ID will look like this: name (comment) <email>
  9. Type o for (O)kay to continue
  10. Enter a passphrase and make sure you will remember it.
  11. Run gpg --list-secret-keys --keyid-format=long
  12. Run gpg --armor --export YOUR_KEY_ID
    • YOUR_KEY_ID is the hash after sec in the output of the previous command (for example sec 4096R/234FAA343232333 => the key id is 234FAA343232333)
  13. Copy the output (the ASCII-armored public key) and add it to your GitHub account (Settings > SSH and GPG keys > New GPG Key) or just follow this link:
  14. On the same SSH and GPG keys page, check the box Flag unsigned commits as unverified so that all your commits will appear as either verified or unverified, as shown in the picture.
  15. Now, to sign your commits, add the -S flag to your git commit command, e.g. git commit -S -m "Hello world!"
  16. To avoid adding -S to every commit command, make signing the default behavior by running git config --global commit.gpgsign true
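The whole procedure (steps 2 to 16) as one script. This is an added example and not part of the original post: it answers the gpg prompts unattended through gpg's batch parameter format instead of the interactive dialog, extracts the long key id from the gpg --list-secret-keys output the way step 12 describes, and pins the key in git with user.signingkey, a setting the post does not mention that keeps git from picking a different key that happens to match your email. The sample key listing, the key ids and the example.com address are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Automates key generation,
# key-id extraction and git configuration from the steps above.
# The full run needs gpg (GnuPG 2.1+) and git; the helper functions
# themselves run without either.
set -eu

# Constructed sample of `gpg --list-secret-keys --keyid-format=long` output.
# The fingerprint, key ids and address are made up for this example.
SAMPLE_LISTING='/home/user/.gnupg/pubring.kbx
------------------------------
sec   rsa4096/3AA5C34371567BD2 2021-08-07 [SC]
      4AA1F0B2C1D3E4F5A6B7C8D93AA5C34371567BD2
uid                 [ultimate] Example Name (work laptop) <dev@example.com>
ssb   rsa4096/42B317FD4BA89E7A 2021-08-07 [E]'

# key_id_from_listing: read a key listing on stdin and print the long id of
# the first secret (sec) key, i.e. the part after the slash. Works for both
# the modern "rsa4096/<id>" form and the older "4096R/<id>" form quoted in
# step 12.
key_id_from_listing() {
  awk '$1 == "sec" { split($2, parts, "/"); print parts[2]; exit }'
}

# gen_key_params: unattended equivalent of the answers given in steps 3-9
# (RSA, 4096 bits, never expires, name, email). No Passphrase line is
# given on purpose, so gpg-agent/pinentry prompts for one (step 10).
gen_key_params() {
  cat <<EOF
%echo Generating a 4096-bit RSA signing key
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%commit
EOF
}

# configure_git_signing: pin the signing key and sign every commit by default
# (step 16, plus user.signingkey so git never guesses the key by email).
configure_git_signing() {
  git config --global user.signingkey "$1"
  git config --global commit.gpgsign true
}

# Full run: generate the key, print the ASCII-armored public key to paste
# into GitHub (step 13), configure git and do a sign/verify round trip.
main() {
  export GPG_TTY="$(tty)"   # same fix as the "gpg failed to sign the data" note
  gen_key_params "$1" "$2" | gpg --batch --generate-key
  key_id="$(gpg --list-secret-keys --keyid-format=long "$2" | key_id_from_listing)"
  echo "Key id: $key_id"
  echo "Paste this block into GitHub > Settings > SSH and GPG keys > New GPG key:"
  gpg --armor --export "$key_id"
  configure_git_signing "$key_id"
  # Round-trip check that does not touch any repository: sign and verify a message.
  echo "signing test" | gpg --local-user "$key_id" --clearsign | gpg --verify
}

# Usage: sh sign-commits.sh "Your Name" "you@example.com"
if [ $# -ge 2 ]; then
  main "$1" "$2"
fi
```

After running it, git log --show-signature -1 on your next commit should print a "Good signature" line from gpg, and GitHub shows the Verified badge once the exported public key is on the account and the committer email matches one of the key's user IDs.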

Done. All future commits made by you will show the verified icon.

Note: it's better to use gpg2 for all of the previous commands, or add an alias so that gpg points to gpg2.


  • If you are getting the error "error: gpg failed to sign the data", you might need to set the environment variable GPG_TTY=$(tty) in your shell profile, e.g.:
    echo 'export GPG_TTY=$(tty)' >> ~/.bash_profile