
Configure signed commits

Git commit verification with SSH is a method of signing Git commits using SSH keys, which helps prove that a commit was created by the legitimate holder of a specific SSH key. Git added support for SSH signing starting from version 2.34, allowing developers to sign commits similarly to how they might use GPG keys. Here’s how you can set up and use SSH-based commit verification.

1. Check Git Version

Ensure that your Git version is 2.34 or later:

git --version

If you have an older version, update Git to use SSH signing.

2. Generate or Use an Existing SSH Key

If you don't have an SSH key, you can generate a new one:

ssh-keygen -t ed25519 -C "your_email@example.com"

You can also use an existing SSH key, especially if it’s associated with your GitHub/GitLab account, as they support SSH signing natively.

3. Add Your SSH Key to the SSH Agent

Make sure your SSH agent is running and add your key to it:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

Replace id_ed25519 with your specific key name if different.

4. Configure Git to Use SSH Signing

To enable SSH signing for your commits, configure Git to use your SSH key for signing. Add these lines to your Git configuration:

git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global gpg.format ssh

  • The user.signingkey setting should point to your public SSH key (~/.ssh/id_ed25519.pub).
  • The gpg.format ssh setting tells Git to use SSH, rather than GPG, for signing and verifying commits.

5. Sign a Commit with Your SSH Key

To sign a commit, use the -S option:

git commit -S -m "Your commit message"

You can make SSH signing the default for all commits by setting the following configuration:

git config --global commit.gpgSign true

Now, all your commits will be signed automatically.

6. Verifying SSH-Signed Commits

To verify SSH-signed commits, use:

git log --show-signature

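Git will indicate whether a commit has been signed and if the signature is valid. For SSH signatures, local verification also requires the gpg.ssh.allowedSignersFile setting to point at a file that lists the trusted signers and their public keys; without it, Git cannot validate the signature.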

7. Adding the SSH Key to GitHub/GitLab for Verification

If you push to GitHub, GitLab, or similar services, you may need to add your public SSH key to their platform for them to verify your commits.

For GitHub:

  1. Go to Settings > SSH and GPG keys > New SSH key.
  2. Select Signing Key.
  3. Paste your public SSH key (e.g., ~/.ssh/id_ed25519.pub) into the provided field.

The contents of the file should look something like:

ssh-ed25519 AAAAC3... rest of the key ... user@example.com

With this setup, GitHub or GitLab will recognize commits signed with that SSH key and display a "Verified" badge on the commits.

8. Make a New Commit and Verify

  1. Make a new commit.
  2. Push it to GitHub.

You should now see that the commit is marked as “Verified”.
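
The local part of the procedure above (steps 2 to 6), run end to end in a throwaway repository. This is an added example, not part of the original page: the key, identity and paths are constructed, and it points user.signingkey at the private key file so that it works without an SSH agent.

```shell
#!/usr/bin/env bash
# Added example: sign a commit with an SSH key and verify it locally.
# The key, identity and paths are constructed for the demo.

# Prints Git's %G? status for the signed commit: "G" means a good signature
# from a key listed in the allowed signers file.
sign_and_verify() (
  work=$(mktemp -d) || exit 1
  key="$work/demo_key"
  signer="dev@example.com"   # constructed identity

  # Throwaway key without a passphrase; protect a real signing key.
  ssh-keygen -q -t ed25519 -N "" -C "$signer" -f "$key" || exit 1

  git init -q "$work/repo" || exit 1
  cd "$work/repo" || exit 1
  git config user.name "Demo Dev"
  git config user.email "$signer"
  git config gpg.format ssh
  # Assumption: the private key path is used so no ssh-agent is needed here;
  # the page's setup uses the .pub path with the key loaded in the agent.
  git config user.signingkey "$key"
  git config commit.gpgSign true

  # Trust list for local verification: principal, namespace, public key.
  printf '%s namespaces="git" %s\n' "$signer" "$(cat "$key.pub")" \
    > "$work/allowed_signers"
  git config gpg.ssh.allowedSignersFile "$work/allowed_signers"

  echo "hello" > file.txt
  git add file.txt
  git commit -q -m "Signed demo commit" || exit 1

  # %G? is the one-letter signature status of the commit.
  status=$(git log -1 --format='%G?')
  cd / && rm -rf "$work"
  printf '%s\n' "$status"
)
```

Calling sign_and_verify prints the signature status of the demo commit. The allowed signers file is what lets Git tie the signature to a trusted identity locally, which is the role the uploaded signing key plays on GitHub.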