Signing git commits with SSH keys
Git commit signing is a great way to prove the authenticity of your commits. While GPG has long been the standard, SSH signing is a newer and simpler alternative that uses the SSH keys you may already use for authentication. In this guide, we’ll walk through setting up SSH signing for Git on your local machine.
Why Sign Git Commits?
Signed commits ensure that:
- The commit was made by you.
- The commit hasn’t been tampered with.
- Other collaborators can verify your identity.
This is especially important in open-source projects or collaborative teams where trust and traceability matter.
Prerequisites
- Git 2.34+ (run git --version to check)
- An existing SSH key pair (or create one):
ssh-keygen -t ed25519 -C "your_email@example.com"
1. Find Your SSH Public Key
First, locate your SSH public key (usually in ~/.ssh):
cat ~/.ssh/id_ed25519.pub
You’ll need this for the next step.
2. Add the SSH Key to Git as a Signing Key
Tell Git to use your SSH key for signing:
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
Replace ~/.ssh/id_ed25519.pub with the path to your actual SSH public key if different.
3. Enable Commit Signing
You can configure Git to sign all commits by default:
git config --global commit.gpgsign true
Or enable it per repository:
git config commit.gpgsign true
4. Make a Signed Commit
Create a test commit to verify everything works:
echo "test" > test.txt
git add test.txt
git commit -S -m "Test commit with SSH signing"
The -S flag tells Git to sign the commit.
5. Verify the Signature
You can verify a commit with:
git log --show-signature
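Git checks SSH signatures against an allowed signers file (the gpg.ssh.allowedSignersFile setting). Once that file lists your key, you should see something like:
Good "git" signature for your_email@example.com with ED25519 key SHA256:...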
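The verification step as an added example (not part of the original guide): this shell function signs a commit in a throwaway repository and runs git verify-commit before and after setting gpg.ssh.allowedSignersFile. The identity dev@example.com, the temporary paths and the helper names g and check are constructed for the demo.

```shell
# Added example: sign a commit in a throwaway repository, then verify it
# before and after configuring an allowed signers file.
# dev@example.com and every path below are constructed for this demo.
demo_ssh_signing() (
    set -e
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    # Ignore the caller's Git config and ssh-agent so the result is reproducible.
    export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1
    unset SSH_AUTH_SOCK
    email="dev@example.com"
    g() { git -C "$work/repo" "$@"; }
    check() { if g verify-commit HEAD >/dev/null 2>&1; then echo accepted; else echo rejected; fi; }

    # Demo key without a passphrase; a real signing key should have one.
    ssh-keygen -q -t ed25519 -N "" -C "$email" -f "$work/id_ed25519"
    git init -q "$work/repo"
    g config user.name "Example Dev"
    g config user.email "$email"
    g config gpg.format ssh
    # Private key path: no ssh-agent needed. The guide's .pub path relies on the
    # private key sitting beside it or being loaded in ssh-agent.
    g config user.signingkey "$work/id_ed25519"
    echo "test" > "$work/repo/test.txt"
    g add test.txt
    g commit -q -S -m "Test commit with SSH signing"

    # 1) No allowed signers file yet: Git has nothing to check the key against.
    before=$(check)

    # 2) Map the identity to the public key, limited to the "git" namespace.
    printf '%s namespaces="git" %s\n' "$email" \
        "$(cut -d' ' -f1,2 "$work/id_ed25519.pub")" > "$work/allowed_signers"
    g config gpg.ssh.allowedSignersFile "$work/allowed_signers"
    after=$(check)

    # 3) An unsigned commit on top still fails verification.
    g commit -q --no-gpg-sign --allow-empty -m "Unsigned commit"
    unsigned=$(check)

    echo "$before $after $unsigned"   # rejected accepted rejected
)
```

On a real machine the allowed signers file would live somewhere stable, such as under ~/.ssh, and list one line per trusted collaborator.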
Troubleshooting Tips
- If signing fails, double-check the key path.
- Ensure your Git version supports SSH signing (2.34+).
- Make sure your SSH key has the correct permissions (chmod 600 ~/.ssh/id_ed25519).
- GitHub will only show the “Verified” badge if your signing key is added to your profile.
You’re Signed and Secure!
That’s it! Your commits are now cryptographically signed using your SSH key, offering both security and simplicity.