
Signing commits

Chuck Bridgham edited this page Oct 23, 2025 · 17 revisions

Very soon we'll be enforcing signed commits (for both GitHub and GitHub Enterprise). Many have set this up already.

How do I know if I'm already set up?

  1. Look for a commit you made and pushed from your local machine in the GitHub UI. It will show "Verified". If you see this, you are done, thanks for your time!
(Screenshot: a verified signed commit in GitHub)
  2. Not sure? Run git config --list and look for these properties, especially these keys:

    • user.name=Chuck Bridgham # Full Name
    • user.email=[email protected] # Use your IBM email
    • user.signingkey=/Users/chuckbridgham/.ssh/id_ed25519.pub # Key being used
    • gpg.format=ssh # The format of the key - if already using gpg style key, skip adding this
    • commit.gpgsign=true # Will always sign all commits automatically

OK, I'm not set up. What now?

SSH key signing

Using an SSH key is the simplest setup for commit signing. You can also use GPG keys, but the setup is much more involved.

Users who aren't set up won't have a Signing Keys section in their account settings. They'll need to add one by clicking New SSH Key and choosing Signing Key from the Key type dropdown on the Add SSH Key panel. Afterwards there should be a key listed under "Signing key". If the key already in place was created using a non-IBM email, create a new key and upload it again.

(Screenshot: existing SSH keys in account settings)

If you need to create a new SSH key, run this command, specifying your IBM email:

`ssh-keygen -t ed25519 -C "[email protected]"`  

Then add the key under "Signing key" in account settings (see the picture above).

Run these commands:

  • Set the format to SSH

    git config --global gpg.format ssh

  • Identify which key to use (you can reuse the key you already use for SSH authentication)

    git config --global user.signingkey ~/.ssh/id_ed25519.pub

  • Sign all commits by default

    git config --global commit.gpgsign true

Optional: What if I want to sign previous commits? After doing the setup you can use the "-S" flag, which GPG-signs the commit.

  • git commit -S --amend # to amend previous commit
  • git rebase -S HEAD~2 # sign last two commits

Optional: To verify your signed commits in git log (git log --show-signature) you need to create an "allowed_signers" file that lists the email / public key.
Example "allowed_signers" contents:

    [email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAmaTS47vRmsKyLyK1jlIFJn/i8wdGQ3J49LYyIYJ2hv

Then add this property pointing git to this file:

    git config --global gpg.ssh.allowedSignersFile "$(pwd)/allowed_signers"
