← Back to Chapters

Git Signing Commits & Tags

? Git Signing Commits & Tags

? Quick Overview

Git allows you to sign commits and tags using cryptographic keys (GPG or SSH) to verify authorship and integrity. Signed commits help ensure that changes come from trusted sources and have not been tampered with.

? Key Concepts

  • Cryptographic signatures verify commit authenticity
  • GPG and SSH keys are supported
  • Signed commits build trust and auditability
  • Verification is possible at any time

? Syntax & Theory

When a commit or tag is signed, Git embeds a cryptographic signature generated using your private key. Others can verify this signature using your public key to confirm the author and integrity of the change.

? Code Examples

? Generate GPG Key 
# Generates a new GPG key for signing commits
gpg --full-generate-key
? Configure Git to Use GPG 
# Sets the default GPG key for Git signing
git config --global user.signingkey ABC123DEF4567890
? Sign a Commit 
# Creates a signed commit
git commit --gpg-sign
? Sign a Tag 
# Creates a signed Git tag
git tag -s v1.0.0 -m "Release version 1.0.0"

? Live Output / Explanation

Verification Result

Git will display a Good signature message along with the signer’s identity if the commit or tag is valid.

? Interactive Concept

Think of commit signing like digitally signing a legal document — anyone can read it, but only you can prove you signed it.

? Use Cases

  • Open-source contributions
  • Enterprise code auditing
  • Security-sensitive repositories
  • Compliance-driven projects

✅ Tips & Best Practices

  • Always sign commits in shared repositories
  • Back up your private keys securely
  • Verify commits before merging

? Try It Yourself

  • Generate a GPG key and configure Git
  • Create signed commits and tags
  • Verify commit signatures using Git log