[Git] How to Sign Existing Git Commits with GPG Key

Have you ever wanted to add that extra layer of authenticity to your Git commits by signing them with a GPG key? Maybe you forgot to sign a commit and now you’re stuck thinking, “Do I have to rewrite history for this?” Well, yes — but it’s easier than you think. Let’s dive in and get it done.

Why Sign Commits?

First, a quick refresher: Signing commits with a GPG key proves that the commit really came from you. It’s a great way to verify authenticity, especially for collaborative projects or open-source contributions.

Now, on to the fun part — signing an existing commit.

Step 1: Set Up Your GPG Key (If You Haven’t Already)

Before you can sign anything, you need a GPG key. Here’s the quick rundown:

  1. Generate a key:
gpg --full-generate-key

Follow the prompts to create your key. Choose RSA and RSA, set the key size to 4096, and pick an expiration date that works for you.

  1. List your keys to grab the ID:
gpg --list-secret-keys --keyid-format=long

You’ll see something like this:

sec   rsa4096/ABC123456789DEF0 2024-11-26 [SC]

The ABC123456789DEF0 part is your GPG key ID.

  1. Tell Git to use this key:
git config --global user.signingkey ABC123456789DEF0
  1. Commit with signing:

When you make a commit, use the -S flag to sign it:

git commit -S -m "Your commit message here"

This will sign the commit with your configured GPG key.

  1. (Optional) Enable auto-signing for all commits:
git config --global commit.gpgsign true

Step 2: Sign all commits in a Pull Request

Now if the commit you want to sign is part of a pull request (PR) and it’s an earlier commit, you can still use interactive rebase to sign it. However, you’ll need to be cautious, especially if others are working on this branch, as rewriting history can affect shared branches. Assuming it’s safe to proceed, here’s how you can do it:

  1. Ensure your branch is up to date:

Run git fetch origin to ensure your local branch is up to date with the remote.

  1. Start an interactive rebase:

Determine how far back the commit is in your branch using git log –oneline, then start an interactive rebase:

git rebase -i HEAD~n

Replace n with the number of commits back to the commit you want to sign.

  1. Edit the commit:

In the editor that opens, locate the commit you want to sign and change pick to edit.

  1. Sign and amend the commit:

When the rebase pauses, sign the commit using:

git commit --amend --no-edit -S
  1. Continue the rebase:

After signing the commit, run:

git rebase --continue
  1. Force push the changes:

Since this involves rewriting history, you’ll need to force push your branch to the remote PR branch:

git push origin <your-branch-name> --force

Step 3: Verify Your Signed Commit

To double-check that everything worked:

  1. View the commit signature in the log:
git log --show-signature

You should see something like:

gpg: Signature made Tue Nov 26 12:00:00 2024 UTC
gpg:                using RSA key ABC123456789DEF0
gpg: Good signature from "Your Name <you@example.com>"
  1. If the commit isn’t signed, go back and make sure your GPG key is properly configured in Git.

Wrapping Up

And that’s it! Signing Git commits with GPG keys is a small step that can make a big difference in ensuring code authenticity. Whether it’s for personal projects, team workflows, or open-source contributions, it’s a good practice to adopt.


If this post helped you to solve a problem or provided you with new insights, please upvote it and share your experience in the comments below. Your comments can help others who may be facing similar challenges. Thank you!
Buy Me A Coffee
DigitalOcean Referral Badge
Sign up to get $200, 60-day account credit !