Skip to main content

Managing commit signature verification

GitHub will verify GPG, SSH, or S/MIME signatures so other people will know that your commits come from a trusted source. GitHub will automatically sign commits you make using the GitHub web interface.

About commit signature verification

Using GPG, SSH, or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can be confident that the changes come from a trusted source.

Displaying verification statuses for all of your commits

You can enable vigilant mode for commit signature verification to mark all of your commits and tags with a signature verification status.

Checking for existing GPG keys

Before you generate a GPG key, you can check to see if you have any existing GPG keys.

Generating a new GPG key

If you don't have an existing GPG key, you can generate a new GPG key to use for signing commits and tags.

Adding a GPG key to your GitHub account

To configure your account on to use your new (or existing) GPG key, you'll also need to add the key to your account.

Telling Git about your signing key

To sign commits locally, you need to inform Git that there's a GPG, SSH, or X.509 key you'd like to use.

Associating an email with your GPG key

Your GPG key must be associated with a GitHub verified email that matches your committer identity.

Signing commits

You can sign commits locally using GPG, SSH, or S/MIME.

Signing tags

You can sign tags locally using GPG, SSH, or S/MIME.