Note: GitHub Desktop only supports commit signing if your Git client is configured to sign commits by default.
To configure your Git client to sign commits by default for a local repository, in Git versions 2.0.0 and above, run
git config commit.gpgsign true. To sign all commits by default in any local repository on your computer, run
git config --global commit.gpgsign true.
To store your GPG key passphrase so you don't have to enter it every time you sign a commit, we recommend using the following tools:
- For Mac users, the GPG Suite allows you to store your GPG key passphrase in the Mac OS Keychain.
- For Windows users, the Gpg4win integrates with other Windows tools.
You can also manually configure gpg-agent to save your GPG key passphrase, but this doesn't integrate with Mac OS Keychain like ssh-agent and requires more setup.
If you have multiple keys or are attempting to sign commits or tags with a key that doesn't match your committer identity, you should tell Git about your signing key.
- When committing changes in your local branch, add the -S flag to the git commit command:
$ git commit -S -m "YOUR_COMMIT_MESSAGE" # Creates a signed commit
- If you're using GPG, after you create your commit, provide the passphrase you set up when you generated your GPG key.
- When you've finished creating commits locally, push them to your remote repository on GitHub:
$ git push # Pushes your local commits to the remote repository
- On GitHub, navigate to your pull request.
- On the pull request, click Commits.
- To view more detailed information about the verified signature, click Verified.