Signing commits
You can sign commits locally using GPG or S/MIME.
Note: GitHub Desktop does not support commit signing.
Tips:
To configure your Git client to sign commits by default for a local repository, in Git versions 2.0.0 and above, run git config commit.gpgsign true
. To sign all commits by default in any local repository on your computer, run git config --global commit.gpgsign true
.
To store your GPG key passphrase so you don't have to enter it every time you sign a commit, we recommend using the following tools:
- For Mac users, the GPG Suite allows you to store your GPG key passphrase in the Mac OS Keychain.
- For Windows users, the Gpg4win integrates with other Windows tools.
You can also manually configure gpg-agent to save your GPG key passphrase, but this doesn't integrate with Mac OS Keychain like ssh-agent and requires more setup.
If you have multiple keys or are attempting to sign commits or tags with a key that doesn't match your committer identity, you should tell Git about your signing key.
-
When committing changes in your local branch, add the -S flag to the git commit command:
$ git commit -S -m your commit message # Creates a signed commit
-
If you're using GPG, after you create your commit, provide the passphrase you set up when you generated your GPG key.
-
When you've finished creating commits locally, push them to your remote repository on GitHub Enterprise:
$ git push # Pushes your local commits to the remote repository
-
On GitHub Enterprise, navigate to your pull request.
-
On the pull request, click Commits.
-
To view more detailed information about the verified signature, click Verified.