Skip to content
Latchkey

What Is a Signed Commit?

A signed commit carries a cryptographic signature proving it really came from the claimed author and has not been altered.

A signed commit adds a layer of trust to Git history. Because anyone can set any name and email on a commit, the author field alone proves nothing. A cryptographic signature, using a GPG, SSH, or other key, lets others verify that a commit genuinely came from you.

Why signing matters

Git lets you set arbitrary author details, so a commit attributed to someone may not be theirs. Signing closes this gap: the signature is tied to a key only the real author controls, so a verified signature is strong evidence of authenticity and that the commit was not tampered with.

Creating a signed commit

With a signing key configured, you sign a commit and others can verify it.

Signing and verifying a commit
git commit -S -m "Add billing webhook handler"
git log --show-signature -1

How verification works

The signature is checked against the author's public key. Hosting platforms display a verified badge when a commit's signature matches a key the author has registered. You can configure your tooling to sign automatically so every commit you make is trustworthy by default.

Signed commits in CI/CD

In supply-chain-conscious pipelines, CI can require that commits and tags be signed and reject unsigned ones, ensuring only verified code is built and released. Combined with signed release tags, this gives a provable chain of custody from author to shipped artifact, a growing expectation for secure software delivery.

Signing best practices

  • Configure a signing key and enable automatic signing.
  • Register your public key with your hosting platform.
  • Sign release tags as well as commits for full provenance.
  • Enforce signature checks in CI for sensitive repositories.

Key takeaways

  • A signed commit cryptographically proves its author and integrity.
  • Verification checks the signature against the author's public key.
  • CI can require signed commits and tags for supply-chain security.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →