What Is a Signed Commit?
A signed commit carries a cryptographic signature proving it really came from the claimed author and has not been altered.
A signed commit adds a layer of trust to Git history. Because anyone can set any name and email on a commit, the author field alone proves nothing. A cryptographic signature, using a GPG, SSH, or other key, lets others verify that a commit genuinely came from you.
Why signing matters
Git lets you set arbitrary author details, so a commit attributed to someone may not be theirs. Signing closes this gap: the signature is tied to a key only the real author controls, so a verified signature is strong evidence of authenticity and that the commit was not tampered with.
Creating a signed commit
With a signing key configured, you sign a commit and others can verify it.
git commit -S -m "Add billing webhook handler"
git log --show-signature -1How verification works
The signature is checked against the author's public key. Hosting platforms display a verified badge when a commit's signature matches a key the author has registered. You can configure your tooling to sign automatically so every commit you make is trustworthy by default.
Signed commits in CI/CD
In supply-chain-conscious pipelines, CI can require that commits and tags be signed and reject unsigned ones, ensuring only verified code is built and released. Combined with signed release tags, this gives a provable chain of custody from author to shipped artifact, a growing expectation for secure software delivery.
Signing best practices
- Configure a signing key and enable automatic signing.
- Register your public key with your hosting platform.
- Sign release tags as well as commits for full provenance.
- Enforce signature checks in CI for sensitive repositories.
Key takeaways
- A signed commit cryptographically proves its author and integrity.
- Verification checks the signature against the author's public key.
- CI can require signed commits and tags for supply-chain security.