Skip to content
Latchkey

git verify-commit: Usage, Options & Common CI Errors

git verify-commit checks whether a commit carries a valid, trusted signature.

Pipelines that require signed commits use verify-commit as the gate. Its exit code is the contract: zero means a good signature, non-zero means missing, bad, or untrusted.

What it does

git verify-commit checks the cryptographic signature attached to a commit against your configured GPG or SSH keyring and reports validity, exiting non-zero if the signature is absent or cannot be trusted.

Common usage

Terminal
git verify-commit HEAD
git verify-commit -v <sha>
git verify-commit --raw <sha>
git log --show-signature -1

Options

FlagWhat it does
-v / --verbosePrint the commit and signature details
--rawMachine-readable GPG status lines
<commit>The commit to verify

Common errors in CI

error: <sha>: no signature found exits non-zero - the commit is simply unsigned. "gpg: Can’t check signature: No public key" means the signer’s key is not imported on the runner; import the allowed keys first. Trust matters: a valid signature from an unknown key still fails the gate.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →