git verify-commit: Usage, Options & Common CI Errors
git verify-commit checks whether a commit carries a valid, trusted signature.
Pipelines that require signed commits use verify-commit as the gate. Its exit code is the contract: zero means a good signature, non-zero means missing, bad, or untrusted.
What it does
git verify-commit checks the cryptographic signature attached to a commit against your configured GPG or SSH keyring and reports validity, exiting non-zero if the signature is absent or cannot be trusted.
Common usage
git verify-commit HEAD
git verify-commit -v <sha>
git verify-commit --raw <sha>
git log --show-signature -1Options
| Flag | What it does |
|---|---|
| -v / --verbose | Print the commit and signature details |
| --raw | Machine-readable GPG status lines |
| <commit> | The commit to verify |
Common errors in CI
error: <sha>: no signature found exits non-zero - the commit is simply unsigned. "gpg: Can’t check signature: No public key" means the signer’s key is not imported on the runner; import the allowed keys first. Trust matters: a valid signature from an unknown key still fails the gate.