
You must sign every code change, in the form of a Git commit, using a GPG key. 

How to sign Git commits

Install gpg (or gpg2)

If you have a package manager such as brew or yum, you can just do:


sudo yum install gpg
brew install gpg

That should be it. Otherwise, download it from here:  Scroll down to “binary releases”; Mac users select “GnuPG for OSX”; Windows users select “gpg4win”.  This will install either ‘gpg’ or ‘gpg2’ on your system. Most of the commands that you’ll see online use the old gpg program, so we suggest creating an alias called ‘gpg’ if you got gpg2.

Generate your GPG key

  1. Open in another tab

  2. In your terminal window, type: gpg --gen-key
  3. If you have the old version of gpg (the prompt asks you the type of key you want), follow steps 4 to 7 from the GitHub link above. For those with newer versions of gpg (gpg2), the prompt will just ask for your real name, so do not follow steps 4 to 7 from the page above. Use your GitHub verified email ID.
  4. Follow the rest of the steps from the link above to get your key.

Add your GPG key to your GitHub account

Go to (

  1. Just follow the steps mentioned in the link above; they are fairly straightforward.
  2. After you add the GPG key to GitHub, check whether you see “unverified” next to your key’s email ID. If so, you entered the wrong email ID while generating your key (it must match an email address verified on your GitHub account). Please generate a new key with the correct email address.

Tell Git about your GPG key

  1. Open in another tab
  2. If you installed gpg2 instead of gpg, execute this command from your terminal:

     git config --global gpg.program gpg2

     For some systems such as Windows, you may need to use gpg instead of gpg2:

     git config --global gpg.program gpg

  3. Follow the instructions on the page above.

Publish your newly-created GPG key


gpg2 --list-keys
pub   rsa2048/<GPG public key ID> 2016-05-27 [SC]
uid         [ultimate] user1

gpg2 --keyserver --send-keys <GPG public key ID>
gpg: sending key <GPG public key ID> to hkp://

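Before publishing, it is worth checking that the key you are about to use carries the exact email address GitHub has verified for you, and that gpg does not already mark it revoked or expired; otherwise GitHub shows your commits as “unverified” (see the note under “Add your GPG key to your GitHub account”). The script below is an added example, not part of the original page: it parses the machine-readable listing produced by `gpg --list-keys --with-colons` (the same listing as the human-readable `gpg2 --list-keys` above) and picks the usable key for a given email. The embedded listing is constructed sample data; the key IDs, fingerprints and addresses are placeholders.

```python
"""Find the usable GPG key whose user ID matches your GitHub verified email.

Added example (not the page's own tooling). Parses `gpg --list-keys --with-colons`
output: field 1 is the record type, field 2 the validity ('r' revoked, 'e' expired),
field 5 of a pub record the key ID, field 10 of a uid record the user ID string and
field 10 of an fpr record the fingerprint.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample listing: two keys, the second one revoked. IDs are placeholders.
SAMPLE_LISTING = """\
tru::1:1464307200:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1464307200:::u:::scESC::::::23::0:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
uid:u::::1464307200::0000000000000000000000000000000000000000::User One <user1@example.com>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1464307200::::::e::::::23:
pub:r:2048:1:DEADBEEFDEADBEEF:1400000000:::u:::scESC::::::23::0:
fpr:::::::::FFEEDDCCBBAA99887766554433221100DEADBEEF:
uid:r::::1400000000::1111111111111111111111111111111111111111::Old Key <old@example.com>::::::::::0:
"""

EMAIL_RE = re.compile(r"<([^>]+)>")


@dataclass
class Key:
    key_id: str
    validity: str            # gpg validity code of the primary key
    fingerprint: str = ""
    uids: list = field(default_factory=list)


def parse_listing(text):
    """Build Key objects from pub, fpr and uid records; other records are ignored."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            keys.append(Key(key_id=fields[4], validity=fields[1]))
        elif rec == "fpr" and keys and not keys[-1].fingerprint:
            keys[-1].fingerprint = fields[9]   # first fpr after pub is the primary key's
        elif rec == "uid" and keys:
            keys[-1].uids.append(fields[9])
    return keys


def email_of(uid):
    """Extract the address from 'Name <addr>'; bare addresses are returned as-is."""
    m = EMAIL_RE.search(uid)
    return (m.group(1) if m else uid).strip().lower()


def signing_key_for(keys, github_email):
    """Return the first non-revoked, non-expired key with a uid for github_email, else None."""
    wanted = github_email.strip().lower()
    for key in keys:
        if key.validity in ("r", "e"):
            continue
        if any(email_of(u) == wanted for u in key.uids):
            return key
    return None


def check_keyring(github_email, listing=None):
    """Describe the key to use. With listing=None the real gpg keyring is queried."""
    if listing is None:
        listing = subprocess.run(
            ["gpg", "--list-keys", "--with-colons"],
            capture_output=True, text=True, check=True,
        ).stdout
    key = signing_key_for(parse_listing(listing), github_email)
    if key is None:
        return "no usable key for %s: GitHub would show commits as unverified" % github_email
    return "use key %s (fingerprint %s)" % (key.key_id, key.fingerprint)


if __name__ == "__main__":
    print(check_keyring("user1@example.com", SAMPLE_LISTING))
    print(check_keyring("old@example.com", SAMPLE_LISTING))
```

Run it without the second argument to inspect your real keyring; the key ID it reports is the value to pass to `--send-keys` and to `git config --global user.signingkey`.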
Check Your Key

You can check to see whether the key was sent using the web page at or by doing a "dry run" receive of the key: 

<your machine>:~ <your username>$ gpg2 --keyserver --dry-run --recv-keys ADB9AFED
gpg: requesting key ADB9AFED from hkp server
gpg: key ADB9AFED: "<your name>  <your email>@<your>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1

(Recommended) Set up Automatic Signing

To remove the hassle of always remembering to sign your commits, you can configure Git to sign all your commits automatically as you create them.


git config --global commit.gpgsign true

(Recommended) Be Prepared in Case Key is Compromised

Store GPG key or create and store revocation certificate

If your GPG key is ever compromised, you'll want to revoke that key.  You use your GPG private key to create a revocation certificate.  Since your GPG private key is encrypted, you can keep a backup copy of it together with its passphrase. However, in case you lose your key, we recommend making a revocation certificate before you need it.  The exact procedure for generating a revocation certificate varies depending on what GPG software you are using.  Here's a useful page on creating a revocation certificate.  You can use this command:

gpg2 --output revoke.asc --gen-revoke KEYNAME 

Make a backup of the revocation certificate and store it securely, for example on non-volatile, removable media.

Revoke your key if it is compromised

  1. Generate a revocation certificate or use your pre-generated revocation certificate, and upload that to the keyserver, for example,
  2. Update your user profile on GitHub.
  3. Send an email to

Sign Your Commits

You are all set!  Now you can sign your commits. For the Git commands to sign commits, see

For more information on GPG and Git signatures, see
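Once automatic signing is on, the thing to verify is that the commits you push actually carry a good signature. The script below is an added example, not part of the original page: it runs `git log` with a tab-separated format that includes Git's own signature-status letter (`%G?`) and the signing key (`%GK`), and flags every commit whose status is not `G` (good, trusted). The status letters are Git's: `G` good, `B` bad, `U` good but untrusted key, `X` good but expired, `Y` good but key expired, `R` good but key revoked, `E` cannot be checked (key missing), `N` unsigned. The log text embedded in the block is constructed sample output with placeholder hashes and key IDs.

```python
"""Flag commits that are unsigned or whose signature does not verify.

Added example (not the page's own tooling). Uses the output of
`git log --format=%H%x09%G?%x09%GK%x09%an`, i.e. commit hash, Git's
signature status letter, signing key ID and author, separated by tabs.
"""
import subprocess

LOG_FORMAT = "%H%x09%G?%x09%GK%x09%an"

STATUS_MEANING = {
    "G": "good signature",
    "B": "BAD signature",
    "U": "good signature, untrusted key",
    "X": "good signature, key expired since",
    "Y": "good signature, signing key expired",
    "R": "good signature, signing key revoked",
    "E": "signature cannot be checked (key missing)",
    "N": "no signature",
}

# Constructed sample `git log` output (placeholder hashes, key IDs and authors).
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\tG\t0123456789ABCDEF\tUser One\n"
    "2222222222222222222222222222222222222222\tN\t\tUser Two\n"
    "3333333333333333333333333333333333333333\tR\tDEADBEEFDEADBEEF\tUser One\n"
    "4444444444444444444444444444444444444444\tE\tFEDCBA9876543210\tUser Three\n"
)


def parse_log(text):
    """Split the tab-separated log into dicts; missing trailing fields become ''."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (4 - len(parts))
        rows.append({"commit": parts[0], "status": parts[1],
                     "key": parts[2], "author": parts[3]})
    return rows


def unsigned_or_bad(rows, allowed=("G",)):
    """Return the rows whose status is not in `allowed` (by default only 'G' passes)."""
    return [r for r in rows if r["status"] not in allowed]


def describe(row):
    """One human-readable line per finding."""
    meaning = STATUS_MEANING.get(row["status"], "unknown status %r" % row["status"])
    key = row["key"] or "-"
    return "%s %s key=%s author=%s" % (row["commit"][:12], meaning, key, row["author"])


def audit(rev_range="origin/main..HEAD", log_text=None):
    """Findings for rev_range; with log_text given, the sample is audited instead."""
    if log_text is None:
        log_text = subprocess.run(
            ["git", "log", "--format=" + LOG_FORMAT, rev_range],
            capture_output=True, text=True, check=True,
        ).stdout
    return [describe(r) for r in unsigned_or_bad(parse_log(log_text))]


if __name__ == "__main__":
    for finding in audit(log_text=SAMPLE_LOG):
        print(finding)
```

Run `audit()` against a real range (for example the commits you are about to push) before pushing; an `E` result on your own commits usually means the verifying machine lacks the public key, which is also what happens on GitHub after a key is deleted, as the section on losing a key explains.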

If You Lose Your Key and Create a New Key

Do not delete your old key from GitHub while you are in the process of adding the new key; if you do, all of the commits signed using the old key will show as "unverified". 

If you did delete it from GitHub, but you previously published it to the MIT server, you can recover the key from the MIT server and add it back to your GitHub account: on, search using your email ID. This will retrieve all the keys published under that address.  Copy the desired key and add it to your GitHub account.
