PGP for developers.

Signed commits with the GitHub Verified badge. Signed release artifacts your packagers can verify. Encrypted security disclosures you can read on the train. PGPony is the mobile half of the workflow — same key as your laptop's gpg, available from anywhere, gated by biometric and a passphrase.

The workflow this addresses.

You sign commits and releases with PGP because your project's downstream packagers and your users care about authenticity. The key lives in gpg on your laptop because that's where git runs. But your mobile workflow exists too: a security disclosure lands while you're away from the desk; a maintainer messages you encrypted; an incident response starts at 11pm on a Saturday. You want to be able to read those messages without SSHing in from your phone.

PGPony holds the same key your laptop has — same fingerprint, same User IDs — secured in iOS Keychain or Android Keystore. You decrypt on the phone; you keep signing on the laptop (since that's where the source lives). The two halves of the workflow stay in sync because they're literally the same key.

What OpenPGP does for you here, and what it doesn't.

// gives you

Signing + verification

  • Signed git commits + tags, with GitHub / GitLab / Bitbucket Verified badge once the public key is uploaded.
  • Signed release artifacts (.tar.gz + .sig) for downstream packagers to verify.
  • Mobile decryption of security disclosures and encrypted maintainer correspondence.
  • One identity across git forges, package registries, and email — your fingerprint is the canonical ID.
  • Cross-platform same key on iOS, Android, and any desktop with gpg — import once, use everywhere.
  • OpenPGP v6 import support today (RFC 9580), so you can already work with v6 keys from collaborators who've upgraded.

// does not give you

Not in scope

  • Mobile commit signing. Git is on the desktop. PGPony is the key, not the signer. (You can sign messages on mobile, just not git operations.)
  • Hardware token signing. YubiKey / smartcard support is planned for PGPony v6.0; today, soft-key only.
  • Reproducible builds. Orthogonal concern — signing attests to authorship, not bit-for-bit reproducibility of the build.
  • Account-level supply-chain protection. A signed release proves the release came from your key. It doesn't protect against a hijacked GitHub account publishing through your project.
  • Per-operation hardware attestation. Software keys can be exfiltrated by a compromised host. For high-value keys, a hardware token raises the bar.

A concrete workflow.

  1. Decide on key structure. Single identity covers most developers — one primary key, signing + encryption subkeys, multiple User IDs (work + personal) if you want one fingerprint everywhere. Separate keys per identity if you want clearer compartmentalization.
  2. Generate the key. If you don't already have one, generate in PGPony (iPhone guide, Android guide) or via desktop gpg. Ed25519 + Curve25519 is the modern default — small keys, fast generation, universal support.
  3. Import to desktop gpg. Export from PGPony, transfer to your dev machine, gpg --import your-key.asc. See Sign Git commits with PGP for the full sequence.
  4. Configure git.
    git config --global user.signingkey YOUR_FINGERPRINT
    git config --global commit.gpgsign true
    git config --global tag.gpgsign true
    git config --global user.email you@yourdomain.com
    The user.email must match a User ID on your key or platforms will show "Unverified".
  5. Upload the public key to each forge. GitHub: Settings → SSH and GPG keys. GitLab: Preferences → GPG Keys. Bitbucket: Personal settings → GPG keys. The Verified badge appears on commits from matching emails.
  6. Publish your fingerprint in your README, your project's release page, and any contact-info section of your site. Downstream packagers and users verify against this. See Publish your public key.
  7. (Optional) Set up WKD on your project domain so maintainers and users can encrypt to you without manual key lookup. See Set up WKD for your domain.
  8. For release signing, the same desktop gpg signs your tarballs:
    gpg --detach-sign --armor my-release-1.0.tar.gz
    # produces my-release-1.0.tar.gz.asc — ship both
    Downstream packagers verify with gpg --verify my-release-1.0.tar.gz.asc my-release-1.0.tar.gz.
  9. On mobile, use PGPony to decrypt security disclosures and encrypted mail from maintainers and contributors. The Decrypt tab handles both encrypted text and clearsigned-only messages.
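The downstream side of step 8, as an added example (not PGPony's own code): a packager's release check that pins the signer to the fingerprint published in step 6, since a bare gpg --verify exit code only says that some key in the local keyring made a good signature. It assumes the project's public key is already imported and that the .asc sits beside the tarball.

```shell
#!/bin/sh
# Added example (not PGPony's own code): a downstream packager's release check.
# A bare `gpg --verify` exit code only says "some key in my keyring made a good
# signature"; this also pins the signer to the fingerprint published in the
# project's README, and rejects signatures from revoked or expired keys.
set -eu

# Classify gpg --status-fd output. Returns one of:
#   ok | mismatch | revoked-key | expired-key
# VALIDSIG args: $3 = fingerprint of the (sub)key that signed, $12 = primary
# key fingerprint; either one matching the pinned value is accepted.
check_validsig() {
  status="$1"     # text captured from `gpg --status-fd 1`
  expected="$2"   # 40-hex-char fingerprint from the README (no spaces)
  printf '%s\n' "$status" | awk -v want="$expected" '
    $1 != "[GNUPG:]" { next }
    $2 == "VALIDSIG" && ($3 == want || $12 == want) { valid = 1 }
    $2 == "REVKEYSIG" { revoked = 1 }
    $2 == "EXPKEYSIG" { expired = 1 }
    END {
      if (!valid)       print "mismatch"
      else if (revoked) print "revoked-key"
      else if (expired) print "expired-key"
      else              print "ok"
    }'
}

# Verify <tarball> against <tarball>.asc and the pinned fingerprint.
# Assumes the project's public key was already imported into the local keyring.
verify_release() {
  tarball="$1"
  expected="$2"
  # gpg exits non-zero on a bad signature; the status lines are still wanted.
  status="$(gpg --batch --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null || true)"
  check_validsig "$status" "$expected"
}

# Usage: verify-release.sh my-release-1.0.tar.gz <published fingerprint>
if [ $# -eq 2 ]; then
  result="$(verify_release "$1" "$2")"
  echo "$1: $result"
  [ "$result" = ok ]
fi
```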

CI / GitHub Actions signing.

For automated release signing, generate a separate signing subkey of your primary key (or a separate dedicated key) and install only that on your CI runner. The CI never sees your primary secret key.

# On desktop gpg, add a signing subkey
gpg --edit-key YOUR_FINGERPRINT
gpg> addkey
# pick: 4 (RSA sign only) or 10 (ECC sign only)
gpg> save

# Export ONLY the secret subkey for CI
gpg --export-secret-subkeys --armor SUBKEY_ID! > ci-signing.asc
# store as an encrypted CI secret (GitHub Actions Secrets, GitLab CI Variables, etc)

The ! after the subkey ID is gpg's exact-key syntax: it selects that one subkey rather than every subkey under the primary. The primary secret stays on your machine and in PGPony. If the CI is ever compromised, you revoke only the subkey — the primary identity stays intact.
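The runner-side half of that setup, as an added example (not PGPony's own code): import the exported subkey into a throwaway keyring, refuse to sign if the secret turns out to carry a primary key after all, then sign with exactly that subkey. It assumes three CI secrets that are not on the page: CI_SIGNING_KEY (the contents of ci-signing.asc), CI_SIGNING_PASSPHRASE and CI_SIGNING_SUBKEY.

```shell
#!/bin/sh
# Added example (not PGPony's own code): the CI-side half of the subkey setup.
# Assumed CI secrets: CI_SIGNING_KEY (the ci-signing.asc contents),
# CI_SIGNING_PASSPHRASE (its passphrase) and CI_SIGNING_SUBKEY (the subkey ID).
set -eu

# Inspect `gpg --with-colons --list-secret-keys` output. In colon format a
# "sec" record whose field 15 is "#" is a stub: the primary secret is absent,
# which is exactly what a --export-secret-subkeys export should look like.
# Returns: stub | present | none
primary_secret_state() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "sec" { n++; if ($15 != "#") real = 1 }
    END { if (!n) print "none"; else if (real) print "present"; else print "stub" }'
}

# Import the subkey into a throwaway keyring, refuse to proceed if the secret
# contains a primary key, then produce the detached signature with that subkey.
sign_release_in_ci() {
  tarball="$1"
  GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  printf '%s\n' "$CI_SIGNING_KEY" | gpg --batch --quiet --import
  state="$(primary_secret_state "$(gpg --batch --with-colons --list-secret-keys)")"
  if [ "$state" != stub ]; then
    echo "refusing to sign: CI secret is not a subkey-only export ($state)" >&2
    rm -rf "$GNUPGHOME"
    return 1
  fi
  # `-u ID!` picks that exact subkey; --pinentry-mode loopback lets a headless
  # runner supply the passphrase without a pinentry dialog.
  gpg --batch --pinentry-mode loopback --passphrase "$CI_SIGNING_PASSPHRASE" \
      -u "$CI_SIGNING_SUBKEY!" --detach-sign --armor "$tarball"
  rm -rf "$GNUPGHOME"   # nothing secret stays on the runner's disk
  echo "signed: $tarball.asc"
}

# Usage in the release job: ci-sign.sh my-release-1.0.tar.gz
if [ $# -eq 1 ]; then
  sign_release_in_ci "$1"
fi
```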

Is PGPony right for your dev workflow?

// yes if
  • You sign commits and want the Verified badge
  • You sign release artifacts for downstream packagers
  • You receive encrypted security disclosures and want mobile access
  • You want one identity across forges, registries, and email
  • You want to keep using your existing PGP key on more devices
// not the right tool if
  • You only need GitHub Verified badge → SSH signing is simpler
  • Hardware token signing is a hard requirement (wait for v6.0 or use desktop gpg + YubiKey)
  • You want to sign git commits from your phone (not possible — git is desktop-only)
  • Your CI pipeline is the only signer (use a dedicated subkey, not PGPony)

Common questions from developers.

Why not just use SSH signing for git?

Git 2.34+ supports SSH key signing, and it's simpler if all you need is the GitHub Verified badge with an existing SSH key. PGP signing is broader: it works for git, for signed release tarballs and package artifacts, for email correspondence with maintainers, and for non-GitHub forges that don't support SSH signing. If you only care about GitHub commits, SSH is fine. If you also sign releases, encrypt mail, or want one identity across multiple systems, PGP earns its complexity.

Should I use a hardware key (YubiKey, smartcard)?

For high-value keys (release-signing identities, maintainers of critical software), yes — it eliminates "soft key on disk" as a threat. PGPony does not currently support YubiKey or smartcard signing; this is planned for v6.0. For now, use PGPony with a soft key for everyday signing and mobile decryption, or use hardware + desktop gpg for specific high-value operations. Both can coexist (separate keys for separate purposes).

Sign commits directly from PGPony on my phone?

No. Git lives on the desktop; commit signing is a git operation that calls out to gpg. PGPony is the secure custodian of the key — you import the key into desktop gpg, configure git to use it, and gpg handles the actual signing on the laptop.

What about CI / GitHub Actions release signing?

Use a separate signing subkey installed only on the CI runner. The CI never has the primary secret. If the CI is compromised, revoke the subkey without disturbing the primary identity.

Multiple identities (work, personal, open source)?

Separate keys for clearer compartmentalization, or one key with multiple User IDs for one fingerprint everywhere. PGPony handles multiple keys in the same keyring. Most developers find separate keys cleaner for the work/personal split.

Why "Unverified" even though my commit is signed?

Three common causes: git author email doesn't match a User ID on your PGP key (fix with git config --global user.email); public key isn't uploaded to the forge; or the signing key on the laptop doesn't match the uploaded public key. Verify with git log --show-signature locally first.
