How to sign Git commits with PGP.

Ten minutes to set up cryptographically-verified Git commits. The PGPony key on your phone becomes the source of truth; desktop gpg becomes a working copy; git uses gpg to sign each commit; GitHub (or GitLab, Bitbucket) shows the Verified badge.

~10 minutes · Desktop required · Git + GnuPG
// at a glance
  1. Export secret key from PGPony
  2. Import into desktop gpg
  3. Configure git signingkey and commit.gpgsign
  4. Match user.email to a key User ID
  5. Make a test signed commit
  6. Verify with git log --show-signature
  7. Upload public key to GitHub
Prerequisites
  • A PGP key in PGPony
  • A desktop computer with Git and GnuPG installed
  • (Optional) A GitHub / GitLab / Bitbucket account for the Verified badge
// step 01

Export your secret key from PGPony.

From the Keyring tab, tap your key to open its detail view. Tap Export Private Key — PGPony walks through a two-step confirmation and biometric re-auth, then writes the ASCII-armored .asc file. Transfer to your desktop via AirDrop, USB, or another encrypted channel — same procedure as the backup guide.

For dev-machine signing only, you don't need the primary secret key. If your PGP key has a dedicated signing subkey, exporting just that subkey's secret material narrows the blast radius. gpg --export-secret-subkeys is the desktop-side equivalent (after the full secret key is imported).

// step 02

Import into desktop GnuPG.

gpg --import your-key.asc
gpg --list-secret-keys --keyid-format=long

The output shows your key with the full fingerprint. Copy it — you'll use it in the next step. (The fingerprint is the 40-character string on the line below sec.)

// step 03

Configure git.

git config --global user.signingkey YOUR_FINGERPRINT_HERE
git config --global commit.gpgsign true
git config --global tag.gpgsign true

Now every commit and tag you create signs automatically.

Per-repo override: drop --global from any of these to set per-repo instead. Useful if you maintain multiple identities (work vs personal) and only want some repos signed with this key.
// step 04

Match git user.email to a key User ID.

Git's author email must match one of the email addresses bound to your PGP key for GitHub (and similar) to validate the signature against the key:

git config --global user.email you@yourdomain.com

Mismatch shows "Unverified" on GitHub even if the signature math is valid.
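The email-to-User-ID check GitHub performs can be reproduced locally before you push. The script below is an added example, not PGPony's code or part of the original guide: it parses gpg's machine-readable colon output (gpg --with-colons --list-keys), pulls the e-mail out of every uid: record, and reports whether a given address is bound to the key. The key listing embedded in the script is a constructed sample with made-up key IDs, fingerprints and addresses; the live invocation at the bottom assumes gpg and git are installed and the key from step 02 has been imported.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --list-keys <fingerprint>` output.
# Key IDs, fingerprints and addresses are made up for the example.
SAMPLE_KEY_LISTING='tru::1:1700000000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::You <you@yourdomain.com>::::::::::0:
uid:u::::1700000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::You (work) <you@work.example>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA9876:'

# Print every e-mail address found in uid: records of a colon-format listing read from stdin.
# Field 10 of a uid: record is the User ID string, e.g. "You <you@yourdomain.com>".
key_uid_emails() {
  awk -F: '$1 == "uid" {
    uid = $10
    if (match(uid, /<[^>]+>/)) print substr(uid, RSTART + 1, RLENGTH - 2)
  }'
}

# Return 0 if the address in $1 is bound to a User ID in the listing on stdin, 1 otherwise.
# Comparison is case-insensitive, matching how e-mail addresses are normally compared.
email_bound_to_key() {
  key_uid_emails | awk -v want="$1" '
    tolower($0) == tolower(want) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Live use on a real machine (assumes gpg and git are installed and the key is imported):
#   gpg --with-colons --list-keys "$(git config user.signingkey)" \
#     | email_bound_to_key "$(git config user.email)" \
#     && echo "user.email matches a key User ID" \
#     || echo "MISMATCH: GitHub will show Unverified"
```

Run the live invocation from inside any repo after step 04; a MISMATCH here means the platform will show Unverified even though local signing succeeds, and the fix is either to change user.email or to add the address as a User ID on the key.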

// step 05

Make a test signed commit.

In any repo, make a small change and commit:

cd ~/your-repo
echo "test" >> README.md
git add README.md
git commit -m "test signed commit"

gpg prompts for your passphrase (or uses the cached one if pinentry is configured). Once it is entered, git completes the commit with a PGP signature attached.

No pinentry prompt? On macOS, install pinentry-mac. On Linux, ensure gnupg2 and pinentry-gtk2 or pinentry-curses are installed and gpg-agent is running. Without pinentry, gpg can't prompt for the passphrase and signing fails silently.
// step 06

Verify locally.

git log --show-signature -1

Look for:

gpg: Signature made [date]
gpg:                using EDDSA key YOUR_FINGERPRINT
gpg: Good signature from "You <you@yourdomain.com>" [ultimate]

"Good signature" with no warnings confirms local signing works. Any failure messages here point at config — usually the user.email mismatch or the pinentry issue from earlier steps.
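For more than one commit, reading git log --show-signature by hand gets tedious; git can instead emit a one-letter verification status per commit (%G?) together with the primary fingerprint of the signing key (%GP). The script below is an added example, not PGPony's code or part of the original guide: it turns those status codes into verdicts and audits a run of commits against the fingerprint you configured in step 03. The log lines embedded in it are a constructed sample with made-up commit hashes and fingerprint; the live invocation assumes git and gpg are installed and is run inside a repo.

```shell
#!/bin/sh
# Constructed sample of `git log --format='%H %G? %GP'` output
# (commit hashes and the fingerprint are made up for the example).
SAMPLE_LOG='a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 G 0123456789ABCDEF0123456789ABCDEF01234567
b2c3d4e5f60718293a4b5c6d7e8f90123456789a N
c3d4e5f60718293a4b5c6d7e8f90123456789ab1 U 0123456789ABCDEF0123456789ABCDEF01234567
d4e5f60718293a4b5c6d7e8f90123456789ab1c2 B 0123456789ABCDEF0123456789ABCDEF01234567'

# Map one of git's %G? status codes to a human-readable verdict.
describe_sig_status() {
  case "$1" in
    G) echo "good signature" ;;
    B) echo "BAD signature (content altered or wrong key)" ;;
    U) echo "good signature, but key not trusted locally" ;;
    X) echo "good signature that has expired" ;;
    Y) echo "good signature made by an expired key" ;;
    R) echo "good signature made by a revoked key" ;;
    E) echo "cannot check (missing key or gpg error)" ;;
    N) echo "unsigned" ;;
    *) echo "unknown status code: $1" ;;
  esac
}

# Read "<hash> <status> <primary-fingerprint>" lines from stdin, print one verdict per
# commit, and return 0 only if every commit carries a good (G) signature from the
# expected primary key fingerprint given in $1.
audit_signed_commits() {
  expected_fpr="$1"
  bad=0
  while read -r hash status fpr; do
    [ -n "$hash" ] || continue
    verdict=$(describe_sig_status "$status")
    if [ "$status" = "G" ] && [ "$fpr" = "$expected_fpr" ]; then
      echo "OK   $hash $verdict"
    else
      echo "FAIL $hash $verdict (key: ${fpr:-none})"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Live use inside a repo (assumes git and gpg are installed and the key is imported):
#   git log --format='%H %G? %GP' -n 20 | audit_signed_commits "$(git config user.signingkey)"
```

A U verdict means the signature itself is fine but the key's ownertrust is not set on this machine, which is the usual state on a second computer where the key was imported but never marked as your own; a B or E verdict is the one to stop on.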

// step 07

Upload public key to GitHub.

Get your ASCII-armored public key for upload:

gpg --armor --export YOUR_FINGERPRINT

Copy the entire output from -----BEGIN PGP PUBLIC KEY BLOCK----- through -----END PGP PUBLIC KEY BLOCK-----.

In GitHub, go to Settings → SSH and GPG keys → New GPG key. Paste the public key block. GitHub validates and adds it. Future signed commits from the matching email address get the Verified badge in the commit history.

GitLab: Preferences → GPG Keys. Bitbucket: Personal settings → GPG keys. Same flow.

Verify it worked.

  • git log --show-signature shows "Good signature" on recent commits.
  • Pushed commits show the Verified badge on GitHub / GitLab / Bitbucket.
  • The key shown as the signing key on the platform matches your PGPony fingerprint.

Common questions.

Why sign commits?

Without signing, Git's author field is metadata anyone can set with git commit --author. PGP signatures attest to authorship cryptographically. This matters for security-sensitive projects, open source maintainers, and commit provenance.

Why import to desktop gpg?

Git's commit-signing flow uses the gpg binary. Your dev workflow is on a desktop, so that's where gpg needs the secret key. PGPony is the source; desktop gpg becomes a working copy.

SSH signing as an alternative?

Git 2.34+ supports SSH key signing. Simpler if you only need the GitHub Verified badge and have an SSH key. PGP signing gives broader interop with non-GitHub tools.

Will GitHub recognize the signature?

Yes — when your PGP public key is uploaded to GitHub and the commit author email matches a User ID on the key. A mismatch shows Unverified even if the signature math is valid.

Multiple machines?

Import the same key onto each. Same fingerprint everywhere. Or restrict signing to one machine to keep the secret material in narrower scope.

GitLab and Bitbucket?

Yes. Both support PGP-signed commits with verified status. The git config is the same; the platform-side step is uploading the public key to each account.

Next steps.

Get PGPony

Free OpenPGP encryption for iOS and Android. No accounts, no tracking.