Signing Existing Commits with GPG

Joseph D. Marhee

Signing commits is a longstanding practice, especially for tags (releases) in your projects. Sometimes, however, it must be done retroactively, for instance if you hadn't been signing your commits or releases previously and don't wish to cut a new release simply to append your signature.

Getting your gitconfig set up for GPG-signed commits is pretty straightforward. Get your key fingerprint from the output of gpg -k, which looks like this:

pub   rsa2048 2020-06-15 [SC] [expires: 2022-06-15]
uid           [ultimate] Joseph D. Marhee <email>
sub   rsa2048 2020-06-15 [E] [expires: 2022-06-15]

You'll then add it to your Git configuration so Git knows which key to sign your commits with:

git config --global user.signingkey <your Key ID>

and if you want to do this automatically on each commit, you'll also run:

git config commit.gpgsign true

# Let gpg prompt for the key passphrase on the current terminal
export GPG_TTY=$(tty)

and you're ready to modify your commits.

You'll start an interactive rebase:

git rebase -i --root

scroll until you find your commit in the pick list, then modify the keyword pick to read edit:

edit <commit>

save, and then amend your commit to include the signature, and complete the rebase:

git commit -S --amend --no-edit 
git rebase --continue

and then push to your branch. Because the rebase rewrites the amended commit and every commit after it, their hashes change, so a branch that was already pushed has to be force-pushed. One thing to keep in mind is that you must sign using the same email address you're committing with (the one you provided when you generated your GPG key); these must match in order for sites like GitHub to mark the signature as verified. You can update the commit (without updating your Git configuration default email address) using:

git commit --amend --author "Your Name <you@domain.com>"

or set it in your config so that it persists for future commits:

git config --global user.email "you@domain.com"

and push.
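To confirm that the rebase left no commit unsigned or signed under a mismatched address, the following added example (not part of the original post) audits `git log` output using the `%G?` signature-status placeholder. The function name `audit_signatures` and the choice of the committer email (`%ce`) as the address to compare are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit signature status after re-signing history.
# Reads lines of the form "<hash> <status> <email>" on stdin, as produced by:
#   git log --format='%H %G? %ce' | audit_signatures you@domain.com
# %G? status codes (git-log pretty formats):
#   G good, B bad, U good but unknown validity, X good but expired,
#   Y good but made by an expired key, R good but made by a revoked key,
#   E cannot be checked (e.g. missing key), N no signature.
# Comparing the committer email (%ce) is an assumption of this example.

audit_signatures() {
    expected_email=$1   # address on the GPG key's UID
    problems=0
    while read -r hash status email; do
        [ -n "$hash" ] || continue          # skip blank lines
        case $status in
            G)   reason= ;;
            N)   reason="unsigned" ;;
            B)   reason="bad signature" ;;
            U)   reason="good signature, key validity unknown" ;;
            X|Y) reason="signature or key expired" ;;
            R)   reason="key revoked" ;;
            E)   reason="cannot be checked (missing key?)" ;;
            *)   reason="unrecognised status $status" ;;
        esac
        # A good signature still fails the email-match requirement
        # if the commit carries a different address than the key.
        if [ -z "$reason" ] && [ "$email" != "$expected_email" ]; then
            reason="signed, but email $email does not match key UID"
        fi
        if [ -n "$reason" ]; then
            printf '%s %s\n' "$hash" "$reason"
            problems=$((problems + 1))
        fi
    done
    # Exit status 0 only when every commit passed.
    [ "$problems" -eq 0 ]
}
```

The function prints one line per commit that still needs attention and returns non-zero if there is any, so it can gate a push or a CI job.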
