DEV Community

Ashwin Gopalsamy

Struggling with Git Commit Signing? Here’s What Fixed It for Me

If you've ever tried setting up commit signing with GPG on GitHub and ended up scratching your head, you're not alone. You follow the official docs, generate a key, link it to GitHub, and set it up in your local repo, but your commits still show as "unverified." That’s exactly what happened to me, and here’s how I finally got it working.

Generating Your GPG Key

The first step is generating the GPG key, which is usually pretty straightforward:

  1. Generate the key:
   gpg --full-generate-key
  2. Find your key ID:
   gpg --list-secret-keys --keyid-format LONG
  3. Export the public key:
   gpg --armor --export YOUR_KEY_ID > my-gpg-key.asc
  4. Add the key to GitHub: Copy the contents of my-gpg-key.asc (the output of the previous command) and go to GitHub Settings > SSH and GPG keys > New GPG key. Paste it in there.

Once this is done, tell Git to use this key for signing commits:

git config --global user.signingkey YOUR_KEY_ID
git config --global commit.gpgSign true

That should take care of the basics. At this point, every commit you make should be signed with your GPG key.

But Is It Working? Check Your Repo’s Config

I thought I was all set until I started seeing "unverified" commits again. Here’s the thing: while you may have set the global config for commit signing, each repository has its own config, and a value set there takes precedence over the global one. So, even if your global settings are correct, you still need to check the specific repo configuration.

Run the following to check if commit signing is enabled for your current repo:

git config commit.gpgSign
  • If the output is true, you're good to go.
  • If it’s false (or if there’s no output), you need to enable it with:
git config commit.gpgSign true

It’s a small step, but if the value Git resolves for that repo isn’t true, Git won’t sign your commits there, even if you’ve got everything else configured correctly.
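
To see which config scope actually decides commit.gpgSign for a repo, here is an added example (not code from the original post). The function name gpgsign_verdict is made up for this example, and it assumes Git 2.26 or later for --show-scope.

```shell
#!/bin/sh
# Added example: report which config scope decides commit.gpgSign.
# Input (one entry per line, "scope<TAB>value") is what
#   git config --type=bool --show-scope --get-all commit.gpgSign
# prints. Git reads system, global, local and worktree config in that
# order, and the LAST entry it reads is the one that takes effect.

TAB=$(printf '\t')

# gpgsign_verdict (hypothetical helper): reads scope/value lines on stdin,
# prints a one-line verdict, returns 0 only if commits will be signed.
gpgsign_verdict() {
  gv_scope="" gv_value="" gv_last_scope="" gv_last_value=""
  # "|| [ -n ... ]" also handles a final line without a trailing newline.
  while IFS="$TAB" read -r gv_scope gv_value || [ -n "$gv_scope" ]; do
    [ -n "$gv_scope" ] || continue
    gv_last_scope=$gv_scope
    gv_last_value=$gv_value
  done
  if [ -z "$gv_last_scope" ]; then
    echo "unset: commit.gpgSign is not set in any scope"
    return 1
  fi
  if [ "$gv_last_value" = "true" ]; then
    echo "signed: decided by $gv_last_scope config"
    return 0
  fi
  echo "unsigned: $gv_last_scope config sets commit.gpgSign=$gv_last_value"
  return 1
}

# Stand-alone use: only runs when executed inside a Git work tree.
if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
  git config --type=bool --show-scope --get-all commit.gpgSign \
    | gpgsign_verdict || true
  # Confirm the most recent commit really carries a valid signature.
  if git verify-commit HEAD >/dev/null 2>&1; then
    echo "HEAD: good signature"
  else
    echo "HEAD: no valid signature"
  fi
fi
```

A verdict of "unsigned: local config ..." means the repository's own .git/config is overriding a global true, which is the situation this section describes.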

Don’t Want to Type Your Passphrase Every Time? Cache It!

If you’re signing commits frequently, typing your GPG passphrase every single time can get old. The good news is, you can cache the passphrase for a certain period, so you don’t have to re-enter it every time you make a commit.

To do this, add these lines to your ~/.gnupg/gpg-agent.conf file:

default-cache-ttl 600
max-cache-ttl 7200

This will cache your passphrase for 10 minutes after its last use, and the maximum cache time will be 2 hours no matter how often it is used. After that, GPG will ask you for your passphrase again.

GPG Not Working? Try Restarting the GPG Agent

Sometimes things can just break for no reason. You might notice that keys stop working, commits aren’t signed, or you see weird errors. When this happens, one thing that tends to help is restarting the GPG agent.

You can do that with:

gpgconf --kill gpg-agent

This command forces the GPG agent to restart the next time you use it. It’s a simple fix but can clear up a lot of problems when things go sideways.

Wrapping Up

Getting GPG commit signing set up on GitHub can be a bit of a pain, especially when things don’t work as expected. But once it’s up and running, it’s a great way to ensure the authenticity of your commits. Here’s a quick checklist to make sure everything’s working:

  • Check your repo’s commit.gpgSign config: Make sure it’s set to true for your repo with git config commit.gpgSign.
  • Cache your passphrase: Use gpg-agent to avoid entering your passphrase every time.
  • Restart the GPG agent: If things go wrong, use gpgconf --kill gpg-agent to restart it.

If you’re still running into issues, or if you’ve got a better way of managing GPG with GitHub, leave a comment. I’d love to hear your thoughts!

Thanks for reading. May the code be with you!
