Signing commits with GPG | Git & GitLab

Starting with release 9.5, GitLab will allow users to sign commits via GPG. When browsing commits in GitLab, you’ll see a badge titled “Verified” next to the commit message if the commit is signed and you’ve added your public GPG key to GitLab. This brief tutorial shows how to configure GitLab and your local environment to sign commits automatically.

To get started, generate a keypair by following the steps provided by GPG, then list your secret keys to find the ID of the new key:

gpg --full-generate-key

gpg --list-secret-keys --keyid-format SHORT

By adapting your .gitconfig file you will tell git to use the correct keypair and automatically sign new commits.

# Sign commits or tags without having to specify your key every time
git config --global user.signingkey <gpg-key-id>

# Auto-Sign commits
git config --global commit.gpgsign true

Finally, complete the steps provided in the official GitLab Help for adding the generated public key to your user profile. You can export your public key by executing the following command:

gpg --armor --export <gpg-key-id>
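
The `<gpg-key-id>` used in the commands above is the part after the slash on a `sec` line of the key listing. The following is an added example, not part of the original post: it reads that listing and prints only the key IDs that can actually sign. The function names and the sample listing are constructed for illustration, and the GnuPG 2.1+ output layout is assumed.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-secret-keys --keyid-format SHORT`
# output (GnuPG 2.1+ layout assumed); not a real keyring.
sample_listing() {
cat <<'EOF'
/home/alice/.gnupg/pubring.kbx
------------------------------
sec   rsa2048/0F0F0F0F 2015-03-01 [SC] [expired: 2016-03-01]
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0F0F0F0F
uid         [ expired] Alice Example <alice@example.com>

sec   rsa4096/1A2B3C4D 2017-08-01 [SC]
      BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB1A2B3C4D
uid         [ultimate] Alice Example <alice@example.com>
ssb   rsa4096/5E6F7A8B 2017-08-01 [E]

sec   rsa4096/9C8D7E6F 2017-08-02 [C]
      CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC9C8D7E6F
uid         [ultimate] Alice Example <alice@example.com>
ssb   rsa2048/2B4D6F80 2017-08-02 [S]
ssb   rsa2048/3C5E7A91 2017-08-02 [E]
EOF
}

# Print the short ID of each primary key usable as user.signingkey:
# the primary key is not expired or revoked, and it or one of its
# subkeys carries the signing capability "S".
signing_key_ids() {
    awk '
    $1 == "sec" {                      # new primary key: remember its ID
        split($2, part, "/")           # "rsa4096/1A2B3C4D" -> algo, ID
        id = part[2]; done = 0
        dead = ($0 ~ /\[(expired|revoked):/)
    }
    ($1 == "sec" || $1 == "ssb") && !dead && !done &&
        $0 !~ /\[(expired|revoked):/ {
        for (i = 3; i <= NF; i++)      # capability flags look like [SC]
            if ($i ~ /^\[[SCEA]+\]$/ && $i ~ /S/) { print id; done = 1; break }
    }'
}

# Real use: gpg --list-secret-keys --keyid-format SHORT | signing_key_ids
sample_listing | signing_key_ids
```

An expired or revoked key still appears in the listing, and commits signed with it will not verify, so filtering before setting `user.signingkey` avoids a silent misconfiguration.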

Published by

Matthias Wirtz
