Signing your git commits

Install GPG.

sudo apt-get update && sudo apt-get install gnupg -y

Generate a GPG key.

gpg --full-generate-key

The default prompts are probably sufficient, but choosing a stronger setting (such as a 4096-bit key) probably won’t hurt. Once the key has been created, it is automatically added to your keyring as a trusted key.

Next, get your GPG key fingerprint.

gpg --fingerprint YOUR_GPG_KEY_NAME

Next, go into your Git project directory and configure it with your name, email, and GPG signing key.

git config user.name YOUR_NAME
git config user.email YOUR_EMAIL
git config user.signingkey YOUR_GPG_KEY_FINGERPRINT

You can sign your commits by adding the -S flag.

git commit -S

Or you can configure your project to sign your commits by default:

git config commit.gpgsign true

You can also add the --global flag to your git config commands to set the configuration globally instead of for just one project.

git config --global commit.gpgsign true
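To check that signing is actually happening, the script below audits commit history against the one key you expect. It is an added example, not part of the original page: it relies on git's `%G?` (signature status) and `%GP` (primary key fingerprint) log placeholders, and the function name `audit_signatures` and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit commit signatures against one expected signing key.
# Reads lines of "<hash> <%G? status> <%GP primary-key fingerprint>" on stdin,
# i.e. the output of:  git log --format='%H %G? %GP'
# $1 is the expected fingerprint (spaces allowed, as gpg --fingerprint prints it).
# Prints one line per failing commit; returns 0 only if every commit passes.
audit_signatures() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    failures=0
    while read -r hash status fpr; do
        [ -n "$hash" ] || continue
        case "$status" in
            G|U) # good signature (U: key validity unknown): pin the fingerprint
                if [ "$fpr" = "$expected" ]; then continue; fi
                reason="signed by unexpected key ${fpr}" ;;
            N) reason="not signed" ;;
            B) reason="bad signature" ;;
            E) reason="signature cannot be checked (public key missing?)" ;;
            X) reason="signature has expired" ;;
            Y) reason="signed by an expired key" ;;
            R) reason="signed by a revoked key" ;;
            *) reason="unknown status '${status}'" ;;
        esac
        printf '%s: %s\n' "$hash" "$reason"
        failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample input (shortened hashes, made-up fingerprints).
SAMPLE_FPR='AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333'
audit_signatures "$SAMPLE_FPR" <<'EOF' || echo "some commits failed the signature policy"
1111111 G AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
2222222 N
3333333 G 9999888877776666555544443333222211110000
4444444 B AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
EOF
```

In a real repository, replace the sample input with `git log --format='%H %G? %GP' | audit_signatures "YOUR_GPG_KEY_FINGERPRINT"`; the non-zero exit status makes it usable as a CI gate.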
