Signing commits
You can sign commits locally using GPG, SSH, or S/MIME.
Note
GitHub Desktop only supports commit signing if your Git client is configured to sign commits by default.
Tip
To configure your Git client to sign commits by default for a local repository, in Git versions 2.0.0 and above, run git config commit.gpgsign true. To sign all commits by default in any local repository on your computer, run git config --global commit.gpgsign true.
To store your GPG key passphrase so you don't have to enter it every time you sign a commit, we recommend using the following tools:
- For Mac users, the GPG Suite allows you to store your GPG key passphrase in the macOS Keychain.
- For Windows users, Gpg4win integrates with other Windows tools.
You can also manually configure gpg-agent to save your GPG key passphrase, but this doesn't integrate with macOS Keychain like ssh-agent and requires more setup.
If you have multiple keys or are attempting to sign commits or tags with a key that doesn't match your committer identity, you should tell Git about your signing key.
When committing changes in your local branch, add the -S flag to the git commit command:
$ git commit -S -m "YOUR_COMMIT_MESSAGE"
# Creates a signed commit
If you're using GPG, after you create your commit, provide the passphrase you set up when you generated your GPG key.
When you've finished creating commits locally, push them to your remote repository on GitHub:
$ git push
# Pushes your local commits to the remote repository
On GitHub, navigate to your pull request.
On the pull request, click Commits.

To view more detailed information about the verified signature, click Verified.
