Commit Signing

Commit signing allows GitHub to verify that a commit came from a trusted key associated with your account. GitHub supports GPG, SSH, and S/MIME signatures, but this page documents the GPG workflow used for local commits made from VS Code.

When to Use This

Use this process when:

• You want local commits pushed to GitHub to display a Verified badge
• You are committing from VS Code instead of using the GitHub web editor
• You are using GPG for commit signing

GitHub automatically signs commits created in the GitHub web interface. The steps below are for local commits created on your machine.

Prerequisites

Before enabling signed commits in VS Code, make sure you have:

• A verified email address on your GitHub account
• Git installed locally
• GPG installed locally
• A GPG key that matches the email address used for your Git commits

GPG does not come installed by default on macOS or Windows. To install GPG command line tools, see GnuPG’s Download page.

Setup Process

GitHub owns most of this workflow. Use the official GitHub documentation for the full procedural steps, and use this page as the high-level path plus the VS Code-specific configuration.

1. Prepare a GPG Key for GitHub

Use an existing GPG key or generate a new one, then confirm the key identity uses an email address that GitHub can verify.

Follow GitHub’s official documentation for:

• Checking for existing GPG keys
• Generating a new GPG key
• Associating an email with your GPG key

2. Add Your GPG Key to GitHub

After generating or locating your key, export the public key and add it to your GitHub account.

gpg --armor --export <GPG_KEY_ID>

Then, follow GitHub’s official instructions for adding a GPG key to your GitHub account.

GitHub can only verify your signatures after the matching public key has been added to your account.

3. Configure Git to Use Your Signing Key

Tell Git which GPG key to use and enable commit signing by default.

git config --global user.signingkey <GPG_KEY_ID>
git config --global commit.gpgsign true

Note

If you previously configured Git to use a different signing format, such as SSH or S/MIME, you may need to clear that setting before switching to GPG:

git config --global --unset gpg.format

For the full GitHub guidance, see telling Git about your signing key.

4. Enable Commit Signing in VS Code

Once Git and GitHub are configured, enable commit signing in VS Code by setting git.enableCommitSigning to true in your user settings.json.

settings.json

{
  "git.enableCommitSigning": true
}

This setting tells VS Code’s built-in Git integration to sign commits created from the editor. For more information, see how to configure user and workspace settings.

Verify the Setup

To verify that VS Code is signing commits correctly:

1. Make a small test change in your repository.
2. Create a commit from VS Code’s Source Control panel.
3. Push the commit to GitHub.
4. Open the commit or pull request in GitHub and confirm that the commit shows a Verified badge.

Note

You can also verify that Git and GPG signing are working locally from the command line:

git commit -S -m "test: verify commit signing"
git push

This confirms local signing is working, but it does not specifically validate the VS Code setting.

For the official GitHub verification flow, see:

• About commit signature verification
• Signing commits