Signing Commits

Creating a signed commit

New in v1.5.0: The key icon at the bottom of the Commit Dialog indicates whether your commit will be GPG-signed.

A green key means your commit will be signed.

A gray key means your commit will not be signed.

You can click the key icon to enable or disable signing for the commit you’re about to make.

(Image: the signing key button in the Commit Dialog.)

After making a signed commit, you should see a green seal icon next to your name in the Commit History.

What to do if signing isn’t available

Note

To be able to sign commits, you must first set up user.signingKey in your Git configuration. See Pro Git – Signing Your Work to get started.

  • Check that you’ve set user.signingKey in your Git configuration. This is required to specify what key to sign your commits with.

  • If you’ve set up your signing key and you want all commits to be signed, check that you’ve enabled commit.gpgSign in your Git configuration.

Verifying signed commits in the Commit History

New in v1.5.0: To enable automatic verification of signed commits in the Commit History, go to Settings ‣ Commit History and tick Verify signed commits on the fly.

As commits scroll into view, GitFourchette will then call git verify-commit automatically to verify their signatures. The verification status is shown as a seal icon next to the author’s name:

  • Verification pending

  • Verification failed (e.g. missing key)

  • Good signature; key not fully trusted

  • Good signature; key trusted

  • Key or signature expired

  • Key revoked or signature invalid

  • (No seal icon: the commit isn’t signed.)
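As an added example (not GitFourchette’s own code), the POSIX shell helper below does in a script what on-the-fly verification does in the GUI: it reads the raw GnuPG status lines that git verify-commit --raw writes and maps them onto the seal states listed above. It assumes OpenPGP signatures (gpg.format = openpgp); the function names and the sample status lines fed to it are constructed for the demonstration.

```shell
# classify_gpg_status: read raw GnuPG status lines ("[GNUPG:] ...") on stdin
# and print one seal state: good-trusted, good-untrusted, expired,
# revoked-or-invalid, failed, or unsigned. Hypothetical helper, not part of
# GitFourchette; mirrors how git itself maps these status lines to %G?.
classify_gpg_status() {
    sig="unsigned"; trust="untrusted"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)                        sig="good" ;;
            "[GNUPG:] EXPSIG "*|"[GNUPG:] EXPKEYSIG "*)  sig="expired" ;;
            "[GNUPG:] REVKEYSIG "*|"[GNUPG:] BADSIG "*)  sig="bad" ;;
            # ERRSIG (often followed by NO_PUBKEY) means the signature could
            # not be checked at all, e.g. the signer's key is not in your keyring
            "[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)  sig="failed" ;;
            # only full/ultimate ownertrust counts as "trusted"; undefined,
            # marginal and never all map to the "not fully trusted" seal
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trust="trusted" ;;
        esac
    done
    case "$sig" in
        good)    if [ "$trust" = "trusted" ]; then echo good-trusted; else echo good-untrusted; fi ;;
        expired) echo expired ;;
        bad)     echo revoked-or-invalid ;;
        failed)  echo failed ;;
        *)       echo unsigned ;;
    esac
}

# seal_for_commit: classify a real commit. git verify-commit --raw sends the
# status lines to stderr, hence the 2>&1; the non-zero exit of a failed
# verification is absorbed by the pipe on purpose.
seal_for_commit() {
    git verify-commit --raw "$1" 2>&1 | classify_gpg_status
}

# Constructed sample: a good signature from a key that was imported but whose
# ownertrust was never set (the GitHub web-flow key ID from the Tip below).
demo_untrusted() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG B5690EEEBB952194 GitHub (web-flow commit signing) <noreply@github.com>' \
        '[GNUPG:] TRUST_UNDEFINED 0 pgp' | classify_gpg_status
}

# Constructed sample: signer's public key missing from the keyring.
demo_missing_key() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] ERRSIG B5690EEEBB952194 1 8 00 1700000000 9 FINGERPRINTPLACEHOLDER' \
        '[GNUPG:] NO_PUBKEY B5690EEEBB952194' | classify_gpg_status
}
```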

Troubleshooting failed verifications (“question mark” seal icons)

Your GPG keychain must contain the signer’s public key to be able to verify their commits.

Frequently, verification will fail (question-mark seal) because GPG can’t find the signer’s public key in your keychain. You can import their public key from a trusted source, then force GitFourchette to verify the commit again (right-click on the commit and select Verify Signature). Importing a key only lets GPG check the signature; until you have confirmed the key’s fingerprint with its owner and set its trust level in GPG, the commit will show as “Good signature; key not fully trusted”.

Tip

You can try gpg --search-keys to import a key from your keyserver. For example, the following command lets you import a key owned by GitHub that is commonly used to sign commits made with their web interface:

gpg --search-keys B5690EEEBB952194