If you’ve ever admired that shiny green “Verified” badge next to a commit on GitHub, you’re looking at a digitally signed commit. Traditionally, that meant diving into the somewhat messy world of GPG keys. But now, GitHub supports SSH-signed commits — and it's far simpler, faster, and works beautifully across Windows, macOS, and Linux.
In this article, I’ll show you how to set up SSH commit signing on any operating system so your GitHub commits are secure and proudly Verified. Let’s roll. 🔐🚀
🧠 Why Sign Your GitHub Commits?
Signed commits:
- Prove you actually made them (authenticity)
- Prevent impersonation and spoofing
- Show the ✅ Verified badge on GitHub
- Add trust, especially in open source or team environments
🔧 Prerequisites
Before you start, make sure you have:
- Git 2.34 or newer (check with git --version)
- A GitHub account
- Git set up on your machine
- SSH access (or willingness to generate an SSH key)
🔑 Step 1: Generate an SSH Key (If You Don’t Have One)
SSH keys are a pair: a private key (kept secret) and a public key (shared with GitHub).
Run the following in your terminal:
ssh-keygen -t ed25519 -C "your_email@example.com"
- Hit Enter to accept the default file location:
  - macOS/Linux: ~/.ssh/id_ed25519
  - Windows: C:\Users\YourName\.ssh\id_ed25519
- Set a passphrase if you want (recommended for security)
If you're asked whether to overwrite an existing key — be careful! It may already be in use for GitHub or another service.
🧷 Step 2: Add Your Public Key to GitHub
Now we give GitHub your public key so it can verify your commits.
🖥 Show your public key:
- macOS/Linux:
cat ~/.ssh/id_ed25519.pub
- Windows (PowerShell):
type $env:USERPROFILE\.ssh\id_ed25519.pub
Copy the entire key that starts with ssh-ed25519.
🔗 Add the key to GitHub:
- Go to: https://github.com/settings/ssh
- Click New SSH key
- Fill in:
  - Title: Something like GitHub Signing Key
  - Key type: Signing Key
  - Key: Paste the key you copied
- Click Add SSH key
⚙️ Step 3: Configure Git to Sign Commits with SSH
Now, configure Git to use SSH as the signing backend and point it to your private key.
🔧 Run the following:
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519
git config --global commit.gpgsign true
🪟 For Windows (Git Bash or PowerShell):
git config --global user.signingkey "C:/Users/YourName/.ssh/id_ed25519"
📌 Important: You must point to your private key, not the .pub file.
🧪 Step 4: Test It Out!
Let’s make a signed commit and push it.
git commit -m "This commit is SSH signed 🔐"
git push
Then, check the commit on GitHub. You should see:
✅ Verified
Signed with SSH
🎉 Boom! You’re now part of the Verified Club.
💡 Optional: Use ssh-agent to Avoid Passphrase Prompts
If your SSH key has a passphrase, Git may ask for it every time. To fix that:
🔁 On macOS or Linux:
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
🪟 On Windows (Git Bash):
eval "$(ssh-agent -s)"
ssh-add /c/Users/YourName/.ssh/id_ed25519
If you get an error, ensure you're running Git Bash, not Command Prompt.
✅ Summary
By signing commits with SSH, you now:
- Avoid the complexity of GPG
- Get the Verified badge on GitHub
- Use one SSH key for both auth and signing
- Stay secure across Windows, macOS, and Linux
🧠 Bonus: Use Per-Repo Signing (Optional)
Don’t want to enable commit signing globally? You can set it per project:
cd your-repo
git config gpg.format ssh
git config user.signingkey ~/.ssh/id_ed25519
git config commit.gpgsign true
🔐 Final Thoughts
SSH-signed commits are the future — cleaner, simpler, and just as secure. Whether you’re working solo, contributing to open source, or collaborating on a team, signing your commits builds trust and showcases your professionalism.
And hey, that green “Verified” badge? It looks good on you 😎
💬 Got Questions?
Drop a comment or connect with me on GitHub. I’d be happy to help you get Verified!