larsks larsks - 1 year ago 82
Git Question

Verifying signed git commits?

With newer versions of git it's possible to sign individual commits (in addition to tags) with a PGP key:

git commit -m "some message" -S

And you can show these signatures in the output of git log with the --show-signature option:

$ git log --show-signature
commit 93bd0a7529ef347f8dbca7efde43f7e99ab89515
gpg: Signature made Fri 28 Jun 2013 02:28:41 PM EDT using RSA key ID AC1964A8
gpg: Good signature from "Lars Kellogg-Stedman <>"
Author: Lars Kellogg-Stedman <>
Date: Fri Jun 28 14:28:41 2013 -0400

this is a test

But is there a way to programmatically verify the signature on a given commit other than by grepping the output of git log? I'm looking for the commit equivalent of git tag -v -- something that will provide an exit code indicating whether or not there was a valid signature on a given commit.

Answer Source

Just in case someone comes to this page through a search engine, like I did: New tools have been made available in the two years since the question was posted: There are now git commands for this task: git verify-commit and git verify-tag can be used to verify commits and tags, respectively.
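
An added example, not part of the original answer: git verify-commit exits 0 for a good signature from any key in the local keyring, so a gate that must also know who signed can read the gpg status lines from git verify-commit --raw and pin the signer's fingerprint. The function names, the allow-list argument and the sample status lines are assumptions constructed for this illustration.

```python
import subprocess
import sys

# Constructed status lines in the format printed by `git verify-commit --raw`
# (key id, fingerprint and identity are made up).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + FPR + " 2013-06-28 1372444121 0 4 0 1 8 00 " + FPR + "\n"
)
SAMPLE_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"

# Status keywords that mean the signature must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def check_status(raw, allowed):
    """Return (ok, reason) for gpg status text, pinning to allowed fingerprints."""
    good, fprs = False, set()
    for line in raw.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return False, fields[1]
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG":
            # Signing-key fingerprint, plus primary-key fingerprint when present.
            fprs.update(fields[2:3] + fields[11:12])
    if not good or not fprs:
        return False, "no good signature"
    if not fprs & {a.upper() for a in allowed}:
        return False, "signer not in allow-list"
    return True, "ok"

def verify_commit(rev, allowed, repo="."):
    """Verify one commit; --raw makes git print the gpg status lines on stderr."""
    if rev.startswith("-"):  # do not let a revision be parsed as an option
        return False, "invalid revision"
    proc = subprocess.run(["git", "-C", repo, "verify-commit", "--raw", rev],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return False, "git verify-commit exited %d" % proc.returncode
    return check_status(proc.stderr, allowed)

if __name__ == "__main__":
    ok, reason = verify_commit(sys.argv[1], sys.argv[2:])
    print(reason)
    sys.exit(0 if ok else 1)
```

Run as a script with a revision followed by one or more allowed fingerprints; the exit code is 0 only when the commit carries a good signature from one of them.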
