GPG is an open-source cryptographic software application that implements the OpenPGP standard. With a GPG keypair, you can sign or encrypt text. Git allows you to sign your commits, so other collaborators can be assured it was you who created them.
Run this to generate a new key:
```sh
gpg --full-generate-key
```

| Question | Answer |
|---|---|
| Key type | RSA and RSA |
| Key size | 4096 |
| Expiration | 0 (no expiration) or 1y if you prefer rotation |
| Real name | Huy Tran |
| Email address | Use your primary email (e.g., quochuytran@mail.com) |
| Comment | Leave blank or add (Git signing key) |
| Passphrase | Choose a strong one |
After generation, run:
```sh
gpg --list-secret-keys --keyid-format=long
```

Example output:

```
sec rsa4096/AA11BB22CC33DD44 2025-10-29 [SC]
1234567890ABCDEF1234567890ABCDEF12345678
uid [ultimate] Huy Tran <quochuytran130804@gmail.com>
sub rsa4096/EE55FF66GG77HH88 2025-10-29 [E]
```

The important part is the key ID after rsa4096/, e.g.:

```
AA11BB22CC33DD44
```
We’ll use that next.
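An added example, not part of the original post: a shell function that reads gpg's machine-readable `--with-colons` listing and prints the long IDs of primary keys that can sign at a given time, skipping expired, revoked and certify-only keys. The sample listing is constructed (only `AA11BB22CC33DD44`, the fingerprint, name and email come from the page), the function names are hypothetical, and the field handling assumes GnuPG 2.x output with epoch timestamps.

```sh
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.
# usable_signing_keys NOW: reads `gpg --list-secret-keys --with-colons`
# output on stdin and prints the long key ID of every primary key that can
# sign at time NOW (seconds since the epoch).
usable_signing_keys() {
    awk -F: -v now="$1" '
        $1 == "sec" {
            # Field 2: validity (e=expired, r=revoked, i/n=invalid, d=disabled)
            if ($2 ~ /^[eridn]$/) next
            # Field 7: expiration time, empty when the key never expires
            if ($7 != "" && $7 + 0 <= now + 0) next
            # Field 12: uppercase S means the key as a whole can sign,
            # uppercase D means the key is disabled
            if ($12 !~ /S/ || $12 ~ /D/) next
            print $5    # Field 5: long key ID
        }'
}

# Constructed sample listing: a non-expiring signing key, an expired key,
# a certify/encrypt-only key, and a key that expires on 2026-10-29.
sample_listing() {
    cat <<'EOF'
sec:u:4096:1:AA11BB22CC33DD44:1761696000:::u:::scESC:::+:::23::0:
fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:
uid:u::::1761696000::0000000000000000000000000000000000000000::Huy Tran <quochuytran@mail.com>::::::::::0:
ssb:u:4096:1:0000000000000001:1761696000::::::e:::+:::23:
sec:e:4096:1:0000000000000002:1600000000:1631536000::u:::sc:::+:::23::0:
sec:u:4096:1:0000000000000003:1761696000:::u:::cEC:::+:::23::0:
ssb:u:4096:1:0000000000000013:1761696000::::::e:::+:::23:
sec:u:4096:1:0000000000000004:1761696000:1793232000::u:::scESC:::+:::23::0:
EOF
}

# Live use:
#   gpg --list-secret-keys --with-colons | usable_signing_keys "$(date +%s)"
# Demo on the constructed listing with NOW = 2026-01-01 UTC;
# prints AA11BB22CC33DD44 and 0000000000000004.
sample_listing | usable_signing_keys 1767225600
```

If the ID you plan to put in `user.signingkey` is not in the output, signing will fail or produce signatures that do not verify, which matters most when you chose a 1y expiration.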
Configure Git globally:
```sh
git config --global user.name "Huy Tran"
git config --global user.email "quochuytran@mail.com"
git config --global user.signingkey AA11BB22CC33DD44
git config --global commit.gpgsign true
```

You’ll need your public key for GitHub, Codeberg, etc.:

```sh
gpg --armor --export AA11BB22CC33DD44
```

Copy the full block starting from:

```
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----
```

And add it to the desired platforms.
Make a signed commit in any repo:
```
git commit -S -m "Test GPG signing"
git log --show-signature -1
gpg: Good signature from "Huy Tran <quochuytran@mail.com>"
```

And GitHub/Codeberg should show your commits as Verified.
I was trying to tell my local git configuration to use a key pair per platform, but I failed.