gpg signed git commits

To enable git to sign commits, we must configure the key to be used for signing. This can be accomplished by editing ~/.gitconfig:

[user]
         name = Matt Kowalczyk
         email = matt.kowalczyk@gmail.com
         signingkey = A53C8900B710D91F

Also, if you have both gpg and gpg2 installed on your system, you may need to force git to use a specific program to perform the signing. In my case, I needed to use gpg2, and this was accomplished by appending the following to ~/.gitconfig:

[gpg]
         program = gpg2

With these changes, we're now able to sign commits and tags and also verify these signatures. For instance:

$ git add foo.txt
$ git commit -S -m "initial commit"
[master (root-commit) 7f5db95] initial commit
 1 file changed, 1 insertion(+)
 create mode 100644 foo.txt
$ git log --show-signature
commit 7f5db95d63f68813df4229835ca6b775dbe1b5ac
gpg: Signature made Sat 08 Jun 2019 07:51:46 PM PDT using RSA key ID 951E6431
gpg: Good signature from "Matt Kowalczyk <matt.kowalczyk@gmail.com>" [ultimate]
Author: Matt Kowalczyk <matt.kowalczyk@gmail.com>
Date:   Sat Jun 8 19:51:46 2019 -0700

    initial commit

Notice the use of --show-signature, which makes git log run gpg on each commit's signature and print the result. The git-scm documentation covers various other useful git commands related to signing. For instance:

$ git merge --verify-signatures -S <BRANCH>
$ git rebase -S
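Verifying one commit by eye is fine, but a reviewer or CI job usually wants to check a whole range and also confirm that the signing key is one it actually trusts. The following POSIX shell script is an added example (not from the original post): it reads git log's %G? (signature status) and %GK (signing key ID) placeholders and accepts a commit only when the signature is good and the key is on an allowlist. The key IDs used in the test are constructed placeholders; on a real repository %GK reports the subkey that made the signature, which may differ from the signingkey configured above.

```shell
#!/bin/sh
# Added example: reject commits whose signature is not good, or whose
# signing key is not allowlisted. Status letters are git's %G? values:
#   G good, B bad, U good but untrusted, X good but expired,
#   Y good but key expired, R good but key revoked,
#   E cannot be checked (e.g. key missing), N no signature.

# verify_status_lines ALLOWED_KEYS
#   Reads "<hash> <status> <keyid>" lines on stdin (the %H %G? %GK format),
#   prints one line per offending commit, returns 0 only if all pass.
verify_status_lines() {
    allowed=" $1 "          # space-padded so we can match whole key IDs
    rc=0
    while read -r hash status key; do
        [ -z "$hash" ] && continue
        case "$status" in
            G)
                case "$allowed" in
                    *" $key "*) ;;                           # good sig, trusted key
                    *) echo "unlisted-key($key): $hash"; rc=1 ;;
                esac ;;
            N) echo "unsigned: $hash"; rc=1 ;;
            B) echo "bad-signature: $hash"; rc=1 ;;
            U|X|Y|R) echo "untrusted($status): $hash"; rc=1 ;;
            E) echo "cannot-verify: $hash"; rc=1 ;;
            *) echo "unknown($status): $hash"; rc=1 ;;
        esac
    done
    return $rc
}

# verify_range RANGE ALLOWED_KEYS
#   e.g. verify_range origin/master..HEAD "A53C8900B710D91F"
#   (the allowlist value here is an assumption; use your own key IDs).
verify_range() {
    git log --format='%H %G? %GK' "$1" | verify_status_lines "$2"
}
```

A pre-receive hook or CI step can call verify_range on the pushed range and fail the push when it returns non-zero.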