Git Signed Commits with SSH Keys: Vigilant Mode and Verified Badges

Git commit signing proves that a commit was created by the person who holds a specific cryptographic key — preventing commit authorship spoofing (anyone can set user.email to impersonate a contributor). GitHub and GitLab display a “Verified” badge on signed commits, and with vigilant mode enabled, GitHub marks all unsigned commits as “Unverified” — providing a clear signal when a contributor’s commits are missing signatures.

Problem: Git commit signatures using GPG require key management, a running GPG agent, and complex setup on each machine — many WordPress developers skip signing entirely, leaving the commit history unverified.

Solution: Use SSH keys for commit signing — configure Git with git config gpg.format ssh and git config user.signingKey ~/.ssh/id_ed25519.pub. Sign all commits with git config commit.gpgSign true. On GitHub, enable Vigilant Mode to mark unsigned commits as unverified. Verify locally with git log --show-signature and define an allowed signers file with git config gpg.ssh.allowedSignersFile.


The commands below configure commit signing with an SSH key (simpler than GPG), enable automatic signing for all commits, set up vigilant mode on GitHub, and verify signatures on the command line.


# ── 1. Configure Git to sign commits with your SSH key ───────────────────
# (SSH signing requires Git 2.34+)

# Use your existing SSH public key
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub  # or id_rsa.pub

# Sign all commits automatically (no -S flag needed)
git config --global commit.gpgsign true
git config --global tag.gpgsign     true

# ── 2. Create a signed commit ────────────────────────────────────────────
git commit -m "feat: add block bindings source"
# Git signs automatically because commit.gpgsign = true

# Manual signing with -S flag (if auto-sign is off)
git commit -S -m "feat: signed commit"

# ── 3. Verify a commit signature locally ─────────────────────────────────
# Create an allowed_signers file so Git can verify SSH signatures
echo "your@email.com $(cat ~/.ssh/id_ed25519.pub)" > ~/.ssh/allowed_signers
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers

git log --show-signature -1
# Output: Good "git" signature for your@email.com with ED25519 key SHA256:...

git verify-commit HEAD    # exit code 0 = valid signature

# ── 4. Verify all commits in a branch are signed ─────────────────────────
# Grepping for "Good" only lists the signed commits; unsigned ones print
# nothing and slip through. %G? emits one status letter per commit instead:
# G = good, N = no signature, B = bad, E = cannot be checked (e.g. signer
# not listed in allowed_signers). Print every commit whose status is not G.
git log --format='%h %G? %GS %s' main | awk '$2 != "G"'

# ── 5. Add the SSH public key as a signing key on GitHub ─────────────────
# GitHub → Settings → SSH and GPG keys → New SSH key
# Key type: "Signing Key" (separate from authentication key)
# Paste the PUBLIC key (id_ed25519.pub)

# ── 6. Enable vigilant mode on GitHub ────────────────────────────────────
# GitHub → Settings → SSH and GPG keys → Vigilant mode → Enable
# All unsigned commits will now show "Unverified" badge

# ── 7. CI: fail if any commit in the PR is unsigned ──────────────────────
# .github/workflows/verify-signatures.yml (step excerpt; the runner must have
# gpg.ssh.allowedSignersFile pointing at the team's allowed_signers file)
# A single grep -q 'Good "git" signature' over the whole range passes as soon
# as ONE commit is signed, so verify each commit separately instead.
# - name: Verify commit signatures
#   run: |
#     for c in $(git rev-list origin/main..HEAD); do
#       git verify-commit "$c" 2>/dev/null \
#         || { echo "Unsigned or unverifiable commit: $c"; exit 1; }
#     done


NOTE: SSH signing keys on GitHub are separate from SSH authentication keys — you must add the key twice: once as an "Authentication Key" (for git push) and once as a "Signing Key" (for commit verification); using the same physical key for both is fine but requires two separate entries in GitHub's SSH key settings.