Sign Commits with GPG or SSH in GitKraken Desktop

Last updated: March 2026

Use this page to sign Git commits and tags in GitKraken Desktop with either GPG or SSH keys so hosting providers can verify your identity. It covers setup requirements, key generation, GitKraken configuration, verification behavior, and the extra Git Executable requirement for SSH-based signing.

Requirements and limits

• Scope: Commit and tag signing with GPG or SSH keys
• GPG requirement: Install GPG before configuring signing in GitKraken Desktop
• Restart requirement: Close and reopen GitKraken Desktop after installing GPG
• SSH signing requirement: Git Executable must be enabled
• SSH signing setup: Requires a .pub signing key and an allowed_signers file
• Host verification note: GitHub and GitLab support SSH-signed commit verification; Bitbucket does not
• Verification behavior: Signed commits show a badge in the Commit Panel with signature details on hover

Quick Start

To sign commits with GPG:

1. Install GPG for your operating system (Gpg4win on Windows, brew install gpg on macOS, or your Linux package manager).
2. Close and reopen GitKraken Desktop.
3. Go to Preferences > Commit Signing.
4. Select a Signing Key from the dropdown, or click Generate new GPG Key.
5. Set the GPG Program path if it is not auto-detected.
6. Enable Sign Commits by Default and/or Sign Tags by Default.
7. Copy your public key from Preferences > GPG and upload it to your hosting service (GitHub, GitLab, or Bitbucket).

To sign commits with SSH:

1. Generate an SSH key and enable the Git Executable under Preferences > Experimental.
2. Go to Preferences > Commit Signing, set the GPG Format to SSH, and select your .pub key file.
3. Create an allowed_signers file and select it in GitKraken Desktop.
4. Enable Sign Commits by Default.

Signed commits display a badge next to the SHA in the Commit Panel. Hover over it to view signature details.

What commit signing is

In Git, you may commit using any name and email address. However, Git supports signing commits and annotated tags using a GPG or SSH key pair.

By signing a commit, others with your public key can verify that the commit was created by you. Public keys can also be uploaded to remote hosting services like GitHub so commits appear as verified.

How to sign commits with GPG

GPG requirements

Before signing commits, install and configure GPG.

• Windows: Use Gpg4win and follow the installer.
• Mac: Use Homebrew:

  brew install gpg

• Linux: Use your package manager:
  • Debian/Ubuntu: apt install gnupg
  • Fedora: dnf install gnupg2
  • CentOS/RHEL: yum install gnupg2

More downloads at gnupg.org.

To verify installation:

gpg --version

How to generate a GPG key in GitKraken Desktop

Once GPG is installed:

1. Go to Preferences > Commit Signing.
2. Click Generate new GPG Key.
3. (Optional) Enter a passphrase before generating.

How to configure GPG in GitKraken Desktop

1. Navigate to Preferences > Commit Signing.
2. Set the Signing Key from the dropdown list. If it’s empty:
   • Configure the GPG Program path.
   • Restart GitKraken after installing GPG.
3. Specify the GPG Program location or use the Browse button if not auto-detected.

   which gpg # macOS/Linux
   where gpg # Windows

   

4. Enable Sign Commits by Default and/or Sign Tags by Default as needed.

How to verify signed commits

Signed commits show an icon next to the SHA in the Commit Panel.

Hover to view signature details:

Common GPG signature codes:

• GOODSIG: Valid signature.
• EXPSIG: Signature is expired.
• EXPKEYSIG: Signed with expired key.
• REVKEYSIG: Signed with revoked key.
• BADSIG: Signature not verified.
• ERRSIG: Unable to check signature (missing key or unsupported algorithm).

How to upload a GPG key to your hosting service

To display signed commits as verified:

• GitHub GPG setup
• GitLab GPG setup
• Bitbucket GPG setup

In GitKraken: Preferences > GPG → Copy GPG Public Key.

How to edit a GPG key

To add emails or renew a key:

1. List keys:

   gpg --list-secret-keys --keyid-format LONG

   

2. Edit:

   gpg --edit-key YOUR_KEY_ID

3. Use commands:
   • adduid: Add email
   • deluid: Remove email
   • trust: Update trust level
   • expire: Change expiration
   • save: Save and exit

GNU’s full GPG key guide

After editing, re-upload the key to your host. See Uploading Your GPG Key to a Remote Hosting Service.

How to delete a GPG key

To delete:

gpg --delete-secret-keys

Append your key ID or name.

How to sign commits with SSH

SSH signing is available through Git Executable.

SSH signing requirements

• macOS/Linux: Git and OpenSSH are usually preinstalled.

  git -v
  ssh -V

• Windows: Install Git Bash.

How to enable SSH signing

1. Create SSH key:

   ssh-keygen -t ed25519 -C "[email protected]"

   

2. Enable Git Executable:
   Go to Preferences > Experimental > Git Executable.

   

3. Set GPG Format to SSH:
   Preferences > Commit Signing > GPG Format → select SSH.

4. Select signing key:
   On Signing Key, browse to the .pub key.

5. Create allowed_signers file:

   touch ~/.ssh/allowed_signers
   echo "$(git config --get user.email) namespaces="git" $(cat ~/.ssh/YOUR_KEY.pub)" >> ~/.ssh/allowed_signers

   Select this file in GitKraken.

6. Enable Signing by Default:
   Preferences > Commit Signing → enable Sign Commits and/or Sign Tags.

7. Add SSH Key to Host:

   • GitHub SSH setup
   • GitLab SSH setup
   • ⚠️ Bitbucket does not support SSH-signed commit verification.