Signed tags let consumers verify that a release was created by someone holding your private key.
One-time setup:
git config --global user.signingkey <key-id>
git config --global tag.gpgSign true
Create a signed tag:
git tag -s v1.0.0 -m "signed release"
Verify:
git tag -v v1.0.0
GitHub shows a "Verified" badge on signed tags and commits, but only when the signing public key is registered on the signer's GitHub account. For commits, use git commit -S or set commit.gpgSign.
SSH signing (Git 2.34 and later; no GPG keyring needed) is also supported:
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
With SSH signing, git tag -v only succeeds if the signer's public key is listed in allowed_signers (one line per key: <email> <key-type> <base64 key>); an unlisted key is rejected even though the signature itself is valid.