GPG and Git work together like a lock and a seal. Git tracks your code. GPG proves it was really you who wrote it. If you work on anything that matters—open source or private—you should sign every commit you make. It protects your integrity, keeps attackers from faking your code, and builds trust with your team.
Setting it up is simple, but the details matter. Install GPG on your system. Generate a new key. Use a strong passphrase. Add your public key to GitHub, GitLab, or any host you use. In Git, run:
git config --global user.signingkey YOUR_KEY_ID
git config --global commit.gpgsign true
Every commit after that is signed automatically. git log --show-signature prints each commit's signature and verifies it against the public keys in your GPG keyring, so you can see at a glance whether a signature is present and good.
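The setup steps above, carried out end to end as an added example (not code from the original post): it generates a key, points Git at it, signs a commit, and reads back Git's verification result. Everything happens in a throwaway GnuPG home and a throwaway repository, so it never touches your real keys or config. It assumes gpg (2.1 or newer) and git are on PATH; the key is created with an empty passphrase only because it is a disposable test key, which is exactly what you should not do for a real one.

```shell
#!/bin/sh
# Added example, not from the original post: the GPG + Git setup run inside a
# sandbox. Assumes `gpg` (2.1+) and `git` are installed. The test key has an
# EMPTY passphrase purely because it is thrown away at the end; real keys need
# a strong passphrase, as the post says.

gpg_signing_demo() {
    sandbox=$(mktemp -d) || return 1
    # Isolated GnuPG home so nothing here mixes with your own keyring.
    export GNUPGHOME="$sandbox/gnupg"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

    # 1. Generate a signing-only Ed25519 key, unattended (throwaway key).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' ed25519 sign 0 \
        2>/dev/null || return 1

    # 2. Read the key id back: field 5 of the `sec` record in colon output.
    key_id=$(gpg --batch --list-secret-keys --with-colons \
             | awk -F: '/^sec/ { print $5; exit }')
    [ -n "$key_id" ] || return 1

    # 3. Configure Git to use that key and to sign every commit. The post uses
    #    --global for your real setup; here it is repo-local to stay sandboxed.
    repo="$sandbox/repo"
    git init -q "$repo" || return 1
    git -C "$repo" config user.name  'Demo Signer'
    git -C "$repo" config user.email 'demo@example.invalid'
    git -C "$repo" config user.signingkey "$key_id"
    git -C "$repo" config commit.gpgsign true
    git -C "$repo" config gpg.program gpg

    # 4. Commit; with commit.gpgsign=true the signature is attached automatically.
    git -C "$repo" commit -q --allow-empty -m 'signed commit' || return 1

    # 5. Verify. %G? is Git's per-commit signature status:
    #    G = good, U = good but untrusted key, B = bad, N = no signature.
    status=$(git -C "$repo" log -1 --format='%G?')

    # Tear down: stop the agent that served the temp keyring, remove the sandbox.
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$sandbox"
    unset GNUPGHOME
    printf '%s\n' "$status"
}

# Usage:  sh gpg_signing_demo.sh run    (prints "G" when the commit verifies)
case "${1:-}" in
    run) gpg_signing_demo ;;
esac
```

The status code is the same one you would check in a hook or pipeline; the long-form view the post mentions, git log --show-signature, shows the human-readable "Good signature from ..." line that this code condenses to a single letter.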
GPG keys are not the same as SSH keys. SSH gives you access. GPG gives you identity. They serve different purposes, but both are critical for secure development. Rotate your keys over time. Revoke old ones. Publish updated keys where others can fetch them.
On teams, enforcing commit signing makes history trustworthy. You can enable “Require signed commits” in most repository or branch-protection settings. That turns signatures from a suggestion into a rule: the host rejects pushes whose commits are unsigned or carry a signature it cannot verify. When signatures are standard, you know every change came from a key the host has verified.
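The hosted “Require signed commits” rule does this check for you on the server; a self-hosted Git or a CI job can apply the same rule itself. The following is an added example (not from the original post) of that check: it reads Git's per-commit signature status codes and fails unless every commit in a range carries a good signature. It assumes the commit range is supplied by the caller and that the signers' public keys have been imported into the keyring of the machine running the check, since Git reports E (cannot check) for a key it does not have.

```shell
#!/bin/sh
# Added example, not from the original post: a CI-side "require signed
# commits" gate. Git's %G? format code gives each commit's signature status:
#   G = good, U = good but key not trusted, X = good but signature expired,
#   Y = good but key expired, R = good but key revoked, B = bad,
#   E = cannot check (key missing), N = no signature.

# Reads lines of the form "<sha> <status> <signer>" on stdin, prints one line
# per commit that fails the policy, and returns 0 only when nothing failed.
# Set ALLOW_UNTRUSTED=1 to accept U (good signature, key not in the trust db).
check_signed_commits() {
    failures=0
    while read -r sha status signer; do
        [ -n "$sha" ] || continue
        case "$status" in
            G) ;;                                   # good signature, trusted key
            U) if [ "${ALLOW_UNTRUSTED:-0}" != 1 ]; then
                   echo "UNTRUSTED $sha ($signer)"
                   failures=$((failures + 1))
               fi ;;
            N) echo "UNSIGNED  $sha"
               failures=$((failures + 1)) ;;
            *) echo "REJECTED  $sha status=$status ($signer)"
               failures=$((failures + 1)) ;;
        esac
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample of what `git log --format='%H %G? %GS'` prints; the shas
# and names are placeholders, not real commits.
SAMPLE_LOG='1111111 G Alice <alice@example.invalid>
2222222 N
3333333 B Mallory <mallory@example.invalid>
4444444 U Bob <bob@example.invalid>
5555555 E Carol <carol@example.invalid>'

# Usage:
#   sh check_signed.sh demo                 # run against the constructed sample
#   sh check_signed.sh origin/main..HEAD    # run against a real commit range
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | check_signed_commits ;;
    "")   ;;
    *)    git log --format='%H %G? %GS' "$1" | check_signed_commits ;;
esac
```

Treating U as a failure by default is deliberate: a good signature from a key nobody on the team has imported and trusted proves only that someone holds some key, which is the situation the rule exists to prevent. Import and trust the team's published keys on the CI runner first, then every legitimate commit reports G.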
If you want to push a signed commit to production instantly, you can see it happen with hoop.dev. Connect your repo, commit with a GPG signature, and watch it ship live in minutes. It’s the fastest way to prove your code is both real and ready.
Security is only as strong as your habits. Make signing commits one of them. Install GPG, link it to Git, and never ship unsigned code. The trust you protect will be your own.