Detailed Gitsign Usage
Signing a Commit
After installing Gitsign and configuring Git to use it as a signer application for your project (or globally), you can sign commits as usual with
git commit -s.
$ git commit -s --allow-empty --message="Signed commit" [main cb6eee1] Signed commit
This will redirect you through the Sigstore keyless flow to authenticate and sign the commit.
Commits can then be verified using
$ git --no-pager log --show-signature -1
commit 227e796042fdd170e58b7e3b7627a1badd320224 (HEAD -> main) searching tlog for commit: 227e796042fdd170e58b7e3b7627a1badd320224 tlog index: 2212633 smimesign: Signature made using certificate ID 0x815ada5516906a862af8f528d69d3c86e4774b4f | CN=sigstore,O=sigstore.dev smimesign: Good signature from "" ([email@example.com]) Author: Billy Lynch <firstname.lastname@example.org> Date: Mon May 2 16:51:44 2022 -0400 Signed commit
If there is a problem during signing, you may receive an error similar to the following:
error: gpg failed to sign the data fatal: failed to write commit object
Because of limitations with Git signing tools, Gitsign cannot write back to stderr. Instead, you can use the
GITSIGN_LOG environment variable to tee logs into a readable location for debugging.