Git uses cryptographic signatures in various places, including objects (tags, commits, mergetags) and transactions (pushes). The command creating an object or transaction determines a payload, calls an external program to obtain a detached signature, and embeds the signature into the object or transaction.

Signature Types

Signatures begin with an “ASCII Armor” header line and end with a tail line, which differ depending on signature type as selected by gpg.format:

PGP

Format: gpg
  • Begin: -----BEGIN PGP SIGNATURE-----
  • End: -----END PGP SIGNATURE-----
  • RFC1991 signatures: the begin and end lines use PGP MESSAGE instead of PGP SIGNATURE

SSH

Format: ssh
  • Begin: -----BEGIN SSH SIGNATURE-----
  • End: -----END SSH SIGNATURE-----

X.509

Format: x509
  • Begin: -----BEGIN SIGNED MESSAGE-----
  • End: -----END SIGNED MESSAGE-----

Signature Embedding

Signatures can appear in two forms:
  1. Normal payload: Signature block appended after the payload (e.g., signed tags)
  2. Object header: Signature in the value of an object header (e.g., mergetag header in merge commits)
When signatures appear in object headers, the multi-line formatting rule applies: second and subsequent lines are prefixed with a space (SP) to signal line continuation.

Tag Signatures

  1. Create: Use git tag -s to create a signed tag
  2. Payload: The payload is the annotated tag object
  3. Embedding: The signature is appended to the unsigned tag object

Example

object 04b871796dc0420f8e7561a895b52484b701d51a
type commit
tag signedtag
tagger C O Mitter <committer@example.com> 1465981006 +0000

signed tag

signed tag message body
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAABAgAGBQJXYRhOAAoJEGEJLoW3InGJklkIAIcnhL7RwEb/+QeX9enkXhxn
rxfdqrvWd1K80sl2TOt8Bg/NYwrUBw/RWJ+sg/hhHp4WtvE1HDGHlkEz3y11Lkuh
8tSxS3qKTxXUGozyPGuE90sJfExhZlW4knIQ1wt/yWqM+33E9pN4hzPqLwyrdods
q8FWEqPPUbSJXoMbRPw04S5jrLtZSsUWbRYjmJCHzlhSfFWW4eFd37uquIaLUBS0
rkC3Jrx7420jkIpgFcTI2s60uhSQLzgcCwdA2ukSYIRnjg/zDkj8+3h/GaROJ72x
lZyI6HWixKJkWw8lE9aAOD9TmTW9sFJwcVAzmAuFX2kUreDUKMZduGcoRYGpD7E=
=jpXa
-----END PGP SIGNATURE-----

Verification

Verify with git verify-tag [-v] or git tag -v:
git verify-tag signedtag

Commit Signatures

  1. Create: Use git commit -S to create a signed commit
  2. Payload: The payload is the commit object
  3. Embedding: Signature stored in gpgsig header (content preceded by a space)

Example

tree eebfed94e75e7760540d1485c740902590a00332
parent 04b871796dc0420f8e7561a895b52484b701d51a
author A U Thor <author@example.com> 1465981137 +0000
committer C O Mitter <committer@example.com> 1465981137 +0000
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJXYRjRAAoJEGEJLoW3InGJ3IwIAIY4SA6GxY3BjL60YyvsJPh/
 HRCJwH+w7wt3Yc/9/bW2F+gF72kdHOOs2jfv+OZhq0q4OAN6fvVSczISY/82LpS7
 DVdMQj2/YcHDT4xrDNBnXnviDO9G7am/9OE77kEbXrp7QPxvhjkicHNwy2rEflAA
 zn075rtEERDHr8nRYiDh8eVrefSO7D+bdQ7gv+7GsYMsd2auJWi1dHOSfTr9HIF4
 HJhWXT9d2f8W+diRYXGh4X0wYiGg6na/soXc+vdtDYBzIxanRqjg8jCAeo1eOTk1
 EdTwhcTZlI0x5pvJ3H0+4hA2jtldVtmPM4OTB0cTrEWBad7XV6YgiyuII73Ve3I=
 =jKHM
 -----END PGP SIGNATURE-----

signed commit

signed commit message body

Notice that each line of the signature in the gpgsig header is prefixed with a space character.

Verification

Verify with git verify-commit [-v] or git show --show-signature:
git verify-commit HEAD
git show --show-signature

Mergetag Signatures

  1. Create: Created automatically by git merge when merging a signed tag
  2. Payload: The entire signed tag object
  3. Embedding: Embedded into the merge commit as a mergetag header entry

Example

tree c7b1cff039a93f3600a1d18b82d26688668c7dea
parent c33429be94b5f2d3ee9b0adad223f877f174b05d
parent 04b871796dc0420f8e7561a895b52484b701d51a
author A U Thor <author@example.com> 1465982009 +0000
committer C O Mitter <committer@example.com> 1465982009 +0000
mergetag object 04b871796dc0420f8e7561a895b52484b701d51a
 type commit
 tag signedtag
 tagger C O Mitter <committer@example.com> 1465981006 +0000
 
 signed tag
 
 signed tag message body
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 ...
 -----END PGP SIGNATURE-----

Merge tag 'signedtag' into downstream

Verification

Verification is embedded in the merge commit message by default; alternatively, use git show --show-signature:
git show --show-signature <merge-commit>
The mergetag header preserves the complete signed tag object, including all signature verification information, making it possible to verify the tag signature even after the merge.
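
The continuation rule from Signature Embedding, applied to the gpgsig and mergetag headers shown above, as an added example that is not part of the Git documentation or Git's source. The function names split_header and split_appended are hypothetical, and the sample object is constructed and abbreviated, with a fake signature body.

```python
# Added example (not Git's own code): pull signatures out of raw object bytes.
BEGIN_LINES = (b"-----BEGIN PGP SIGNATURE-----", b"-----BEGIN PGP MESSAGE-----",
               b"-----BEGIN SSH SIGNATURE-----", b"-----BEGIN SIGNED MESSAGE-----")

def split_header(raw: bytes, name: bytes):
    """Return (value, rest): the unfolded value of the first `name` header and
    the object with that header removed; value is None if it is absent."""
    # Headers end at the first empty line. An empty line inside a signature is
    # stored as a lone SP, so it does not end the header block early.
    head, sep, body = raw.partition(b"\n\n")
    kept, value, in_target = [], None, False
    for line in head.split(b"\n"):
        if line.startswith(b" "):              # continuation of previous header
            if in_target:
                value.append(line[1:])         # strip only the one leading SP
            else:
                kept.append(line)
            continue
        in_target = value is None and line.startswith(name + b" ")
        if in_target:
            value = [line[len(name) + 1:]]
        else:
            kept.append(line)
    unfolded = None if value is None else b"\n".join(value)
    return unfolded, b"\n".join(kept) + sep + body

def split_appended(raw: bytes):
    """Split (payload, signature) at the last line starting with a begin line."""
    pos, cut = 0, len(raw)                     # "last line" is this example's choice
    for line in raw.split(b"\n"):
        if line.startswith(BEGIN_LINES):
            cut = pos
        pos += len(line) + 1
    return raw[:cut], raw[cut:]

# Constructed sample: abbreviated merge commit with a mergetag header.
SAMPLE_MERGE = (
    b"tree c7b1cff039a93f3600a1d18b82d26688668c7dea\n"
    b"parent c33429be94b5f2d3ee9b0adad223f877f174b05d\n"
    b"parent 04b871796dc0420f8e7561a895b52484b701d51a\n"
    b"mergetag object 04b871796dc0420f8e7561a895b52484b701d51a\n"
    b" type commit\n tag signedtag\n \n signed tag\n \n signed tag message body\n"
    b" -----BEGIN PGP SIGNATURE-----\n Version: GnuPG v1\n \n RkFLRVNJRw==\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\nMerge tag 'signedtag' into downstream\n")

if __name__ == "__main__":
    tag, rest = split_header(SAMPLE_MERGE, b"mergetag")
    print(split_appended(tag + b"\n")[1].decode(), end="")  # embedded tag's signature
```

Calling split_header with b"gpgsig" on a signed commit returns the armored signature and the commit without that header; the unfolded mergetag value is the embedded tag object, which split_appended then separates into tag payload and signature.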