Git uses cryptographic signatures in various places, including objects (tags, commits, mergetags) and transactions (pushes). The command creating an object or transaction determines a payload, calls an external program to obtain a detached signature, and embeds the signature into the object or transaction.

Signature Types

Signatures begin with an “ASCII Armor” header line and end with a tail line, which differ depending on signature type as selected by gpg.format:

PGP

Format: gpg
  • Begin: -----BEGIN PGP SIGNATURE-----
  • End: -----END PGP SIGNATURE-----
  • RFC1991: The armor lines use PGP MESSAGE instead of PGP SIGNATURE

SSH

Format: ssh
  • Begin: -----BEGIN SSH SIGNATURE-----
  • End: -----END SSH SIGNATURE-----

X.509

Format: x509
  • Begin: -----BEGIN SIGNED MESSAGE-----
  • End: -----END SIGNED MESSAGE-----

Signature Embedding

Signatures can appear in two forms:
  1. Normal payload: Signature block appended after the payload (e.g., signed tags)
  2. Object header: Signature in the value of an object header (e.g., mergetag header in merge commits)
When signatures appear in object headers, the multi-line formatting rule applies: second and subsequent lines are prefixed with a space (SP) to signal line continuation.

Tag Signatures

  1. Create: Use git tag -s to create a signed tag
  2. Payload: The payload is the annotated tag object
  3. Embedding: The signature is appended to the unsigned tag object

Example

object 04b871796dc0420f8e7561a895b52484b701d51a
type commit
tag signedtag
tagger C O Mitter <committer@example.com> 1465981006 +0000

signed tag

signed tag message body
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAABAgAGBQJXYRhOAAoJEGEJLoW3InGJklkIAIcnhL7RwEb/+QeX9enkXhxn
rxfdqrvWd1K80sl2TOt8Bg/NYwrUBw/RWJ+sg/hhHp4WtvE1HDGHlkEz3y11Lkuh
8tSxS3qKTxXUGozyPGuE90sJfExhZlW4knIQ1wt/yWqM+33E9pN4hzPqLwyrdods
q8FWEqPPUbSJXoMbRPw04S5jrLtZSsUWbRYjmJCHzlhSfFWW4eFd37uquIaLUBS0
rkC3Jrx7420jkIpgFcTI2s60uhSQLzgcCwdA2ukSYIRnjg/zDkj8+3h/GaROJ72x
lZyI6HWixKJkWw8lE9aAOD9TmTW9sFJwcVAzmAuFX2kUreDUKMZduGcoRYGpD7E=
=jpXa
-----END PGP SIGNATURE-----

Verification

Verify with git verify-tag [-v] or git tag -v:
git verify-tag signedtag

Commit Signatures

  1. Create: Use git commit -S to create a signed commit
  2. Payload: The payload is the commit object
  3. Embedding: The signature is stored in the gpgsig header (content preceded by a space)

Example

tree eebfed94e75e7760540d1485c740902590a00332
parent 04b871796dc0420f8e7561a895b52484b701d51a
author A U Thor <author@example.com> 1465981137 +0000
committer C O Mitter <committer@example.com> 1465981137 +0000
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJXYRjRAAoJEGEJLoW3InGJ3IwIAIY4SA6GxY3BjL60YyvsJPh/
 HRCJwH+w7wt3Yc/9/bW2F+gF72kdHOOs2jfv+OZhq0q4OAN6fvVSczISY/82LpS7
 DVdMQj2/YcHDT4xrDNBnXnviDO9G7am/9OE77kEbXrp7QPxvhjkicHNwy2rEflAA
 zn075rtEERDHr8nRYiDh8eVrefSO7D+bdQ7gv+7GsYMsd2auJWi1dHOSfTr9HIF4
 HJhWXT9d2f8W+diRYXGh4X0wYiGg6na/soXc+vdtDYBzIxanRqjg8jCAeo1eOTk1
 EdTwhcTZlI0x5pvJ3H0+4hA2jtldVtmPM4OTB0cTrEWBad7XV6YgiyuII73Ve3I=
 =jKHM
 -----END PGP SIGNATURE-----

signed commit

signed commit message body

Notice that every line of the signature after the first is prefixed with a space character, following the multi-line header rule; the first line sits on the gpgsig line itself.

Verification

Verify with git verify-commit [-v] or git show --show-signature:
git verify-commit HEAD
git show --show-signature

Mergetag Signatures

  1. Create: Created automatically by git merge when merging a signed tag
  2. Payload: The entire signed tag object
  3. Embedding: Embedded into the merge commit as a mergetag header entry

Example

tree c7b1cff039a93f3600a1d18b82d26688668c7dea
parent c33429be94b5f2d3ee9b0adad223f877f174b05d
parent 04b871796dc0420f8e7561a895b52484b701d51a
author A U Thor <author@example.com> 1465982009 +0000
committer C O Mitter <committer@example.com> 1465982009 +0000
mergetag object 04b871796dc0420f8e7561a895b52484b701d51a
 type commit
 tag signedtag
 tagger C O Mitter <committer@example.com> 1465981006 +0000
 
 signed tag
 
 signed tag message body
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 ...
 -----END PGP SIGNATURE-----

Merge tag 'signedtag' into downstream

Verification

Verification is embedded in the merge commit message by default; alternatively, use git show --show-signature:
git show --show-signature <merge-commit>
The mergetag header preserves the complete signed tag object, including all signature verification information, making it possible to verify the tag signature even after the merge.
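
The two embedding forms described above, as an added example that is not part of the original page or of Git's own code: it splits a raw object into payload and signature for an appended block (tags) and for a header value (gpgsig, mergetag). The function names, the placeholder signature body and the abbreviated sample commit are assumptions made for illustration.

```python
import re

# Armor BEGIN lines for the gpg.format values listed on this page.
BEGIN = re.compile(
    r"^-----BEGIN (PGP SIGNATURE|PGP MESSAGE|SSH SIGNATURE|SIGNED MESSAGE)-----$", re.M)

def split_appended(obj):
    """Form 1 (signed tag): return (payload, signature block or None)."""
    starts = [m.start() for m in BEGIN.finditer(obj)]
    if not starts:
        return obj, None
    # The block is appended at the end, so the last BEGIN line opens it.
    return obj[:starts[-1]], obj[starts[-1]:]

def split_header(obj, name):
    """Form 2: return (object without `name` headers, list of unfolded values).

    Only the header block before the first empty line is scanned, so text in
    the commit message that looks like a header is never taken as a signature.
    """
    head, sep, body = obj.partition("\n\n")
    kept, values, in_target = [], [], False
    for line in head.split("\n"):
        if line.startswith(" "):             # continuation of previous header
            if in_target:
                values[-1].append(line[1:])  # drop exactly one leading SP
            else:
                kept.append(line)
            continue
        in_target = line.startswith(name + " ")
        if in_target:
            values.append([line[len(name) + 1:]])
        else:
            kept.append(line)
    return "\n".join(kept) + sep + body, ["\n".join(v) + "\n" for v in values]

def fold(value):
    """Inverse of the unfolding above; used only to build the sample."""
    return value.rstrip("\n").replace("\n", "\n ")

# Constructed sample data: placeholder signature body, abbreviated merge commit.
SIG = "-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"
TAG = ("object 04b871796dc0420f8e7561a895b52484b701d51a\ntype commit\n"
       "tag signedtag\ntagger C O Mitter <committer@example.com> 1465981006 +0000\n"
       "\nsigned tag\n" + SIG)
SAMPLE = ("tree c7b1cff039a93f3600a1d18b82d26688668c7dea\n"
          "parent c33429be94b5f2d3ee9b0adad223f877f174b05d\n"
          "mergetag " + fold(TAG) + "\ngpgsig " + fold(SIG) + "\n"
          "\nMerge tag 'signedtag'\n\ngpgsig not-a-header (message text)\n")
```

Calling split_header(SAMPLE, "gpgsig") returns the commit with the signature header removed, which is the data the detached signature is checked against; passing the mergetag value to split_appended recovers the original tag payload and its signature.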