Signed commits

When you add a cryptographic signature to your commit, you provide extra assurance that a commit originated from you, rather than an impersonator. If GitLab can verify a commit author’s identity with a public GPG key, the commit is marked Verified in the GitLab UI. You can then configure push rules for your project to reject individual commits not signed with GPG, or reject all commits from unverified users.

Sign commits with your:

Verify commits

You can review commits for a merge request, or for an entire project, to confirm they are signed:

  1. To review commits for a project:
    1. On the left sidebar, at the top, select Search GitLab to find your project.
    2. Select Code > Commits.
  2. To review commits for a merge request:
    1. On the left sidebar, at the top, select Search GitLab to find your project.
    2. On the left sidebar, select Merge requests, then select your merge request.
    3. Select Commits.
  3. Identify the commit you want to review. Signed commits show either a Verified or Unverified badge, depending on the verification status of the signature. Unsigned commits do not display a badge:

    Signed and unsigned commits

  4. To display the signature details for a commit, select Verified to see the fingerprint or key ID:

    Signed commit with verified signature

    Signed commit with unverified signature

You can also use the Commits API to check a commit’s signature.

Troubleshooting

Fix verification problems with signed commits

The verification process for commits signed with GPG keys or X.509 certificates can fail for multiple reasons:

| Value | Description | Possible Fixes |
|-------|-------------|----------------|
| UNVERIFIED | The commit signature is not valid. | Sign the commit with a valid signature. |
| SAME_USER_DIFFERENT_EMAIL | The GPG key used to sign the commit does not contain the committer email, but does contain a different valid email for the committer. | Amend the commit to use an email address that matches the GPG key, or update the GPG key to include the email address. |
| OTHER_USER | The signature and GPG key are valid, but the key belongs to a different user than the committer. | Amend the commit to use the correct email address, or amend the commit to use a GPG key associated with your user. |
| UNVERIFIED_KEY | The key associated with the GPG signature has no verified email address associated with the committer. | Add and verify the email to your GitLab profile, update the GPG key to include the email address, or amend the commit to use a different committer email address. |
| UNKNOWN_KEY | The GPG key associated with the GPG signature for this commit is unknown to GitLab. | Add the GPG key to your GitLab profile. |
| MULTIPLE_SIGNATURES | Multiple GPG or X.509 signatures have been found for the commit. | Amend the commit to use only one GPG or X.509 signature. |
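
The following is an added example, not GitLab's own code: it checks commit signatures through the Commits API signature endpoint and maps each failing status to the fix listed in the table above. It assumes the endpoint returns `verification_status` in lowercase and answers 404 for a commit without a signature; the `UNSIGNED` and `MISSING` labels, the function names, and the sample responses are constructed for illustration.

```python
import json
from urllib import error, parse, request

# Fixes per failure status, condensed from the troubleshooting table on this page.
FIXES = {
    "UNVERIFIED": "sign the commit with a valid signature",
    "SAME_USER_DIFFERENT_EMAIL": "amend the commit email to match the GPG key, or add the email to the key",
    "OTHER_USER": "amend the commit to use the correct email, or a GPG key associated with your user",
    "UNVERIFIED_KEY": "add and verify the email in your GitLab profile, or update the GPG key",
    "UNKNOWN_KEY": "add the GPG key to your GitLab profile",
    "MULTIPLE_SIGNATURES": "amend the commit to use only one GPG or X.509 signature",
}

def signature_url(base_url, project, sha):
    """Commits API signature endpoint; a namespace/path project ID is URL-encoded."""
    project_id = parse.quote(str(project), safe="")
    return f"{base_url.rstrip('/')}/api/v4/projects/{project_id}/repository/commits/{sha}/signature"

def fetch_signature(base_url, project, sha, token):
    """Return the signature JSON, or None on 404 (assumed: unsigned or unknown commit)."""
    req = request.Request(signature_url(base_url, project, sha), headers={"PRIVATE-TOKEN": token})
    try:
        with request.urlopen(req, timeout=10) as response:
            return json.load(response)
    except error.HTTPError as err:
        if err.code != 404:
            raise
        return None

def classify(signature):
    """Return (accepted, status, fix); fails closed. UNSIGNED/MISSING are this example's labels."""
    if signature is None:
        return (False, "UNSIGNED", "sign the commit")
    status = str(signature.get("verification_status", "")).upper()
    if status == "VERIFIED":
        return (True, status, "")
    return (False, status or "MISSING", FIXES.get(status, "unrecognized status, review manually"))

def audit(signatures):
    """Map commit SHA -> (status, fix) for each commit that fails verification."""
    return {sha: r[1:] for sha, sig in signatures.items() if not (r := classify(sig))[0]}

SAMPLE = {  # constructed responses keyed by placeholder SHA, not real commits
    "1111111": {"signature_type": "PGP", "verification_status": "verified"},
    "2222222": {"signature_type": "PGP", "verification_status": "unknown_key"},
    "3333333": None,
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

To audit a real project, call `fetch_signature` for each commit SHA with a token that can read the repository and pass the collected responses to `audit`.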