What is git commit signing with GPG or SSH?

Why Interviewers Ask This

Interviewers ask this to evaluate whether you have the depth of knowledge needed to mentor others and lead technical decisions. The expected answer goes beyond definitions into practical implications and real-world consequences.

Answer

Commit signing cryptographically binds a commit to a private key: whoever produced the signature had possession of that key, and the signature covers the whole commit object (tree hash, parent hashes, author and committer lines, message), so any later change to the content or to the commit's place in history invalidates it. Who the key belongs to is a separate question, answered by wherever the public key is registered (a GitHub account, a GPG web of trust, or a local allowed-signers file). Without signing, anyone who knows your email can create commits that appear to be from you (trivially done with git config user.email), and nothing in Git itself will flag them.

GPG signing:
1. Generate a key: gpg --full-generate-key
2. Find its long key ID: gpg --list-secret-keys --keyid-format=long
3. Configure Git: git config --global user.signingkey KEY_ID and git config --global commit.gpgsign true
4. Export the public key (gpg --armor --export KEY_ID) and add it on GitHub: Settings → SSH and GPG keys → New GPG key
5. Commits then show a "Verified" badge on GitHub, provided the email in the commit is a verified address on the account that holds the key

SSH signing (simpler, modern approach; needs Git 2.34 or newer and an ssh-keygen that supports -Y sign/verify, OpenSSH 8.2 or newer):
1. Configure: git config --global gpg.format ssh and git config --global user.signingkey ~/.ssh/id_ed25519.pub (the .pub path works when ssh-agent holds the key; without an agent, point user.signingkey at the private key file instead)
2. Add the SSH public key to GitHub as a "Signing key" (a separate role from an authentication key; a dedicated signing key is cleaner than reusing the login key)
3. Commit: git commit -S -m "message" (or automatically with commit.gpgsign true)

Verify locally with git verify-commit abc1234 or git log --show-signature. For SSH signatures Git also needs gpg.ssh.allowedSignersFile pointing at a file of "principal public-key" lines (for example your email followed by your public key); without it verification errors out. GitHub performs that key-to-identity mapping from the keys on the account, so you do not see this step there. Sign tags the same way: git tag -s v1.0 -m "release". Signing matters in audited environments, for open-source release management, and as one link in supply-chain integrity: a verified signature shows which key produced a commit or tag, and branch protection that requires signed commits keeps unsigned history out of protected branches.
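The script below is an added example, not code from the original page, that runs the SSH signing procedure end to end in a throwaway repository and then tries the two forgeries a reviewer should care about: an unsigned commit that merely copies the victim's email, and a commit signed with a key that is not in the allowed-signers file. It assumes Git 2.34 or newer and an OpenSSH ssh-keygen with -Y sign/verify; the names Alice and Mallory, the emails and the key file names are made up for the demo. It uses a temporary directory and repo-local config only, so it does not touch ~/.gitconfig or ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the original page): SSH commit signing end to end in a
# throwaway repo. Assumes git >= 2.34 (first release with gpg.format=ssh) and an
# OpenSSH ssh-keygen that supports -Y sign/verify (8.2+). Names, emails and key
# paths are made up; only a temp dir and repo-local config are used.

# Returns 0 when Alice's signed commit verifies, an unsigned commit copying her
# email does not, and a commit signed with a key outside allowed_signers does
# not. Returns 1 on any other outcome, 2 when the tools are missing (skipped).
ssh_signing_demo() {
    command -v git >/dev/null 2>&1 || { echo "skip: git not found"; return 2; }
    command -v ssh-keygen >/dev/null 2>&1 || { echo "skip: ssh-keygen not found"; return 2; }
    ver=$(git --version | sed 's/^git version //')
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 34 ]; }; then
        echo "skip: git $ver lacks SSH signing (needs 2.34+)"; return 2
    fi

    work=$(mktemp -d) || return 1
    repo="$work/repo"
    mkdir -p "$repo"

    # Run git against the temp repo and ignore the user's own global/system
    # config so a stray commit.gpgsign or gpg.program cannot change the result.
    g() { GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1 git -C "$repo" "$@"; }

    # 1. Dedicated signing keys, one for Alice and one for Mallory. A signing
    #    key should be separate from the key used to authenticate to the server.
    ssh-keygen -q -t ed25519 -N "" -C "alice signing" -f "$work/alice_sign" || return 1
    ssh-keygen -q -t ed25519 -N "" -C "mallory signing" -f "$work/mallory_sign" || return 1

    # 2. Repo-local equivalent of the --global commands from the text. The key
    #    is given as the PRIVATE key path because the .pub form only works when
    #    ssh-agent holds the key, and this demo does not rely on an agent.
    g init -q || return 1
    g config user.name "Alice"
    g config user.email "alice@example.com"
    g config gpg.format ssh
    g config user.signingkey "$work/alice_sign"
    g config commit.gpgsign true

    # 3. Local verification needs an allowed-signers file mapping a principal
    #    (Alice's email) to her public key. GitHub does this mapping from the
    #    keys uploaded to the account; plain git does not.
    printf 'alice@example.com %s\n' "$(awk '{print $1, $2}' "$work/alice_sign.pub")" \
        > "$work/allowed_signers"
    g config gpg.ssh.allowedSignersFile "$work/allowed_signers"

    # 4. Signed commit (commit.gpgsign=true, so -S is implicit), then verify.
    echo "v1" > "$repo/README"
    g add README && g commit -q -m "signed by Alice" || return 1
    g verify-commit HEAD 2>/dev/null || { echo "FAIL: Alice's signature did not verify"; return 1; }

    # 5. Forgery A: set user.email to Alice's address and sign nothing.
    echo "v2" > "$repo/README"
    g add README || return 1
    g -c commit.gpgsign=false -c user.name=Mallory -c user.email=alice@example.com \
        commit -q -m "unsigned, claims to be Alice" || return 1
    if g verify-commit HEAD 2>/dev/null; then
        echo "FAIL: unsigned commit verified"; return 1
    fi

    # 6. Forgery B: Mallory signs with her own key while using Alice's email.
    #    Her key is not in allowed_signers, so no principal matches and
    #    verification fails; the signature is valid but the key is untrusted.
    echo "v3" > "$repo/README"
    g add README || return 1
    g -c user.signingkey="$work/mallory_sign" -c user.name=Mallory -c user.email=alice@example.com \
        commit -q -m "signed with Mallory's key, claims to be Alice" || return 1
    if g verify-commit HEAD 2>/dev/null; then
        echo "FAIL: commit signed by an untrusted key verified"; return 1
    fi

    # What a reviewer looks at: signature status printed next to each commit.
    g log --show-signature --oneline 2>&1 | head -20
    rm -rf "$work"
    return 0
}

ssh_signing_demo
```

Run it as a plain shell script; it prints the git log with signature status and exits 0 when all three checks behave as expected. The point of forgery B is the one interviewers probe for: a valid signature proves possession of some key, and it is the allowed-signers file (or the GitHub account) that decides whether that key is trusted for the identity on the commit.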

Common Mistake

Many candidates answer correctly but can't explain the 'why'. Always be prepared to justify your answer with a concrete example or use case from your Git & GitHub experience.