What is git commit signing with GPG or SSH?

Answer

Commit signing cryptographically proves that a commit was authored by a specific person with possession of a private key. Without signing, anyone who knows your email can create commits that appear to be from you (trivially done with git config user.email). GPG signing: (1) Generate GPG key: gpg --full-generate-key; (2) Get key ID: gpg --list-secret-keys --keyid-format=long; (3) Configure Git: git config --global user.signingkey KEY_ID; git config --global commit.gpgsign true; (4) Add public key to GitHub (Settings → SSH and GPG keys → New GPG key); (5) Commits show "Verified" badge on GitHub. SSH signing (simpler, modern approach): (1) Configure: git config --global gpg.format ssh; git config --global user.signingkey ~/.ssh/id_ed25519.pub; (2) Add SSH key to GitHub as "Signing key" (separate from authentication key); (3) Commit: git commit -S -m "message" (or automatic with commit.gpgsign). Verify locally: git verify-commit abc1234. Sign tags: git tag -s v1.0 -m "release". Signing is important for audited environments, open-source release management, and proving supply chain integrity.