LinuxCommandLibrary

git-verify-commit

Verify the GPG signature of a commit

TLDR

Check commits for a GPG signature

$ git verify-commit [commit_hash1 optional_commit_hash2 ...]

Check commits for a GPG signature and show details of each commit

$ git verify-commit [commit_hash1 optional_commit_hash2 ...] [-v|--verbose]

Check commits for a GPG signature and print the raw details

$ git verify-commit [commit_hash1 optional_commit_hash2 ...] --raw

SYNOPSIS

git verify-commit [-v | --verbose] [--raw] <commit>…

PARAMETERS

-v, --verbose
    Display detailed GPG verification output to stdout.

--raw
    Print the raw details of the GPG verification.

<commit>…
    One or more commit objects (SHA-1 hash, tag, or ref) to verify.

DESCRIPTION

git-verify-commit checks the cryptographic GPG signatures on the specified Git commit objects to ensure authenticity and integrity. It uses the user's default GPG keyring to validate that the commit was created by the author who signed it and has not been tampered with since.

This command is essential for secure workflows, such as those requiring signed commits in open-source projects or enterprises. It processes one or more commit references (hashes, tags, or branch names resolving to commits) provided as arguments.

If a commit lacks a signature, it reports "no signature"; invalid signatures trigger GPG error details. Successful verification confirms the signer, key ID, timestamp, and trust level.

With --verbose, full GPG output is displayed, aiding debugging. The command exits 0 on full success, 1 if any commit fails verification.

It complements signing via git commit --gpg-sign and integrates with Git's trust model, similar to git verify-tag. Requires GPG 1.4+ and configured keys for thorough checks.

CAVEATS

Only verifies existing signatures; unsigned commits are flagged but not failed. Depends on user's GPG setup and key trust. Does not support custom keyrings or stdin input.

EXIT STATUS

0 if all commits valid or unsigned; 1 if any invalid signature.

EXAMPLE

$ git verify-commit HEAD
gpg: Signature made ... good signature from ...
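
The `--raw` form listed in the TLDR emits GnuPG's machine-readable status lines, which are safer to gate on than the human-readable text. The following is an added example, not code from the original page or from the Git project: it accepts a commit only when the status shows a good signature and the signer's primary-key fingerprint is on an allowlist. The fingerprint, the sample status lines, `ALLOWED_FPRS`, `classify_raw_status` and `verify_range` are constructed or hypothetical names used for illustration.

```sh
#!/bin/sh
# Added example (not from the page): gate on `git verify-commit --raw` status lines.
# The fingerprint and samples are constructed; ALLOWED_FPRS is a hypothetical allowlist.
FPR=0123456789ABCDEF0123456789ABCDEF01234567
ALLOWED_FPRS="$FPR"

SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Dev <dev@example.com>
[GNUPG:] VALIDSIG $FPR 2024-01-01 1704067200 0 4 0 1 8 00 $FPR
[GNUPG:] TRUST_ULTIMATE 0 pgp"
SAMPLE_EXPIRED_KEY="[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Dev <dev@example.com>
[GNUPG:] VALIDSIG $FPR 2024-01-01 1704067200 0 4 0 1 8 00 $FPR"

# Reads GnuPG status lines on stdin, prints a verdict, and returns 0 only for
# a good signature whose primary-key fingerprint is in the space-separated $1.
classify_raw_status() {
    awk -v allowed="$1" '
        $1 != "[GNUPG:]" { next }
        { seen = 1 }
        $2 == "GOODSIG"  { good = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
        $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ && !why { why = $2 }
        END {
            n = split(allowed, list, " ")
            for (i = 1; i <= n; i++) if (list[i] == fpr) listed = 1
            if (!seen)                      why = "no-signature-data"
            else if (why == "" && !good)    why = "no-GOODSIG"
            else if (why == "" && !listed)  why = "signer-not-allowlisted"
            if (why != "") { print "reject:" why; exit 1 }
            print "ok " fpr
        }'
}

# Checks every commit in a revision range (for example origin/main..HEAD).
verify_range() {
    rc=0
    for c in $(git rev-list "$1"); do
        verdict=$(git verify-commit --raw "$c" 2>&1 | classify_raw_status "$ALLOWED_FPRS") || rc=1
        printf '%s %s\n' "$c" "$verdict"
    done
    return "$rc"
}

# Demo on the constructed samples; the empty input stands for output with no status lines.
printf '%s\n' "$SAMPLE_GOOD"        | classify_raw_status "$ALLOWED_FPRS" || true
printf '%s\n' "$SAMPLE_EXPIRED_KEY" | classify_raw_status "$ALLOWED_FPRS" || true
printf ''                           | classify_raw_status "$ALLOWED_FPRS" || true
```

Because the classifier rejects any input that carries no status lines, a commit with no signature data fails the gate regardless of the exit status of `git verify-commit` itself.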

HISTORY

Introduced in Git 1.7.9 (February 2011) alongside enhanced GPG commit signing support, developed by Git maintainers including Linus Torvalds and peers to bolster repository integrity against tampering.
