git-verify-commit
Verify the GPG signature of a commit
TLDR
Check commits for a GPG signature
Check commits for a GPG signature and show details of each commit
Check commits for a GPG signature and print the raw details
SYNOPSIS
git verify-commit [-v | --raw] <commit>...
PARAMETERS
-v, --verbose
Print the contents of the signature and the verified data. This option provides more detailed information about the signature itself, including the signer's identity and key details.
--raw
Print the raw GPG status output directly from the GPG program. This output is typically terse and machine-readable, useful for scripting or detailed debugging of GPG interactions.
<commit>...
One or more commit-ish identifiers (e.g., commit SHA-1, branch name, tag name) whose GPG signatures are to be verified. The command will process each specified commit sequentially.
DESCRIPTION
The git-verify-commit command is used to cryptographically verify the GPG (GNU Privacy Guard) signature of one or more Git commit objects. When a commit is signed using git commit -S, a GPG signature is embedded within the commit object. This command checks the validity of this signature using the GPG program installed on your system.
It validates whether the signature is intact, whether it corresponds to the commit's content, and whether it was made by a trusted key in your GPG keyring. This is crucial for establishing the authenticity and integrity of commits, especially in collaborative environments, ensuring that a commit truly came from the stated author and has not been tampered with since signing. The command relies on an external GPG program to perform the actual cryptographic verification.
CAVEATS
Verification requires the GPG (or GnuPG) program to be installed and correctly configured on the system. The public key corresponding to the private key used to sign the commit must exist in your GPG keyring for the signature to be successfully verified as valid. If the key is not present, not trusted, or expired, the verification may fail or indicate an untrusted/invalid signature. Also, the command verifies only the signature of the commit object itself, not the content of the tree it points to: the signed data is the commit object (its tree and parent IDs, author, committer and message), so the tree and earlier history are covered only through those object hashes, and signatures on ancestor commits are not checked.
EXIT STATUS
The command exits with status 0 if all specified commits have valid GPG signatures and the verification process is successful. A non-zero exit status indicates a failure in verification (e.g., signature not found, invalid signature, or an underlying GPG error), signaling that the commit's authenticity or integrity could not be confirmed.
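Exit status 0 says that a key in the keyring produced a valid signature, not which key it was. The following added example (not part of Git or of the original page) parses the --raw status lines and accepts a commit only when the primary-key fingerprint is on an allow-list; the fingerprints, ALLOWED_FPRS and the function names are hypothetical, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example. Fingerprints are constructed placeholders, not real keys;
# ALLOWED_FPRS and all function names are hypothetical.
FPR_RELEASE=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FPR_SUBKEY=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
FPR_OTHER=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
ALLOWED_FPRS="$FPR_RELEASE"   # space-separated primary-key fingerprints

# Read GnuPG status lines on stdin. Succeed only for exactly one good
# signature whose primary-key fingerprint is in ALLOWED_FPRS.
check_gpg_status() {
    awk -v allowed="$ALLOWED_FPRS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        # Any of these means the signature or its key must not be relied on.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
        $2 == "VALIDSIG" { valid++; fpr = (NF >= 12) ? $12 : $3 }
        END { exit !(good == 1 && valid == 1 && !bad && (fpr in ok)) }'
}

# --raw writes the status to standard error, so fold it into the pipe.
verify_commit_pinned() {
    git verify-commit --raw "$1" 2>&1 | check_gpg_status
}

# Constructed status output: pinned signer, unlisted signer, expired key.
sample_good() { cat <<EOF
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer <signer@example.com>
[GNUPG:] VALIDSIG $FPR_SUBKEY 2024-01-01 1704067200 0 4 0 22 8 00 $FPR_RELEASE
[GNUPG:] TRUST_ULTIMATE 0 pgp
EOF
}
sample_unlisted() { cat <<EOF
[GNUPG:] GOODSIG CCCCCCCCCCCCCCCC Someone Else <other@example.com>
[GNUPG:] VALIDSIG $FPR_OTHER 2024-01-01 1704067200 0 4 0 22 8 00 $FPR_OTHER
[GNUPG:] TRUST_FULLY 0 pgp
EOF
}
sample_expired() { cat <<EOF
[GNUPG:] EXPKEYSIG AAAAAAAAAAAAAAAA Constructed Signer <signer@example.com>
[GNUPG:] VALIDSIG $FPR_SUBKEY 2024-01-01 1704067200 0 4 0 22 8 00 $FPR_RELEASE
EOF
}
for s in sample_good sample_unlisted sample_expired; do
    if $s | check_gpg_status; then echo "$s: accept"; else echo "$s: reject"; fi
done
```

In a repository, verify_commit_pinned HEAD applies the same check to a real commit; a commit with no signature produces no GOODSIG line and is rejected.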
HISTORY
git-verify-commit has been an integral part of Git's cryptographic verification capabilities since early versions, reinforcing the project's commitment to ensuring the integrity and authenticity of commit history. It works in conjunction with GPG, building upon established public-key cryptography standards to provide a mechanism for establishing trust in signed commits within a distributed version control system.
SEE ALSO
git-commit(1), git-tag(1), git-log(1), gpg(1)