The git verify-commit command checks the GPG signature of a commit. GPG (GNU Privacy Guard) is used for signing files and verifying their signatures, ensuring that your commits are secure and trusted.
Initial Example
The git verify-commit command checks the GPG signature of a specific commit to ensure its authenticity.
$ git verify-commit <commit>
VERIFY-COMMIT Options
| Option | Description |
|---|---|
--raw | Print the raw GPG status output to standard error instead of the normal human-readable output. This provides detailed information about the GPG verification process. |
-v, --verbose | Print the contents of the commit object before validating it. This option is useful for debugging and understanding what is being verified. |
<commit>…​ | SHA-1 identifiers of Git commit objects to be verified. This specifies the commits whose GPG signatures you want to check. |
Examples
1. Verifying a Commit
This example shows how to verify the GPG signature of a specific commit.
$ git verify-commit abc12345
2. Verifying Multiple Commits
This example demonstrates how to verify the GPG signatures of several commits at once.
$ git verify-commit abc12345 def67890 ghi11223
3. Handling Unverified Commits
If a commit’s GPG signature isn’t verified, you might need to import the committer’s GPG key or ensure the key is trusted.
$ gpg --receive-keys <key-id> $ gpg --edit-key <key-id> trust