What should I do if GitHub shows my commit signature as unverified?
An unverified commit signature means your GPG key isn't properly linked to GitHub. Verify your GPG setup, or upload the correct key in GitHub settings.
An unverified commit signature on GitHub suggests that the GPG key used to sign the commit is not linked or verified with your GitHub account. GitHub recognizes signed commits by associating them with your uploaded GPG or SSH keys, so if the key isn’t connected or verified, the commit appears as 'Unverified.' First, ensure that the GPG key in use matches the one registered with GitHub. You can check this by running

    gpg --list-secret-keys --keyid-format LONG

in your terminal to display your keys, noting the key ID associated with your commits. Then, log into GitHub and navigate to Settings > SSH and GPG keys, where you can upload your GPG public key if not already added. To sign future commits automatically, configure Git to use this GPG key by running

    git config --global user.signingkey <keyID>

After configuring these settings, future commits should display as 'Verified' on GitHub.
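The checks above can be scripted. The following is an added example, not part of the original answer: it parses the machine-readable form of the key listing (`gpg --list-secret-keys --with-colons`) and reports whether the configured `user.signingkey` is in the keyring, whether the committer email appears in the key's user IDs (a mismatch there is another common cause of 'Unverified'), and whether `commit.gpgsign` is on (without it, Git signs only when `-S` is passed). The function names, finding labels and sample key are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-secret-keys --with-colons` output (not a real key).
SAMPLE_LISTING='sec:u:4096:1:AAAA1111BBBB2222:1700000000:::u:::scESC:
fpr:::::::::0123456789ABCDEF01234567AAAA1111BBBB2222:
uid:u::::1700000000::ABCDEF::Alice Example <alice@example.com>:
ssb:u:4096:1:CCCC3333DDDD4444:1700000000::::::e:'

# Print the long key ID (field 5) of every secret primary key and subkey.
secret_key_ids() {
    awk -F: '$1 == "sec" || $1 == "ssb" { print $5 }'
}

# Print the lowercased email address from every user ID record (field 10).
uid_emails() {
    awk -F: '$1 == "uid" && match($10, /<[^>]+>/) {
        print tolower(substr($10, RSTART + 1, RLENGTH - 2)) }'
}

# diagnose LISTING SIGNINGKEY EMAIL GPGSIGN
# Prints space-separated findings, or "ok" when nothing is wrong.
diagnose() {
    listing=$1
    key=$(printf '%s' "$2" | tr 'a-f' 'A-F' | sed 's/^0[xX]//; s/!$//')
    email=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    findings=; matched=no
    # A v4 fingerprint ends with the long key ID, so suffix matching covers both.
    for id in $(printf '%s\n' "$listing" | secret_key_ids); do
        case $key in *"$id") matched=yes ;; esac
    done
    [ "$matched" = yes ] || findings="${findings}signingkey-not-in-keyring "
    printf '%s\n' "$listing" | uid_emails | grep -qxF "$email" \
        || findings="${findings}email-not-in-key-uids "
    [ "$4" = true ] || findings="${findings}autosign-disabled "
    printf '%s\n' "${findings:-ok}" | sed 's/ $//'
}

# Run the same checks against the local keyring and Git configuration.
diagnose_live() {
    diagnose "$(gpg --list-secret-keys --with-colons 2>/dev/null)" \
        "$(git config user.signingkey)" "$(git config user.email)" \
        "$(git config --bool commit.gpgsign)"
}

diagnose "$SAMPLE_LISTING" AAAA1111BBBB2222 alice@example.com true
```

Call `diagnose_live` on the machine that makes the commits. If it reports `autosign-disabled`, `git config --global commit.gpgsign true` turns on signing for every commit.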