git verify-commit

Validates signed commits.

🎯 What & why

Verify the GPG or SSH signature attached to a commit. The cryptographic answer to 'did this person actually author this commit?'

🧠 Mental model

Git stores a detached signature in the commit object header; verify-commit re-runs the verifier (gpg or ssh-keygen) against your local trust database.

🛠️ Synopsis

git verify-commit [-v | --verbose] [--raw] <commit>...

Exits 0 if every signature is good, non-zero otherwise. Output goes to
stderr (the human-readable verifier message); stdout is reserved for
--verbose commit content. Honors gpg.program / gpg.ssh.allowedSignersFile.

🎚️ Switches & options

Flag	What it does
`-v / --verbose`	Print the commit content in addition to the signature status.
`--raw`	Emit the verifier's raw machine-readable status lines (GOODSIG, BADSIG, ERRSIG, EXPKEYSIG, REVKEYSIG, TRUST_*).
`<commit>...`	One or more commit-ish; verification fails as a whole if any one is bad.

💡 Use cases

Audit a release branch: ensure every merge commit was signed by a trusted maintainer.
CI gate that rejects unsigned or untrusted commits before deploy.
Forensic check after a suspected key compromise (look for EXPKEYSIG / REVKEYSIG).
Confirm what a hosting provider's 'Verified' badge actually means locally.

🧪 Examples

Verify HEAD

git verify-commit HEAD

Verbose with commit body

git verify-commit -v v2.4.0^{commit}

Machine-parseable output

git verify-commit --raw HEAD 2>&1 | grep -E '^\[GNUPG:\] (GOODSIG|BADSIG|ERRSIG)'

Verify a range in CI

git rev-list origin/main..HEAD | xargs git verify-commit

🎓 Recommendations

Set commit.gpgSign=true plus user.signingKey so signing is the default, not an afterthought.
Prefer gpg.format=ssh on modern setups; SSH keys are already in your agent and far less ceremony than GPG.
Parse --raw in scripts. The human text is not stable; the GNUPG status lines are.

🪤 Common pitfalls

A 'good' signature only proves the key signed it - trust still depends on your keyring or allowedSignersFile being curated.
GitHub/GitLab 'Verified' uses their key database, not yours; local verify-commit can disagree and both be technically correct.
Rebases and amends re-author commits and drop signatures unless you re-sign with -S.

🔗 Related modules

📝 Quiz

Hit each option, then Check answers. Score is recorded; Next is always open.