
Overview

Gitar GPG-signs all commits it pushes to your repositories, including fix requests, CI failure fixes, and other automated changes. This lets you verify that a commit genuinely came from Gitar and was not tampered with.

Gitar’s Public GPG Key

Use the following public key to verify commits signed by Gitar:
This key is also available on GitHub for automated retrieval.

Verifying Commits Locally

1. Import the key
Save the public key above to a file (e.g. gitar.gpg) and import it:
gpg --import gitar.gpg
2. Verify a commit
git log --show-signature -1 <commit-sha>
A valid signature will show Good signature from "Gitar <...>" in the output.
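"Good signature" means the signature checks out against some key in your local keyring, so an automated check should also pin the key's fingerprint. The script below is an added example, not part of Gitar's documentation or tooling: it parses the machine-readable status from git verify-commit --raw and accepts a commit only when the signature is valid and made by the pinned key. EXPECTED_FPR is a placeholder, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Gitar's tooling. EXPECTED_FPR is a placeholder: set it to
# the 40-hex-digit fingerprint of Gitar's key, confirmed through a trusted channel.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# check_status FPR
# Reads GnuPG status lines on stdin. Succeeds only when a VALIDSIG line names
# FPR as the primary key (its last field) and no failure status is present.
# An unsigned commit produces no VALIDSIG line and is therefore rejected.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { if (toupper($NF) == toupper(want)) ok = 1; else bad = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_commit SHA
# git verify-commit --raw writes the GnuPG status lines to stderr, so stderr is
# redirected into the pipe. The result is the exit status of check_status.
verify_commit() {
    git verify-commit --raw "$1" 2>&1 | check_status "$EXPECTED_FPR"
}

# Usage inside a clone, after `gpg --import gitar.gpg`:
#   EXPECTED_FPR=<fingerprint>
#   verify_commit <commit-sha> && echo "signed by the pinned key"
```

With the placeholder fingerprint left in place, verify_commit rejects every commit, so a missing configuration fails closed.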

Verified Badge on GitHub / GitLab

Once the hosting platform trusts Gitar’s signing key, commits pushed by Gitar display a Verified badge automatically.
  • GitHub — GitHub shows the badge once the GPG key is associated with the committer’s account. Gitar’s key is registered, so no action is needed on your part.
  • GitLab — GitLab similarly displays a Verified badge for commits signed with a GPG key linked to the committer. No additional setup is required.
If you do not see the Verified badge on a Gitar commit, confirm that the commit’s author email matches the email associated with Gitar’s GPG key.