Re-sign commits on a branch with your GPG/SSH key.
Project description
git-sign
Enforce Commit Signing for AI Agents
Re-sign commits on a branch with your GPG or SSH key. Built for stamping PRs created by AI coding agents.
Why?
AI coding agents, including Claude, Cursor, ChatGPT Codex, Gemini, Github Copilot do not support signing git commits as of today (Feb 23, 2026). When AI Agents create pull requests, every commit shows up as "Unverified", and there is no way to supply a GPG or SSH key to sign the agent's PR. If you are trying to ensure commit signing on your organization without affecting developer experience, you'll hit a blocker.
git-sign fixes this. Point it at a PR and it squashes the commits into a single signed commit:
It works with GPG and SSH signing. Whatever you have configured in git config, git-sign uses it.
Features
- Squashes all branch commits into a single signed commit.
- Auto-detects the base branch from the remote HEAD.
- Refuses to run on main/master to prevent accidental history rewrites.
- Opens your editor for the commit message, or pass
-mto set it inline. --dry-runto preview what would happen.--force-pushto push after signing without a separate command.--yesto skip the confirmation prompt (useful in scripts).--baseto specify a custom base branch.--prto sign a GitHub PR by number or URL without cloning manually (requiresghCLI).--mergeto merge the PR after signing (used with--pr).- No dependencies beyond Python 3.7+ and git (
ghCLI required only for--pr).
Installation
From PyPI:
pip install git-sign
From source:
git clone https://github.com/mazen160/git-sign.git
cd git-sign
pip install .
Or just run the script directly:
python git-sign.py
Usage
Squash and sign all commits on the current branch (opens editor for commit message):
git-sign
With an inline commit message:
git-sign -m "Add user authentication"
Skip the confirmation prompt:
git-sign --yes
Sign and force push in one step:
git-sign --yes --force-push -m "Add user authentication"
Preview without making changes:
git-sign --dry-run
Use a specific base branch:
git-sign --base develop
PR Workflow
Sign a PR directly by number (when inside the repo):
git-sign --pr 42
Or by full URL (works from any directory):
git-sign --pr https://github.com/owner/repo/pull/42
Sign and merge in one command:
git-sign --pr https://github.com/owner/repo/pull/42 --merge -y -m "Add user authentication"
Preview without making changes:
git-sign --pr 42 --dry-run
The PR workflow:
- Resolves the PR's source branch, base branch, and repo via
gh pr view. - Shallow-clones the repo into a temp directory.
- Squashes and signs the commits on the PR branch.
- Force-pushes the signed branch back.
- Optionally merges the PR (with
--merge). - Cleans up the temp directory.
This requires the GitHub CLI (gh) installed and authenticated (gh auth login).
How it works
git-sign diffs your branch against the remote base, resets to the base, applies the diff, and commits everything as a single signed commit:
git diff --binary origin/main feature-branch > /tmp/patch
git reset --hard origin/main
git apply /tmp/patch
git add .
git commit -S
All your changes end up in one signed commit. You force push the branch, and the PR shows as verified.
This squashes history on purpose. AI agents tend to produce noisy commit logs ("fix lint", "update test", "try again"). One clean signed commit is better.
When using --pr, this same process runs inside a temporary clone -- you don't need to be in the repo or on the right branch.
Requirements
- Python 3.7+
- Git
- GitHub CLI (
gh) — only needed for--prworkflow - A signing key configured in git:
# GPG git config user.signingkey <your-gpg-key-id> # SSH git config gpg.format ssh git config user.signingkey ~/.ssh/id_ed25519.pub
Contribution
Contributions are welcome. Report issues and open pull requests on GitHub.
License
MIT License. See LICENSE.
Author
Mazin Ahmed
- Website: https://mazinahmed.net
- Email:
mazin [at] mazinahmed [dot] net - Twitter: https://twitter.com/mazen160
- Linkedin: http://linkedin.com/in/infosecmazinahmed
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file git_sign-0.1.0.tar.gz.
File metadata
- Download URL: git_sign-0.1.0.tar.gz
- Upload date:
- Size: 7.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8a66e5485056a5b0bd8f46a9d7c3e932866b20861843a1e1936f2e10f89e1773
|
|
| MD5 |
9820bc7f7e67fe0ab3d024ee1cac7ddf
|
|
| BLAKE2b-256 |
3c00a57264e4039b8d3a659f31b68cd0f6f8313243b3da20f3b4edb4494c831b
|
File details
Details for the file git_sign-0.1.0-py3-none-any.whl.
File metadata
- Download URL: git_sign-0.1.0-py3-none-any.whl
- Upload date:
- Size: 8.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bea924e9f61fea082bd2e21f3df53d9cf23d81ae2c860d725e3774c251222951
|
|
| MD5 |
b405a7361f69ae387c833b93cbaa4368
|
|
| BLAKE2b-256 |
dfe495f1c80864cf878d61dda03ae9c47ebbafa632996c737b575628b810557f
|
