Fixing “Merging is blocked: Commits must have verified signatures” in GitHub

JayRam Nai

Recently, while contributing to an open-source repository, I created a pull request and got this message on my pull request:

Merging is blocked: Commits must have verified signatures

This means the repository requires all commits to be GPG-signed and verified.

Here's a quick guide to fix this and sign your commits with a verified GPG key.


1. Generate a GPG Key

If you don’t already have one:

gpg --full-generate-key

Choose:

  • Key type: RSA and RSA

  • Key size: 4096

  • Set expiry and user info (name/email should match your GitHub email)

2. List and Get Your GPG Key ID

gpg --list-secret-keys --keyid-format LONG

Look for a line like:

sec rsa4096/3AA5C34371567BD2 2025-05-10

Your key ID is the part after the /, e.g., 3AA5C34371567BD2.

3. Export Your Public Key

gpg --armor --export 3AA5C34371567BD2

Copy the output.

4. Add GPG Key to GitHub

  • Go to GitHub > Settings > SSH and GPG Keys > New GPG key

  • Paste the exported key and save.

5. Tell Git to Use Your GPG Key

git config --global user.signingkey 3AA5C34371567BD2
git config --global commit.gpgsign true

Note: user.signingkey is the name of the Git setting, so keep it exactly as written. Don’t replace it with your username; only the key ID after it is yours.


Re-sign Existing Commits (Optional)

If you have already committed and want to re-sign your most recent commit:

git commit --amend --no-edit --gpg-sign

Then force push:

git push origin -f <your_branch_name>
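
Because the amend command above only re-signs the latest commit, it helps to check which commits on the branch still lack a usable signature before pushing. This check is an added example, not part of the original post; the base ref origin/main and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find commits that would still trip a "verified signatures" rule.
# Input format: one "<hash> <status>" pair per line, as printed by
#   git log --format='%H %G?' <base>..HEAD
# Git's %G? status letters:
#   G good signature        U good, key trust unknown
#   N no signature          B bad signature
#   E cannot be checked     X/Y expired signature/key     R revoked key

# Print every commit whose signature is missing or not usable.
needs_resign() {
    while read -r hash status; do
        case "$status" in
            G|U) ;;                                  # signed and valid locally
            *)   printf '%s %s\n' "$hash" "$status" ;;
        esac
    done
}

# Run the check on the current branch. The default base "origin/main" is an
# assumption; pass the branch your pull request targets.
check_branch() {
    base=${1:-origin/main}
    git log --format='%H %G?' "$base"..HEAD | needs_resign
}

# Constructed sample input (not real commits), so the filter runs without a repo.
SAMPLE='1111111111111111111111111111111111111111 G
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 U
4444444444444444444444444444444444444444 B'

printf '%s\n' "$SAMPLE" | needs_resign
```

Inside a repository, call check_branch with your pull request's target branch; empty output means every commit in the range is signed. The status comes from your local keyring, so GitHub will still only show Verified once the public key from step 4 is on your account.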

All Set!

Your commits will now show up on GitHub as Verified. No more merge blocks!

Reference:

https://docs.github.com/en/authentication/managing-commit-signature-verification
