GitHub.com/ansible Now Requires Signed Commits: How to Configure GPG Signing

By Luca Berton · Published 2024-01-01 · Category: installation

The github.com/ansible organization now requires signed commits for all repositories. Learn how to configure GPG or SSH commit signing to continue contributing.

Introduction

The github.com/ansible organization has introduced a mandatory requirement for signed commits across all its repositories. This security enhancement ensures that all code contributions are cryptographically verified, confirming the identity of every contributor.

If you contribute to any Ansible project on GitHub — including ansible-core, collections, ansible-documentation, or AWX — you must now sign your commits.

Why Signed Commits

Signed commits provide:
• Identity verification — Confirms that commits genuinely come from the claimed author
• Tamper detection — Ensures code hasn't been modified after being committed
• Supply chain security — Protects the Ansible ecosystem from unauthorized code changes
• Compliance — Aligns with industry best practices for open-source security

GitHub marks signed commits with a green Verified badge, making it easy to distinguish authenticated contributions.

How to Set Up GPG Commit Signing

Step 1: Generate a GPG Key

gpg --full-generate-key

Select:
• Key type: RSA and RSA
• Key size: 4096 bits
• Expiration: 1 year (recommended)
• Enter your name and email (must match your GitHub email)

Step 2: Get Your GPG Key ID

gpg --list-secret-keys --keyid-format=long

Output will show something like:

sec   rsa4096/3AA5C34371567BD2 2026-03-28 [SC]

The key ID is 3AA5C34371567BD2.

Step 3: Export and Add to GitHub

gpg --armor --export 3AA5C34371567BD2

Copy the output (including -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK-----) and add it to GitHub → Settings → SSH and GPG keys → New GPG key.

Step 4: Configure Git to Sign Commits

git config --global user.signingkey 3AA5C34371567BD2
git config --global commit.gpgsign true

Step 5: Verify It Works

git commit --allow-empty -m "Test signed commit"
git log --show-signature -1

You should see gpg: Good signature in the output.
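
Step 5 checks only the most recent commit, while a pull request is accepted only if every commit in it is signed. The following added example (not part of the original article) lists the commits in a range that lack a good signature, using git's %G? status code; the function name check_signed and the branch origin/main are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the article): report commits in a range that lack
# a good signature, using git's %G? status code.
#   G = good, U = good but key trust unknown locally, N = no signature,
#   B = bad, E = cannot be checked, X/Y = expired, R = revoked key.
# SSH signatures are only verifiable locally once gpg.ssh.allowedSignersFile
# is configured.

# check_signed RANGE
#   Prints "<status> <short-hash> <subject>" for each commit that is not G/U.
#   Returns 0 if all commits pass, 1 if any fail, 2 if RANGE is invalid.
check_signed() {
    git rev-list "$1" >/dev/null 2>&1 || return 2
    git log --format='%G? %h %s' "$1" | (
        bad=0
        while read -r status rest; do
            case "$status" in
                G|U) ;;                       # signed: accepted
                *)   printf '%s %s\n' "$status" "$rest"; bad=1 ;;
            esac
        done
        exit "$bad"
    )
}

# Usage (origin/main is a placeholder for the branch your PR targets):
#   check_signed origin/main..HEAD || echo "re-sign the commits listed above"
```

Any commit it lists needs to be re-signed before the branch is pushed.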

Alternative: SSH Commit Signing

If you prefer SSH over GPG:

git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true

Add your SSH public key to GitHub under Settings → SSH and GPG keys and select Signing Key as the key type.

Troubleshooting

"error: gpg failed to sign the data"

On macOS, you may need to install pinentry-mac:

brew install pinentry-mac
echo "pinentry-program $(which pinentry-mac)" >> ~/.gnupg/gpg-agent.conf
gpgconf --kill gpg-agent

Commits Not Showing as Verified

Ensure the email in your GPG key matches the email configured in:

git config --global user.email

The same email must also be verified in your GitHub account settings.

Impact on Ansible Contributors

• All pull requests to github.com/ansible repositories must contain signed commits
• Existing unsigned commits won't be retroactively blocked, but new contributions must be signed
• CI/CD bots also need to use signed commits — the github-app-commit-action is being evaluated as a solution for automated workflows (PR #3543 in ansible-documentation)

Links

• GitHub: Signing Commits
• Git: Signing Your Work
• Ansible Community Forum

Conclusion

Signed commits are now mandatory for contributing to the Ansible GitHub organization. Setting up GPG or SSH signing takes just a few minutes and significantly improves the security of the Ansible supply chain. Configure your signing key today so your contributions continue to be accepted.
