GitHub.com/ansible Now Requires Signed Commits: How to Configure GPG Signing
By Luca Berton · Published 2024-01-01 · Category: installation
The github.com/ansible organization now requires signed commits for all repositories. Learn how to configure GPG or SSH commit signing to continue contributing.
Introduction
The github.com/ansible organization has introduced a mandatory requirement for signed commits across all its repositories. This security enhancement ensures that all code contributions are cryptographically verified, confirming the identity of every contributor.
If you contribute to any Ansible project on GitHub — including ansible-core, collections, ansible-documentation, or AWX — you must now sign your commits.
Why Signed Commits
Signed commits provide:
- Identity verification — Confirms that commits genuinely come from the claimed author
- Tamper detection — Ensures code hasn't been modified after being committed
- Supply chain security — Protects the Ansible ecosystem from unauthorized code changes
- Compliance — Aligns with industry best practices for open-source security
How to Set Up GPG Commit Signing
Step 1: Generate a GPG Key
gpg --full-generate-key
Select:
- Key type: RSA and RSA
- Key size: 4096 bits
- Expiration: 1 year (recommended)
- Enter your name and email (must match your GitHub email)
Step 2: Get Your GPG Key ID
gpg --list-secret-keys --keyid-format=long
Output will show something like:
sec rsa4096/3AA5C34371567BD2 2026-03-28 [SC]
The key ID is 3AA5C34371567BD2.
Step 3: Export and Add to GitHub
gpg --armor --export 3AA5C34371567BD2
Copy the output (including -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK-----) and add it to GitHub → Settings → SSH and GPG keys → New GPG key.
Step 4: Configure Git to Sign Commits
git config --global user.signingkey 3AA5C34371567BD2
git config --global commit.gpgsign true
Step 5: Verify It Works
git commit --allow-empty -m "Test signed commit"
git log --show-signature -1
You should see gpg: Good signature in the output.
Alternative: SSH Commit Signing
If you prefer SSH over GPG:
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true
Add your SSH public key to GitHub under Settings → SSH and GPG keys and select Signing Key as the key type.
Troubleshooting
"error: gpg failed to sign the data"
On macOS, you may need to install pinentry-mac:
brew install pinentry-mac
echo "pinentry-program $(which pinentry-mac)" >> ~/.gnupg/gpg-agent.conf
gpgconf --kill gpg-agent
Commits Not Showing as Verified
Ensure the email in your GPG key matches the email configured in:
git config --global user.email
And that the same email is verified in your GitHub account settings.
Impact on Ansible Contributors
- All pull requests to github.com/ansible repositories must contain signed commits
- Existing unsigned commits won't be retroactively blocked, but new contributions must be signed
- CI/CD bots also need to use signed commits — the github-app-commit-action is being evaluated as a solution for automated workflows (PR #3543 in ansible-documentation)
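A local check for the requirement above, as an added example (not code from the Ansible project or the original article): it uses git's `%G?` log placeholder to flag commits in a pull request range that carry no signature, or one that cannot be verified with the keys on your machine. The default base ref `origin/main`, the function names, and the sample lines are assumptions; GitHub performs its own verification against the keys uploaded to your account.

```shell
#!/bin/sh
# Added example: find commits that would not pass a signed-commit requirement.
# git's %G? placeholder reports one letter per commit:
#   G good, U good (unknown trust), X good but signature expired,
#   Y good but key expired, R good but key revoked,
#   B bad, E cannot be checked (e.g. public key missing), N no signature.

# Reads "<hash> <status> <author-email>" lines on stdin and prints one line
# per commit that needs attention. Returns 1 if any such commit was seen.
flag_unsigned() {
    fu_rc=0
    while read -r fu_hash fu_status fu_email; do
        [ -n "$fu_hash" ] || continue            # skip blank lines
        case "$fu_status" in
            G|U)   ;;                            # signature verifies locally
            N)     echo "$fu_hash unsigned $fu_email"; fu_rc=1 ;;
            B)     echo "$fu_hash bad-signature $fu_email"; fu_rc=1 ;;
            E)     echo "$fu_hash unverifiable $fu_email"; fu_rc=1 ;;
            X|Y|R) echo "$fu_hash expired-or-revoked $fu_email"; fu_rc=1 ;;
            *)     echo "$fu_hash unknown-status $fu_email"; fu_rc=1 ;;
        esac
    done
    return "$fu_rc"
}

# Audits the commits a pull request would add: everything reachable from HEAD
# but not from the base ref (origin/main is an assumed default).
audit_range() {
    git log --format='%H %G? %ae' "${1:-origin/main}..HEAD" | flag_unsigned
}

# Constructed sample input; hashes and addresses are made up.
SAMPLE='1111111 G alice@example.com
2222222 N bob@example.com
3333333 E carol@example.com
4444444 U dave@example.com'
```

Source the file inside a clone and call `audit_range` with the base ref of your pull request; any line it prints is a commit to re-sign before pushing.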
Conclusion
Signed commits are now mandatory for contributing to the Ansible GitHub organization. Setting up GPG or SSH signing takes just a few minutes and significantly improves the security of the Ansible supply chain. Configure your signing key today so your contributions continue to be accepted.