Re-sign commits on a branch with your GPG or SSH key. Built for stamping PRs created by AI coding agents.
AI coding agents, including Claude, Cursor, ChatGPT Codex, Gemini, Github Copilot do not support signing git commits as of today (Feb 23, 2026). When AI Agents create pull requests, every commit shows up as "Unverified", and there is no way to supply a GPG or SSH key to sign the agent's PR. If you are trying to ensure commit signing on your organization without affecting developer experience, you'll hit a blocker.
git-sign fixes this. Point it at a PR and it squashes the commits into a single signed commit:
It works with GPG and SSH signing. Whatever you have configured in git config, git-sign uses it.
- Squashes all branch commits into a single signed commit.
- Auto-detects the base branch from the remote HEAD.
- Refuses to run on main/master to prevent accidental history rewrites.
- Opens your editor for the commit message, or pass
-mto set it inline. --dry-runto preview what would happen.--force-pushto push after signing without a separate command.--yesto skip the confirmation prompt (useful in scripts).--baseto specify a custom base branch.--prto sign a GitHub PR by number or URL without cloning manually (requiresghCLI).--mergeto merge the PR after signing (used with--pr).- No dependencies beyond Python 3.7+ and git (
ghCLI required only for--pr).
From PyPI:
pip install git-signFrom source:
git clone https://github.com/mazen160/git-sign.git
cd git-sign
pip install .Or just run the script directly:
python git-sign.pySquash and sign all commits on the current branch (opens editor for commit message):
git-signWith an inline commit message:
git-sign -m "Add user authentication"Skip the confirmation prompt:
git-sign --yesSign and force push in one step:
git-sign --yes --force-push -m "Add user authentication"Preview without making changes:
git-sign --dry-runUse a specific base branch:
git-sign --base developSign a PR directly by number (when inside the repo):
git-sign --pr 42Or by full URL (works from any directory):
git-sign --pr https://github.com/owner/repo/pull/42Sign and merge in one command:
git-sign --pr https://github.com/owner/repo/pull/42 --merge -y -m "Add user authentication"Preview without making changes:
git-sign --pr 42 --dry-runThe PR workflow:
- Resolves the PR's source branch, base branch, and repo via
gh pr view. - Shallow-clones the repo into a temp directory.
- Squashes and signs the commits on the PR branch.
- Force-pushes the signed branch back.
- Optionally merges the PR (with
--merge). - Cleans up the temp directory.
This requires the GitHub CLI (gh) installed and authenticated (gh auth login).
git-sign diffs your branch against the remote base, resets to the base, applies the diff, and commits everything as a single signed commit:
git diff --binary origin/main feature-branch > /tmp/patch
git reset --hard origin/main
git apply /tmp/patch
git add .
git commit -SAll your changes end up in one signed commit. You force push the branch, and the PR shows as verified.
This squashes history on purpose. AI agents tend to produce noisy commit logs ("fix lint", "update test", "try again"). One clean signed commit is better.
When using --pr, this same process runs inside a temporary clone -- you don't need to be in the repo or on the right branch.
- Python 3.7+
- Git
- GitHub CLI (
gh) — only needed for--prworkflow - A signing key configured in git:
# GPG git config user.signingkey <your-gpg-key-id> # SSH git config gpg.format ssh git config user.signingkey ~/.ssh/id_ed25519.pub
Contributions are welcome. Report issues and open pull requests on GitHub.
MIT License. See LICENSE.
Mazin Ahmed
- Website: https://mazinahmed.net
- Email:
mazin [at] mazinahmed [dot] net - Twitter: https://twitter.com/mazen160
- Linkedin: http://linkedin.com/in/infosecmazinahmed