Fixing “Merging is blocked: Commits must have verified signatures” in GitHub

Open edX expert and open-source enthusiast.
Recently, while contributing to an open-source repository, I created a pull request and got this message on my pull request:
Merging is blocked: Commits must have verified signatures
This means the repository requires all commits to be GPG-signed and verified.
Here's a quick guide to fix this and sign your commits with a verified GPG key.
1. Generate a GPG Key
If you don’t already have one:
gpg --full-generate-key
Choose:
Key type: RSA and RSA
Key size: 4096
Set expiry and user info (name/email should match your GitHub email)
2. List and Get Your GPG Key ID
gpg --list-secret-keys --keyid-format LONG
Look for a line like:
sec rsa4096/3AA5C34371567BD2 2025-05-10
Your key ID is the part after the /, e.g., 3AA5C34371567BD2.
3. Export Your Public Key
gpg --armor --export 3AA5C34371567BD2
Copy the output.
4. Add GPG Key to GitHub
Go to GitHub > Settings > SSH and GPG Keys > New GPG key
Paste the exported key and save.
5. Tell Git to Use Your GPG Key
git config --global user.signingkey 3AA5C34371567BD2
git config --global commit.gpgsign true
Note: user.signingkey is the name of the Git setting, not a placeholder. Don’t replace it with your username; keep it as is.
Re-sign Existing Commits (Optional)
If you have already committed and want to re-sign the most recent commit:
git commit --amend --no-edit --gpg-sign
Then force push:
git push origin -f <your_branch_name>
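Since the rule applies to every commit in the pull request, it helps to list the commits on your branch that are still unsigned before you force push. The helper below is an added example, not part of the original post; it reads the %G? signature status that git log reports, and origin/main is an assumed base branch.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.

# Describe one %G? status letter (documented under PRETTY FORMATS in git-log).
sig_status() {
  case "$1" in
    G) echo "good signature" ;;
    U) echo "good signature, key not trusted locally" ;;
    N) echo "unsigned" ;;
    B) echo "bad signature" ;;
    E) echo "cannot check (public key missing?)" ;;
    X|Y) echo "expired signature or key" ;;
    R) echo "revoked key" ;;
    *) echo "unknown status" ;;
  esac
}

# Read "<hash> <status> <subject>" lines on stdin and print every commit that
# does not carry a good signature. Returns 1 if at least one was printed.
filter_unverified() {
  local hash status subject rc=0
  while read -r hash status subject; do
    [ -n "$hash" ] || continue
    case "$status" in
      G|U) ;;  # cryptographically valid signature
      *)
        printf '%.12s %s (%s)\n' "$hash" "$subject" "$(sig_status "$status")"
        rc=1
        ;;
    esac
  done
  return "$rc"
}

# Check the commits that are on HEAD but not on the base branch.
# origin/main is an assumed default; pass the branch your pull request targets.
check_branch() {
  local base="${1:-origin/main}"
  git log --format='%H %G? %s' "${base}..HEAD" | filter_unverified
}

# Usage, once the functions are loaded in your shell:
#   check_branch origin/main && echo "every commit is signed"
```

A clean result means the signatures verify against your local keyring; GitHub decides the Verified badge itself, using the public key uploaded to your account.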
All Set!
Your commits will now show up on GitHub as Verified. No more merge blocks!
Reference:
https://docs.github.com/en/authentication/managing-commit-signature-verification



