PGP signature not counting as verified on GitHub or GitLab?


I have recently started using PGP to sign my git commits. However, although “git log --show-signatures” shows a good signature, both GitLab and GitHub show it as Unverified instead of verified. I have been trying to work out why, but I have not been able to find out. I have tried adding my no-reply github email as a uid, which didnt work, so then I made my email - which is the same as the one on the key - public, but that still didn’t work. Any ideas?


There’s a section in your profile settings where you can upload your public key. Same page as where you upload SSH keys on GitHub IIRC.

What do the services say when you click the “unverified”?

I think the solution is either:

  • uploading your public key like Jonah suggests.
  • adding UID to your key matching the email address you have in git config
  • adding the git config as your email address in account settings.
    • verifying that email address if you haven’t done that yet.

Thanks! My was outdated.