I wanted to sign my code.

You know, the real deal: a stamp on executables so Windows stops yelling at you.

Yeah, those cost money. Not happening here.

But verified commits? That green badge next to your commits? Free. And it tells people: “Yes, this really came from me.”

Good enough.

Here’s how I set it up on Windows and added the generated key to Codeberg.

What You Need

  • Gpg4win - includes Kleopatra and GPG
  • Git for Windows - you probably have this already

Step 1: Create Your GPG Key

Open Kleopatra from the Start menu.

Click File > New OpenPGP Key Pair. Enter your name and email (same as Git). Check "Protect the generated key with a passphrase". Click OK and set a password.

Done. The key lives on your machine. Don’t forget to make a backup copy: use Backup Secret Keys from the key’s context menu.

Step 2: Add Public Key to Codeberg

Export your public key from Kleopatra (right-click > Export). Open the file, copy everything inside.

Go to Codeberg. Click your profile > Settings > SSH/GPG Keys. Under GPG Public Keys, paste your key and click Add Key.

Codeberg will ask you to verify the key. It gives you some text to sign.

Step 3: Verify Your Key (Important!)

On Windows, the terminal method can be messy. Use Kleopatra instead:

  1. Copy the verification text from Codeberg
  2. Open Kleopatra, go to Tools > Clipboard > OpenPGP-Sign
  3. Pick your key, click Next
  4. Enter your password to sign the clipboard

Here’s the trick: The signed result goes to your clipboard. Paste it into Notepad first.

You’ll see a block starting with -----BEGIN PGP SIGNATURE-----. Only copy this signature part - not the original text, not the instructions. Just the signature block from BEGIN to END.

Paste only that signature block back into Codeberg’s verification box.

Step 4: Configure Git

Now you need to tell Git which key to use. Open your global Git config (~/.gitconfig or git config --global --edit).

Add these lines:

[user]
	name = Your Name
	email = your.email@example.com
	signingkey = F3A7B2C8D4E9F1A6
	
[gpg]
	program = C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe
	
[commit]
	gpgsign = true

How to find your signingkey: Open a terminal and run:

gpg --list-secret-keys --keyid-format=long

You’ll see output like this:

sec   rsa4096/F3A7B2C8D4E9F1A6 2026-03-14
uid                 Your Name <your.email@example.com>

The part after the slash (F3A7B2C8D4E9F1A6) is your 16-character key ID. Copy that into signingkey.

The gpg.program path points to your Gpg4win install. The backslashes are doubled because a single backslash is an escape character in Git’s config file.

commit.gpgsign true signs every commit automatically.
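A check worth running after this step, added here as an example and not part of the original setup: Step 1 says the key's email must be the same as Git's, and this script confirms that the key named in user.signingkey really carries a user ID for user.email. It assumes Git Bash (shipped with Git for Windows); the function names key_has_email and check_git_signing are made up for this example, and the sample listing is constructed from the placeholder values above.

```shell
#!/bin/sh
# Added example: does the key in user.signingkey carry a user ID for user.email?

# key_has_email KEYID EMAIL: reads a `gpg --with-colons` key listing on stdin.
# Returns 0 when the key whose long ID matches KEYID (a 40-hex fingerprint is
# reduced to its last 16 digits) has a non-revoked uid containing <EMAIL>.
key_has_email() {
    awk -F: -v want="$1" -v email="$2" '
        BEGIN {
            want = toupper(want)
            if (length(want) > 16) want = substr(want, length(want) - 15)
            email = "<" tolower(email) ">"
        }
        $1 == "sec" { inkey = (toupper($5) == want) }      # field 5: long key ID
        $1 == "uid" && inkey && $2 != "r" && index(tolower($10), email) { found = 1 }
        END { exit !found }
    '
}

# Live check against the current Git configuration.
check_git_signing() {
    key=$(git config --get user.signingkey) || { echo "user.signingkey is not set"; return 2; }
    email=$(git config --get user.email) || { echo "user.email is not set"; return 2; }
    # Use the gpg binary Git itself is configured to call, so the same keyring is checked.
    gpg_bin=$(git config --get gpg.program) || gpg_bin=gpg
    if "$gpg_bin" --list-secret-keys --with-colons "$key" 2>/dev/null |
        key_has_email "$key" "$email"
    then echo "OK: key $key has a user ID for $email"
    else echo "MISMATCH: no usable user ID for $email on key $key"; return 1
    fi
}

# Constructed sample listing (not real gpg output), built from the placeholder values above.
SAMPLE='sec:u:4096:1:F3A7B2C8D4E9F1A6:1773446400:::u:::scESC:::+:::23::0:
uid:u::::1773446400::::Your Name <your.email@example.com>::::::::::0:
uid:r::::1773446400::::Your Name <old.address@example.com>::::::::::0:'

if printf '%s\n' "$SAMPLE" | key_has_email F3A7B2C8D4E9F1A6 your.email@example.com
then echo "sample: key matches committer e-mail"
fi
```

Source the file in Git Bash and call check_git_signing to test your real configuration; a MISMATCH means the key has no usable user ID for the email Git puts on your commits.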

What Happens Now

Every time you commit:

git add .
git commit -m "my signed commit"

A window asks for your GPG password. Enter it. Commit is signed.

On Codeberg, your commits now show a “Verified” badge.

That’s It

Setup takes five minutes. After that, you just type your password on each commit. The green badge appears automatically.

For a hobby project, it’s a nice touch. Shows you care about keeping things legit.