How do I sign and annotate a tag in git?
In Git, tags can be either lightweight or annotated, and only annotated tags can be signed or include metadata like a message.
Here's how to create, sign, and annotate tags step by step.
1. Create an annotated tag
Annotated tags include a message, author, and date.
git tag -a v1.0.0 -m "Release version 1.0.0"
This creates a tag named v1.0.0 with a message.
You can also tag a specific commit:
git tag -a v1.0.0 <commit-hash> -m "Release version 1.0.0"
2. Create a signed tag (GPG)
To sign a tag, you need a GPG key set up in Git.
First, make sure Git knows your signing key:
git config --global user.signingkey <your-gpg-key-id>
Then create a signed tag:
git tag -s v1.0.0 -m "Signed release v1.0.0"
-s = sign with GPG
3. Verify a signed tag
To check if a tag is valid and signed:
git tag -v v1.0.0
4. Push tags to remote
Tags are not pushed automatically.
Push a single tag:
git push origin v1.0.0
Push all tags:
git push --tags
5. View tag details
To inspect an annotated tag:
git show v1.0.0
Quick comparison
| Type | Command | Has message | Signed |
|---|---|---|---|
| Lightweight | git tag v1.0.0 | No | No |
| Annotated | git tag -a ... | Yes | No |
| Signed | git tag -s ... | Yes | Yes |
Pro tips
- Use annotated tags for releases (best practice)
- Use signed tags for security-sensitive or public projects
- Combine flags if needed (-s already implies annotated)
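The three tag types in the comparison above can be told apart from the repository itself, which is useful as a check before a release is built from a tag. The script below is an added example, not part of the original answer; the function names tag_kind, require_verified_tag and make_demo_repo are hypothetical, and the demo repository with its signature-shaped tag message is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer; function names are hypothetical.

# tag_kind TAG: prints lightweight | annotated | signed | missing
tag_kind() {
  local tag="$1" type
  # A lightweight tag ref resolves straight to a commit; annotated and
  # signed tags resolve to a separate object of type "tag".
  type=$(git cat-file -t "refs/tags/$tag" 2>/dev/null) || { echo missing; return 1; }
  if [ "$type" != tag ]; then
    echo lightweight
  elif git cat-file tag "refs/tags/$tag" | grep -Eq '^-----BEGIN (PGP|SSH) SIGNATURE-----'; then
    echo signed   # a signature block is present; it has NOT been verified
  else
    echo annotated
  fi
}

# require_verified_tag TAG: succeeds only if the tag is signed AND verifies
require_verified_tag() {
  local tag="$1" kind
  kind=$(tag_kind "$tag") || :
  if [ "$kind" != signed ]; then
    echo "reject $tag: $kind tag, no signature" >&2; return 1
  fi
  # Same check as `git tag -v`: fails on a bad signature or a missing key.
  git verify-tag "$tag" >/dev/null 2>&1 ||
    { echo "reject $tag: signature does not verify" >&2; return 1; }
}

# make_demo_repo: builds a constructed throwaway repo and prints its path
make_demo_repo() {
  local dir; dir=$(mktemp -d) || return 1
  (
    cd "$dir" && git init -q . &&
    export GIT_CONFIG_GLOBAL=/dev/null \
           GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid \
           GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid &&
    git commit -q --allow-empty -m "initial commit" &&
    git tag v0.1.0 &&                                # lightweight
    git tag -a v1.0.0 -m "Release version 1.0.0" &&  # annotated
    # Constructed: signature-shaped text pasted into an unsigned tag message
    printf 'Release\n\n-----BEGIN PGP SIGNATURE-----\nconstructed\n-----END PGP SIGNATURE-----\n' |
      git tag -a v1.0.1 -F -
  ) >/dev/null 2>&1 || return 1
  echo "$dir"
}
```

The constructed v1.0.1 tag is reported as signed because it only contains a signature block, so a release gate should rely on require_verified_tag (or git tag -v) and not on the classification alone.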
If you want, I can also show how to set up a GPG key from scratch or use SSH signing instead (newer Git feature).
WARNING: AI can and will make mistakes. It is the user's responsibility to not blindly copy and paste anything from
an AI engine into any production environment.