Skill Detail

Sign agent-made Git commits with gitsign

Apply keyless Sigstore-backed signatures to Git commits so automated changes retain verifiable provenance.

Security & Verification Multi-Framework Security Reviewed
⭐ 1.1k GitHub stars
Install with any agent: `npx skills add agentskillexchange/skills --skill sign-agent-made-git-commits-with-gitsign`
Works best when you want a reusable capability, not another fragile one-off prompt.

At a glance

Tools required: git, gitsign
Install & setup: Install `gitsign`, configure Git to use it for commit signing, then create commits normally and verify the signatures in Git or your forge UI.
Author: Sigstore maintainers
Publisher: Organization
Last updated: Apr 17, 2026

Quick brief

Use this skill when an agent needs commit provenance, especially in repos where machine-made changes should still be attributable and verifiable. It fits workflows that want signed commits without managing long-lived GPG keys.

How it works

What this skill actually does

Invoke it instead of using gitsign as a raw product when the concrete job is to install the signing path, sign commits during normal Git work, and verify that the resulting signatures are present and usable in review or policy checks.

This stays skill-shaped because the scope is a specific operator workflow: sign and verify Git commits with keyless Sigstore identities. It is not a generic Sigstore or supply-chain product card.
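
The install, sign and verify workflow described above, sketched as an added example (not code from this page or from the Sigstore project). The function names are hypothetical, and the signer identity and OIDC issuer passed to `verify_head` are values the caller must supply for their own agent.

```shell
#!/bin/sh
# Added example: route one repository's commit signing through gitsign,
# audit that the routing is in place, and verify HEAD against a pinned signer.

# Set the repo-local Git options that gitsign documents for commit signing.
configure_gitsign() {
    repo=$1
    git -C "$repo" config --local gpg.format x509
    git -C "$repo" config --local gpg.x509.program gitsign
    git -C "$repo" config --local commit.gpgsign true
}

# Preflight for an agent: return 0 only if the effective config sends every
# commit to gitsign. Prints one DRIFT line per setting that deviates.
audit_gitsign() {
    repo=$1
    rc=0
    while read -r key want type; do
        # The optional third column asks Git to normalise the value (e.g. yes -> true).
        got=$(git -C "$repo" config ${type:+--type="$type"} --get "$key" 2>/dev/null || true)
        if [ "$got" != "$want" ]; then
            echo "DRIFT $key: want '$want', got '${got:-<unset>}'"
            rc=1
        fi
    done <<EOF
gpg.format x509
gpg.x509.program gitsign
commit.gpgsign true bool
EOF
    return $rc
}

# Verify HEAD and pin who signed it. A signature that merely exists proves
# little; the certificate identity and OIDC issuer must match the expected agent.
# Requires gitsign on PATH and network access to Sigstore.
verify_head() {
    repo=$1 identity=$2 issuer=$3
    ( cd "$repo" && gitsign verify \
        --certificate-identity="$identity" \
        --certificate-oidc-issuer="$issuer" HEAD )
}
```

Run `audit_gitsign` before the agent commits and `verify_head` in review or policy checks, so an unsigned or wrongly attributed commit fails early.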