Install `gitsign` from the Sigstore releases and configure Git to use it: `git config --global gpg.x509.program gitsign` and `git config --global gpg.format x509`
Set `commit.gpgsign = true` in your global or repo-level Git config to auto-sign all commits
When committing, gitsign opens a browser OIDC flow; complete the login to obtain a short-lived Fulcio signing certificate
Verify a signed commit with `gitsign verify --certificate-identity-regexp '...' --certificate-oidc-issuer https://accounts.google.com HEAD`
Push to GitHub; the commit will display a verified badge if the identity matches the GitHub account's associated email
Known gotchas
Gitsign certificates are short-lived (10 minutes); if the CI job takes longer than 10 minutes before the commit is signed, the certificate will have expired — trigger signing early in the workflow
Interactive OIDC browser flows cannot run in headless CI; use the `SIGSTORE_ID_TOKEN` environment variable set from the GitHub Actions OIDC token for non-interactive signing
Git's `--show-signature` flag only works for PGP signatures; use `gitsign verify` or `cosign` directly to inspect gitsign-signed commits
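As an added example (not part of the original route and not the gitsign project's own code), a POSIX shell script for the headless-CI gotcha above: it requests the GitHub Actions OIDC token, exports it as `SIGSTORE_ID_TOKEN`, applies the Git settings from the route, signs a commit right away, and verifies it. The `ACTIONS_ID_TOKEN_REQUEST_*` variables, the `sigstore` audience and the `https://token.actions.githubusercontent.com` issuer are GitHub Actions and Fulcio conventions; `WORKFLOW_FILE.yml` is a placeholder for the workflow's file name.

```shell
#!/bin/sh
# Non-interactive gitsign signing inside a GitHub Actions job (added example).
# The job must run with `permissions: id-token: write`; the runner then injects
# ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN.
set -eu

# Append the audience Fulcio expects to the runner's token-request URL.
build_token_url() {
  printf '%s&audience=sigstore' "$1"
}

# Pull the "value" field out of the runner's JSON reply ({"count":1,"value":"..."}).
extract_token_value() {
  sed -n 's/.*"value":"\([^"]*\)".*/\1/p'
}

# Exchange the runner's request token for an OIDC ID token.
request_oidc_token() {
  curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
    "$(build_token_url "$ACTIONS_ID_TOKEN_REQUEST_URL")" | extract_token_value
}

# Same Git settings as the route above, plus auto-signing of every commit.
configure_git_signing() {
  git config --global gpg.x509.program gitsign
  git config --global gpg.format x509
  git config --global commit.gpgsign true
}

# Certificate identity Fulcio puts in a workflow-issued certificate:
# the workflow file path in the repository plus the ref that ran it.
workflow_identity() {
  printf 'https://github.com/%s/.github/workflows/%s@%s' "$1" "$2" "$3"
}

main() {
  configure_git_signing
  # Request the token immediately before committing so the short-lived cert is fresh.
  SIGSTORE_ID_TOKEN="$(request_oidc_token)"; export SIGSTORE_ID_TOKEN
  git commit --allow-empty -m "ci: signed with gitsign"
  # Verify against the workflow identity; the issuer for Actions tokens is fixed.
  gitsign verify \
    --certificate-identity "$(workflow_identity "$GITHUB_REPOSITORY" WORKFLOW_FILE.yml "$GITHUB_REF")" \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com HEAD
}

# Only run the signing flow when the runner has injected the token-request variables.
if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
  main
fi
```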