Configuration
Commit Signing
GPG commit signing for enhanced security and change verification
Flipt v2 supports GPG commit signing to provide cryptographic verification of configuration changes. This feature ensures the authenticity and integrity of your feature flag modifications, creating a verifiable audit trail for compliance and security purposes.
This functionality is only available in Flipt v2 Pro. Learn
more about our commercial license or purchase a
license.
Why Use Commit Signing?
GPG commit signing provides several important benefits:- Authenticity Verification: Prove who made configuration changes with cryptographic signatures
- Integrity Assurance: Detect if commits have been tampered with after creation
- Compliance Support: Meet regulatory requirements for change management and audit trails
- Trust Enhancement: Team members can verify the source of feature flag changes
- Non-repudiation: Prevent disputes about who made specific changes
How It Works
When commit signing is enabled, Flipt automatically signs all commits to your flag configuration repository with a GPG key. These signatures can be verified by Git hosting services like GitHub, GitLab, and others, displaying a “Verified” badge next to signed commits.Prerequisites
Before enabling commit signing, ensure you have:- Secrets Management Configured: GPG keys are stored securely using secrets management
- GPG Key Pair: A valid GPG private/public key pair for signing
- Flipt Pro License: Commit signing is a Pro feature
For step-by-step instructions on setting up commit signing with GitHub and
other Git providers, see the Commit Signing Setup
Guide.