Flipt v2 supports GPG commit signing to provide cryptographic verification of configuration changes. This feature ensures the authenticity and integrity of your feature flag modifications, creating a verifiable audit trail for compliance and security purposes.Documentation Index
Fetch the complete documentation index at: https://docs.flipt.io/llms.txt
Use this file to discover all available pages before exploring further.
Why Use Commit Signing?
GPG commit signing provides several important benefits:- Authenticity Verification: Prove who made configuration changes with cryptographic signatures
- Integrity Assurance: Detect if commits have been tampered with after creation
- Compliance Support: Meet regulatory requirements for change management and audit trails
- Trust Enhancement: Team members can verify the source of feature flag changes
- Non-repudiation: Prevent disputes about who made specific changes
How It Works
When commit signing is enabled, Flipt automatically signs all commits to your flag configuration repository with a GPG key. These signatures can be verified by Git hosting services like GitHub, GitLab, and others, displaying a “Verified” badge next to signed commits.Prerequisites
Before enabling commit signing, ensure you have:- Secrets Management Configured: GPG keys are stored securely using secrets management
- GPG Key Pair: A valid GPG private/public key pair for signing
- Flipt Pro License: Commit signing is a Pro feature
For step-by-step instructions on setting up commit signing with GitHub and
other Git providers, see the Commit Signing Setup
Guide.