This error occurs when pushing to a GitHub branch that requires signed commits, but your commits are unsigned. You must configure GPG or SSH commit signing and re-sign your commits before pushing.
This error indicates that GitHub is rejecting your push because the target branch has branch protection rules requiring all commits to be cryptographically signed. GitHub supports this as a security measure to verify that commits genuinely come from the person they claim to be from. When branch protection is enabled with the "Require signed commits" option, every commit in your push must have a valid GPG or SSH signature that GitHub can verify. Unsigned commits, or commits signed with an unverified key, will be rejected with this GH006 error. This protection is commonly enabled on main/master branches in enterprise environments and open-source projects to prevent impersonation attacks where someone could forge commit author information.
First, verify whether you have any GPG keys available for signing:
```bash
gpg --list-secret-keys --keyid-format=long
```
If you see output with sec entries, you have keys available. Note the key ID after the algorithm (e.g., rsa4096/3AA5C34371567BD2 - the part after the slash is your key ID).
If no keys are listed, you'll need to generate one or use SSH signing instead.
If you don't have a GPG key, create one:
```bash
gpg --full-generate-key
```
Select the following options:
- Key type: RSA and RSA (default)
- Key size: 4096 bits (recommended)
- Expiration: Choose based on your security policy (1-2 years is common)
- Enter your name and the email address associated with your GitHub account
After generation, get your key ID:
```bash
gpg --list-secret-keys --keyid-format=long
```
Export your public key:
```bash
gpg --armor --export YOUR_KEY_ID
```
Copy the entire output including -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK-----.
Then add it to GitHub:
1. Go to GitHub.com → Settings → SSH and GPG keys
2. Click "New GPG key"
3. Paste your public key and save
Alternatively, use the GitHub CLI:
```bash
gpg --armor --export YOUR_KEY_ID | gh gpg-key add -
```
Tell Git which key to use for signing:
```bash
git config --global user.signingkey YOUR_KEY_ID
```
Enable automatic commit signing:
```bash
git config --global commit.gpgsign true
```
If you're on macOS and using GPG Suite, you may need to set the GPG program:
```bash
git config --global gpg.program gpg
```
On some systems, you might need to specify the full path:
```bash
# Quote the substitution so a path containing spaces is stored intact
git config --global gpg.program "$(which gpg)"
```
If you have unsigned commits that need to be pushed, you must re-sign them. For the most recent commit:
```bash
git commit --amend --no-edit -S
```
For multiple commits, use interactive rebase:
```bash
# Re-sign the last N commits
git rebase --exec 'git commit --amend --no-edit -S' HEAD~N
```
Replace N with the number of commits to re-sign. For example, to re-sign the last 3 commits:
```bash
git rebase --exec 'git commit --amend --no-edit -S' HEAD~3
```
Note: This rewrites commit history. If you've already shared these commits, you'll need to force push.
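To find the value of N before rebasing, the following added example (not part of the original page) reads Git's `%G?` signature status for each outgoing commit and reports how far back the oldest unsigned one sits. The function names are hypothetical, and it assumes linear history and GPG signing; SSH-signed commits are only recognised locally when `gpg.ssh.allowedSignersFile` is configured.

```bash
#!/usr/bin/env bash
# Added example: work out how many commits must be re-signed before a push.
# Both filters read one "<hash> <status>" pair per line, newest commit first,
# where <status> is git's %G? code: G = good signature, N = no signature,
# B = bad signature. Other codes (U, X, Y, R, E) need a manual look.

# Print the hashes of commits that carry no signature or a bad one.
unsigned_commits() {
  awk '$2 == "N" || $2 == "B" { print $1 }'
}

# Print the N for "git rebase --exec ... HEAD~N": the position of the oldest
# unsigned commit counted from HEAD. Prints 0 when nothing needs re-signing.
resign_depth() {
  awk '$2 == "N" || $2 == "B" { depth = NR } END { print depth + 0 }'
}

# Check a real range. Defaults to the commits not yet on the upstream branch.
# Assumptions: the range ends at HEAD and the history in it is linear.
# Returns 0 if every commit is signed, 1 if some are not, 2 if git failed.
check_push_range() {
  range="$1"
  [ -n "$range" ] || range='@{upstream}..HEAD'

  status=$(git log --format='%H %G?' "$range") || return 2
  depth=$(printf '%s\n' "$status" | resign_depth)

  if [ "$depth" -eq 0 ]; then
    echo "All commits in $range are signed."
    return 0
  fi

  echo "Unsigned or badly signed commits in $range:"
  printf '%s\n' "$status" | unsigned_commits
  echo "Re-sign with:"
  echo "  git rebase --exec 'git commit --amend --no-edit -S' HEAD~$depth"
  return 1
}

# Usage: check_push_range                       (upstream..HEAD)
#        check_push_range origin/main..HEAD     (explicit range)
```

This is a local check only: GitHub verifies signatures against the keys uploaded to your account, so a commit that passes here can still be rejected if the public key was never added.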
After re-signing, push your changes:
```bash
git push
```
If you rebased and rewrote history, you may need to force push:
```bash
git push --force-with-lease
```
The --force-with-lease flag is safer than --force as it prevents overwriting others' work.
If you prefer SSH keys over GPG, Git 2.34+ supports SSH signing:
```bash
# Configure SSH signing
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true
```
Add your SSH key to GitHub as a signing key:
1. Go to GitHub.com → Settings → SSH and GPG keys
2. Click "New SSH key"
3. Select "Signing Key" as the key type
4. Paste your public key
SSH signing is simpler to set up if you already use SSH for authentication.
Confirm that your commits are properly signed:
```bash
git log --show-signature -1
```
You should see "Good signature" in the output. You can also check on GitHub - signed commits show a "Verified" badge next to them.
To verify all commits in a range:
```bash
git log --show-signature HEAD~5..HEAD
```
Troubleshooting GPG agent issues: If signing fails with "gpg failed to sign the data", the GPG agent might not be running or configured correctly:
```bash
# Restart the GPG agent
gpgconf --kill gpg-agent
gpg-agent --daemon
# For macOS with pinentry-mac
echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
gpgconf --kill gpg-agent
```
Using different keys for different repositories: You can configure signing on a per-repository basis:
```bash
cd your-repo
git config user.signingkey YOUR_WORK_KEY_ID
git config commit.gpgsign true
```
GitHub Actions and signed commits: If your CI needs to push signed commits, you can use a GPG key stored in secrets:
```yaml
- name: Import GPG key
  run: echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --import
- name: Configure signing
  run: |
    git config user.signingkey ${{ secrets.GPG_KEY_ID }}
    git config commit.gpgsign true
```
Vigilant mode: GitHub offers "vigilant mode" which shows unsigned commits as unverified, even on branches without protection rules. Enable it in Settings → SSH and GPG keys → Vigilant mode.
Key expiration: Monitor your key expiration dates. You can extend a key's expiration without generating a new one:
```
gpg --edit-key YOUR_KEY_ID
gpg> expire
# Follow prompts to set new expiration
gpg> save
```
Then re-upload the updated public key to GitHub.