diff --git a/doc/misc/npm-config.md b/doc/misc/npm-config.md
index 8d439331845e1..45aaf9be9df2c 100644
--- a/doc/misc/npm-config.md
+++ b/doc/misc/npm-config.md
@@ -1034,6 +1034,17 @@ will also prevent _writing_ `npm-shrinkwrap.json` if `save` is true.
 
 This option is an alias for `--package-lock`.
 
+### sign-git-commit
+
+* Default: false
+* Type: Boolean
+
+If set to true, then the `npm version` command will commit the new package
+version using `-S` to add a signature.
+
+Note that git requires you to have set up GPG keys in your git configs
+for this to work properly.
+
 ### sign-git-tag
 
 * Default: false
diff --git a/lib/config/defaults.js b/lib/config/defaults.js
index 5c324239f2adf..46eb6ca5116bf 100644
--- a/lib/config/defaults.js
+++ b/lib/config/defaults.js
@@ -220,6 +220,7 @@ Object.defineProperty(exports, 'defaults', {get: function () {
     'send-metrics': false,
     shell: osenv.shell(),
     shrinkwrap: true,
+    'sign-git-commit': false,
     'sign-git-tag': false,
     'sso-poll-frequency': 500,
     'sso-type': 'oauth',
@@ -352,6 +353,7 @@ exports.types = {
   'send-metrics': Boolean,
   shell: String,
   shrinkwrap: Boolean,
+  'sign-git-commit': Boolean,
   'sign-git-tag': Boolean,
   'sso-poll-frequency': Number,
   'sso-type': [null, 'oauth', 'saml'],
diff --git a/lib/version.js b/lib/version.js
index a8bc3123a9c80..248f2fa0a17ca 100644
--- a/lib/version.js
+++ b/lib/version.js
@@ -294,9 +294,10 @@ function buildCommitArgs (args) {
 function _commit (version, localData, cb) {
   const options = { env: process.env }
   const message = npm.config.get('message').replace(/%s/g, version)
-  const sign = npm.config.get('sign-git-tag')
-  const commitArgs = buildCommitArgs([ 'commit', '-m', message ])
-  const flagForTag = sign ? '-sm' : '-am'
+  const signTag = npm.config.get('sign-git-tag')
+  const signCommit = npm.config.get('sign-git-commit')
+  const commitArgs = buildCommitArgs([ 'commit', signCommit ? '-S -m' : '-m', message ])
+  const flagForTag = signTag ? '-sm' : '-am'
 
   stagePackageFiles(localData, options).then(() => {
     return git.exec(commitArgs, options)
diff --git a/test/tap/tag-version-prefix.js b/test/tap/tag-version-prefix.js
index 9035e9fbdd5a0..555de1af16518 100644
--- a/test/tap/tag-version-prefix.js
+++ b/test/tap/tag-version-prefix.js
@@ -16,7 +16,7 @@ var packagePath = path.resolve(pkg, 'package.json')
 
 var json = { name: 'blah', version: '0.1.2' }
 
-var configContents = 'sign-git-tag=false\nmessage=":bookmark: %s"\n'
+var configContents = 'sign-git-commit=false\nsign-git-tag=false\nmessage=":bookmark: %s"\n'
 
 test('npm version <semver> with message config', function (t) {
   setup()
diff --git a/test/tap/version-from-git.js b/test/tap/version-from-git.js
index 330b0604d8c47..1dc649beb4212 100644
--- a/test/tap/version-from-git.js
+++ b/test/tap/version-from-git.js
@@ -22,6 +22,7 @@ test('npm version from-git with a valid tag creates a new commit', function (t)
 
   function runVersion (er) {
     t.ifError(er, 'git tag ran without error')
+    npm.config.set('sign-git-commit', false)
     npm.config.set('sign-git-tag', false)
     npm.commands.version(['from-git'], checkVersion)
   }
@@ -51,6 +52,7 @@ test('npm version from-git with a valid tag updates the package.json version', f
 
   function runVersion (er) {
     t.ifError(er, 'git tag ran without error')
+    npm.config.set('sign-git-commit', false)
     npm.config.set('sign-git-tag', false)
     npm.commands.version(['from-git'], checkManifest)
   }
@@ -75,6 +77,7 @@ test('npm version from-git strips tag-version-prefix', function (t) {
 
   function runVersion (er) {
     t.ifError(er, 'git tag ran without error')
+    npm.config.set('sign-git-commit', false)
     npm.config.set('sign-git-tag', false)
     npm.config.set('tag-version-prefix', prefix)
     npm.commands.version(['from-git'], checkVersion)
@@ -107,6 +110,7 @@ test('npm version from-git only strips tag-version-prefix if it is a prefix', fu
 
   function runVersion (er) {
     t.ifError(er, 'git tag ran without error')
+    npm.config.set('sign-git-commit', false)
     npm.config.set('sign-git-tag', false)
     npm.config.set('tag-version-prefix', prefix)
     npm.commands.version(['from-git'], checkVersion)
@@ -137,6 +141,7 @@ test('npm version from-git with an existing version', function (t) {
 
   function runVersion (er) {
     t.ifError(er, 'git tag ran without error')
+    npm.config.set('sign-git-commit', false)
     npm.config.set('sign-git-tag', false)
     npm.commands.version(['from-git'], checkVersion)
   }
@@ -154,6 +159,7 @@ test('npm version from-git with an invalid version tag', function (t) {
 
   function runVersion (er) {
     t.ifError(er, 'git tag ran without error')
+    npm.config.set('sign-git-commit', false)
     npm.config.set('sign-git-tag', false)
     npm.commands.version(['from-git'], checkVersion)
   }
@@ -170,6 +176,7 @@ test('npm version from-git without any versions', function (t) {
 
   function runVersion (er) {
     t.ifError(er, 'created git repo without errors')
+    npm.config.set('sign-git-commit', false)
     npm.config.set('sign-git-tag', false)
     npm.commands.version(['from-git'], checkVersion)
   }
diff --git a/test/tap/version-git-not-clean.js b/test/tap/version-git-not-clean.js
index 22ffb7c987b09..43e2549ceb280 100644
--- a/test/tap/version-git-not-clean.js
+++ b/test/tap/version-git-not-clean.js
@@ -59,6 +59,7 @@ test('npm version <semver> --force with working directory not clean', function (
   common.npm(
     [
       '--force',
+      '--no-sign-git-commit',
       '--no-sign-git-tag',
       '--registry', common.registry,
       '--prefix', pkg,
diff --git a/test/tap/version-lifecycle.js b/test/tap/version-lifecycle.js
index 3b4fb50b24617..e7a7793b44507 100644
--- a/test/tap/version-lifecycle.js
+++ b/test/tap/version-lifecycle.js
@@ -11,7 +11,7 @@ var npm = require('../../')
 var pkg = path.resolve(__dirname, 'version-lifecycle')
 var cache = path.resolve(pkg, 'cache')
 var npmrc = path.resolve(pkg, './.npmrc')
-var configContents = 'sign-git-tag=false\n'
+var configContents = 'sign-git-commit=false\nsign-git-tag=false\n'
 
 test('npm version <semver> with failing preversion lifecycle script', function (t) {
   setup()
@@ -25,7 +25,12 @@ test('npm version <semver> with failing preversion lifecycle script', function (
     }
   }), 'utf8')
   fs.writeFileSync(path.resolve(pkg, 'fail.js'), 'process.exit(50)', 'utf8')
-  npm.load({cache: cache, 'sign-git-tag': false, registry: common.registry}, function () {
+  npm.load({
+    cache: cache,
+    'sign-git-commit': false,
+    'sign-git-tag': false,
+    registry: common.registry
+  }, function () {
     var version = require('../../lib/version')
     version(['patch'], function (err) {
       t.ok(err)
@@ -47,7 +52,12 @@ test('npm version <semver> with failing version lifecycle script', function (t)
     }
   }), 'utf8')
   fs.writeFileSync(path.resolve(pkg, 'fail.js'), 'process.exit(50)', 'utf8')
-  npm.load({cache: cache, 'sign-git-tag': false, registry: common.registry}, function () {
+  npm.load({
+    cache: cache,
+    'sign-git-commit': false,
+    'sign-git-tag': false,
+    registry: common.registry
+  }, function () {
     var version = require('../../lib/version')
     version(['patch'], function (err) {
       t.ok(err)
@@ -69,7 +79,12 @@ test('npm version <semver> with failing postversion lifecycle script', function
     }
   }), 'utf8')
   fs.writeFileSync(path.resolve(pkg, 'fail.js'), 'process.exit(50)', 'utf8')
-  npm.load({cache: cache, 'sign-git-tag': false, registry: common.registry}, function () {
+  npm.load({
+    cache: cache,
+    'sign-git-commit': false,
+    'sign-git-tag': false,
+    registry: common.registry
+  }, function () {
     var version = require('../../lib/version')
     version(['patch'], function (err) {
       t.ok(err)
@@ -95,7 +110,12 @@ test('npm version <semver> execution order', function (t) {
   makeScript('preversion')
   makeScript('version')
   makeScript('postversion')
-  npm.load({cache: cache, 'sign-git-tag': false, registry: common.registry}, function () {
+  npm.load({
+    cache: cache,
+    'sign-git-commit': false,
+    'sign-git-tag': false,
+    registry: common.registry
+  }, function () {
     common.makeGitRepo({path: pkg}, function (err, git) {
       t.ifError(err, 'git bootstrap ran without error')
 
diff --git a/test/tap/version-message-config.js b/test/tap/version-message-config.js
index fca0d5d9af80d..12cb6eb59912d 100644
--- a/test/tap/version-message-config.js
+++ b/test/tap/version-message-config.js
@@ -16,7 +16,7 @@ var packagePath = path.resolve(pkg, 'package.json')
 
 var json = { name: 'blah', version: '0.1.2' }
 
-var configContents = 'sign-git-tag=false\nmessage=":bookmark: %s"\n'
+var configContents = 'sign-git-commit=false\nsign-git-tag=false\nmessage=":bookmark: %s"\n'
 
 test('npm version <semver> with message config', function (t) {
   setup()
diff --git a/test/tap/version-sub-directory.js b/test/tap/version-sub-directory.js
index 52074a18e7a2b..71c96121ca7d7 100644
--- a/test/tap/version-sub-directory.js
+++ b/test/tap/version-sub-directory.js
@@ -32,6 +32,7 @@ test('npm version <semver> from a subdirectory', function (t) {
   function version (er, stdout, stderr) {
     t.ifError(er, 'git repo initialized without issue')
     t.notOk(stderr, 'no error output')
+    npm.config.set('sign-git-commit', false)
     npm.config.set('sign-git-tag', false)
     npm.commands.version(['patch'], checkVersion)
   }
diff --git a/test/tap/version-update-shrinkwrap.js b/test/tap/version-update-shrinkwrap.js
index d9f54d6872450..58264e9926c03 100644
--- a/test/tap/version-update-shrinkwrap.js
+++ b/test/tap/version-update-shrinkwrap.js
@@ -28,6 +28,7 @@ test('npm version <semver> updates git works with no shrinkwrap', function (t) {
   setup()
   rimraf.sync(path.resolve(pkg, 'npm-shrinkwrap.json'))
 
+  npm.config.set('sign-git-commit', false)
   npm.config.set('sign-git-tag', false)
 
   common.makeGitRepo({
@@ -70,6 +71,7 @@ test('npm version <semver> updates git works with no shrinkwrap', function (t) {
 test('npm version <semver> updates shrinkwrap and updates git', function (t) {
   setup()
 
+  npm.config.set('sign-git-commit', false)
   npm.config.set('sign-git-tag', false)
 
   common.makeGitRepo({