diff --git a/app/models/gpg_signature.rb b/app/models/gpg_signature.rb
index d3cca19cea8..e783c3b24e4 100644
--- a/app/models/gpg_signature.rb
+++ b/app/models/gpg_signature.rb
@@ -23,8 +23,13 @@ class GpgSignature < ActiveRecord::Base
 
   def gpg_key=(model)
     case model
-    when GpgKey       then super
-    when GpgKeySubkey then self.gpg_key_subkey = model
+    when GpgKey
+      super
+    when GpgKeySubkey
+      self.gpg_key_subkey = model
+    when NilClass
+      super
+      self.gpg_key_subkey = nil
     end
   end
 
diff --git a/changelogs/unreleased/36829-add-ability-to-verify-gpg-subkeys b/changelogs/unreleased/36829-add-ability-to-verify-gpg-subkeys.yml
similarity index 100%
rename from changelogs/unreleased/36829-add-ability-to-verify-gpg-subkeys
rename to changelogs/unreleased/36829-add-ability-to-verify-gpg-subkeys.yml
diff --git a/db/migrate/20170927161718_create_gpg_key_subkeys.rb b/db/migrate/20170927161718_create_gpg_key_subkeys.rb
index ffe06ce1231..c03c40416a8 100644
--- a/db/migrate/20170927161718_create_gpg_key_subkeys.rb
+++ b/db/migrate/20170927161718_create_gpg_key_subkeys.rb
@@ -3,11 +3,11 @@ class CreateGpgKeySubkeys < ActiveRecord::Migration
 
   def up
     create_table :gpg_key_subkeys do |t|
+      t.references :gpg_key, null: false, index: true, foreign_key: { on_delete: :cascade }
+
       t.binary :keyid
       t.binary :fingerprint
 
-      t.references :gpg_key, null: false, index: true, foreign_key: { on_delete: :cascade }
-
       t.index :keyid, unique: true, length: Gitlab::Database.mysql? ? 20 : nil
       t.index :fingerprint, unique: true, length: Gitlab::Database.mysql? ? 20 : nil
     end
diff --git a/db/post_migrate/20171002161539_create_gpg_key_subkeys_for_existing_gpg_keys.rb b/db/post_migrate/20171002161539_create_gpg_key_subkeys_for_existing_gpg_keys.rb
index 355fbfbbede..346dfb1a4b6 100644
--- a/db/post_migrate/20171002161539_create_gpg_key_subkeys_for_existing_gpg_keys.rb
+++ b/db/post_migrate/20171002161539_create_gpg_key_subkeys_for_existing_gpg_keys.rb
@@ -28,8 +28,10 @@ class CreateGpgKeySubkeysForExistingGpgKeys < ActiveRecord::Migration
   end
 
   def up
-    GpgKey.each_batch do |batch|
+    GpgKey.with_subkeys.each_batch do |batch|
       batch.each do |gpg_key|
+        return if gpg_key.subkeys.any?
+
         create_subkeys(gpg_key) && update_signatures(gpg_key)
       end
     end
diff --git a/db/schema.rb b/db/schema.rb
index b9de70b742a..3bcfbcc3fd1 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -580,9 +580,9 @@ ActiveRecord::Schema.define(version: 20171004121444) do
   add_index "forked_project_links", ["forked_to_project_id"], name: "index_forked_project_links_on_forked_to_project_id", unique: true, using: :btree
 
   create_table "gpg_key_subkeys", force: :cascade do |t|
+    t.integer "gpg_key_id", null: false
     t.binary "keyid"
     t.binary "fingerprint"
-    t.integer "gpg_key_id", null: false
   end
 
   add_index "gpg_key_subkeys", ["fingerprint"], name: "index_gpg_key_subkeys_on_fingerprint", unique: true, using: :btree
diff --git a/lib/gitlab/gpg/commit.rb b/lib/gitlab/gpg/commit.rb
index 961c57ec0e6..0f4ba6f83fc 100644
--- a/lib/gitlab/gpg/commit.rb
+++ b/lib/gitlab/gpg/commit.rb
@@ -43,6 +43,8 @@ module Gitlab
           # key belonging to the keyid.
           # This way we can add the key to the temporary keychain and extract
           # the proper signature.
+          # NOTE: the invoked method is #fingerprint but it's only returning
+          # 16 characters (the format used by keyid) instead of 40.
           gpg_key = find_gpg_key(verified_signature.fingerprint)
 
           if gpg_key