diff --git a/lib/util/git/private-key.spec.ts b/lib/util/git/private-key.spec.ts
index 36fb4ba75e8f16f2017a5191b97a97bd02339c46..f13c5d40a7862f20e49862a397c2e33907a187bf 100644
--- a/lib/util/git/private-key.spec.ts
+++ b/lib/util/git/private-key.spec.ts
@@ -1,4 +1,7 @@
-import { mocked } from '../../../test/util';
+import os from 'node:os';
+import { any, mockDeep } from 'jest-mock-extended';
+import upath from 'upath';
+import { mockedExtended } from '../../../test/util';
 import * as exec_ from '../exec';
 import { configSigningKey, writePrivateKey } from './private-key';
 import { setPrivateKey } from '.';
@@ -10,9 +13,9 @@ jest.mock('fs-extra', () =>
     >('../../../test/fixtures')
     .fsExtra(),
 );
-jest.mock('../exec');
+jest.mock('../exec', () => mockDeep());
 
-const exec = mocked(exec_);
+const exec = mockedExtended(exec_);
 
 describe('util/git/private-key', () => {
   describe('writePrivateKey()', () => {
@@ -23,21 +26,40 @@ describe('util/git/private-key', () => {
 
     it('throws error if failing', async () => {
       setPrivateKey('some-key');
-      exec.exec.mockRejectedValueOnce({
-        stderr: `something wrong`,
-        stdout: '',
-      });
+      exec.exec.calledWith(any()).mockResolvedValue({ stdout: '', stderr: '' });
+      exec.exec
+        .calledWith(
+          `gpg --import ${upath.join(os.tmpdir() + '/git-private-gpg.key')}`,
+        )
+        .mockRejectedValueOnce({
+          stderr: `something wrong`,
+          stdout: '',
+        });
       await expect(writePrivateKey()).rejects.toThrow();
     });
 
     it('imports the private key', async () => {
+      const publicKey = 'BADC0FFEE';
+      const repoDir = '/tmp/some-repo';
+      exec.exec.calledWith(any()).mockResolvedValue({ stdout: '', stderr: '' });
+      exec.exec
+        .calledWith(
+          `gpg --import ${upath.join(os.tmpdir() + '/git-private-gpg.key')}`,
+        )
+        .mockResolvedValueOnce({
+          stderr: `gpg: key ${publicKey}: secret key imported\nfoo\n`,
+          stdout: '',
+        });
       setPrivateKey('some-key');
-      exec.exec.mockResolvedValueOnce({
-        stderr: `gpg: key BADC0FFEE: secret key imported\nfoo\n`,
-        stdout: '',
-      });
       await expect(writePrivateKey()).resolves.not.toThrow();
-      await expect(configSigningKey('/tmp/some-repo')).resolves.not.toThrow();
+      await expect(configSigningKey(repoDir)).resolves.not.toThrow();
+      expect(exec.exec).toHaveBeenCalledWith(
+        `git config user.signingkey ${publicKey}`,
+        { cwd: repoDir },
+      );
+      expect(exec.exec).toHaveBeenCalledWith('git config commit.gpgsign true', {
+        cwd: repoDir,
+      });
     });
 
     it('does not import the key again', async () => {
diff --git a/test/util.ts b/test/util.ts
index ee4add46615be09a71da74e5be8ea9554f13a55f..406322b91481877ff5c806dde2463490b94ba902 100644
--- a/test/util.ts
+++ b/test/util.ts
@@ -1,5 +1,6 @@
 import crypto from 'node:crypto';
 import { expect, jest } from '@jest/globals';
+import type { DeepMockProxy } from 'jest-mock-extended';
 import type { Plugin } from 'pretty-format';
 import upath from 'upath';
 import type { RenovateConfig } from '../lib/config/types';
@@ -20,6 +21,14 @@ export function mocked<T extends object>(module: T): jest.Mocked<T> {
   return jest.mocked(module);
 }
 
+/**
+ * Simple wrapper for getting mocked version of a module
+ * @param module module which is mocked by `jest-mock-extended.mockDeep`
+ */
+export function mockedExtended<T extends object>(module: T): DeepMockProxy<T> {
+  return module as DeepMockProxy<T>;
+}
+
 /**
  * Simple wrapper for getting mocked version of a function
  * @param func function which is mocked by `jest.mock`