You can sign commits and tags locally, to give other people confidence about the origin of a change you have made. If a commit or tag has a GPG or S/MIME signature that is cryptographically verifiable, GitHub marks the commit or tag "Verified" or "Partially verified."
Commits and tags have the following verification statuses, depending on whether you have enabled vigilant mode. By default vigilant mode is not enabled. For information on how to enable vigilant mode, see "Displaying verification statuses for all of your commits."
| Status | Description |
| --- | --- |
| Verified | The commit is signed and the signature was successfully verified. |
| Unverified | The commit is signed but the signature could not be verified. |
| No verification status | The commit is not signed. |
| Partially verified | The commit is signed, and the signature was successfully verified, but the commit has an author who: a) is not the committer and b) has enabled vigilant mode. In this case, the commit signature doesn't guarantee the consent of the author, so the commit is only partially verified. |
Repository administrators can enforce required commit signing on a branch to block all commits that are not signed and verified. For more information, see "About protected branches."
You can check the verification status of your signed commits or tags on GitHub and see why your commit signatures might be unverified. For more information, see "Checking your commit and tag signature verification status."
GitHub will automatically use GPG to sign commits you make using the GitHub web interface. Commits signed by GitHub will have a verified status on GitHub. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg. The full fingerprint of the key is 5DE3 E050 9C47 EA3C F04A 42D3 4AEE 18F8 3AFD EB23.
You can optionally choose to have GitHub sign commits you make in Codespaces. For more information about enabling GPG verification for your codespaces, see "Managing GPG verification for Codespaces."
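The local check described above, as an added example that is not part of the GitHub documentation: import the web-flow key, confirm that the imported key's fingerprint matches the one published on this page (comparing the canonical form, since the page shows it with spaces and gpg prints it without), and then verify a commit. It assumes `gpg`, `git` and `curl` are installed; the commit reference passed to `verify_commit` is a placeholder you supply.

```shell
#!/bin/sh
# Added example (not GitHub's own tooling): verify commits that GitHub signed
# with its web-flow key. Assumes gpg, git and curl are on PATH.

# Fingerprint as published on the page.
EXPECTED_WEB_FLOW_FPR="5DE3 E050 9C47 EA3C F04A 42D3 4AEE 18F8 3AFD EB23"

# Canonicalise a fingerprint: strip whitespace and upper-case it, so the
# spaced form shown on the web page and gpg's compact form compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Return 0 if the two fingerprints name the same key, 1 otherwise.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Import the key GitHub publishes and check it against the expected fingerprint.
# --with-colons gives machine-readable output; the "fpr" record carries the
# fingerprint in field 10, so the check does not depend on gpg's display layout.
import_web_flow_key() {
    curl -fsSL https://github.com/web-flow.gpg | gpg --import || return 1
    imported_fpr=$(gpg --with-colons --fingerprint "$(normalize_fpr "$EXPECTED_WEB_FLOW_FPR")" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    if fpr_matches "$imported_fpr" "$EXPECTED_WEB_FLOW_FPR"; then
        echo "web-flow key fingerprint matches the published value"
    else
        echo "fingerprint mismatch or key not imported: got '$imported_fpr'" >&2
        return 1
    fi
}

# Verify one commit's signature. git reports the signer and gpg's verdict;
# a non-zero exit means the signature is missing, bad, or made by an unknown key.
verify_commit() {
    git verify-commit "$1"
}
```

Typical use is `import_web_flow_key && verify_commit <commit>` inside a clone; a "fingerprint mismatch" result means the key you fetched is not the one this page describes and nothing it signed should be trusted on that basis.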
You can use GPG to sign commits with a GPG key that you generate yourself.
GitHub uses OpenPGP libraries to confirm that your locally signed commits and tags are cryptographically verifiable against a public key you have added to your account on GitHub.com.
To sign commits using GPG and have those commits verified on GitHub, follow these steps:
- Check for existing GPG keys
- Generate a new GPG key
- Add a new GPG key to your GitHub account
- Tell Git about your signing key
- Sign commits
- Sign tags
You can use S/MIME to sign commits with an X.509 key issued by your organization.
GitHub uses the Debian ca-certificates package, the same trust store used by Mozilla browsers, to confirm that your locally signed commits and tags are cryptographically verifiable against a public key in a trusted root certificate.
Note: S/MIME signature verification is available in Git 2.19 or later. To update your version of Git, see the Git website.
To sign commits using S/MIME and have those commits verified on GitHub, follow these steps:
You don't need to upload your public key to GitHub.
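The "tell Git about your signing key" step for both methods above (GPG and S/MIME), as an added example that is not part of the GitHub documentation. It reads the long key ID out of `gpg --list-secret-keys --keyid-format=long` output, checks that the local Git is at least 2.19 before enabling S/MIME (the caveat in the note above), and then sets the standard Git configuration keys `gpg.format`, `user.signingkey`, `gpg.x509.program`, `commit.gpgsign` and `tag.gpgSign`. The `smimesign` helper named for S/MIME is an assumption about your environment, not something this page specifies; the key-listing text used for the check is a constructed sample.

```shell
#!/bin/sh
# Added example, not GitHub's own tooling. Assumes gpg and git are installed,
# and for S/MIME an X.509 signing helper reachable as "smimesign" (assumption).

# Extract the long key ID from `gpg --list-secret-keys --keyid-format=long`
# output read on stdin, e.g.
#   sec   rsa4096/3AA5C34371567BD2 2016-03-10 [SC]   ->   3AA5C34371567BD2
# Only the primary key ("sec" line) is used; subkeys ("ssb") are ignored.
extract_gpg_keyid() {
    sed -n 's/^sec[^/]*\/\([0-9A-Fa-f]\{16\}\).*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 is >= version $2 (numeric, field by field).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

# Given a `git --version` line, return 0 if S/MIME verification is supported,
# i.e. the version is 2.19 or later as the page states.
git_supports_smime() {
    ver=$(printf '%s' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] && version_ge "$ver" "2.19"
}

# Configure Git to sign every commit and tag with the given long GPG key ID.
configure_gpg_signing() {
    [ -n "$1" ] || { echo "usage: configure_gpg_signing <long-key-id>" >&2; return 1; }
    git config --global gpg.format openpgp
    git config --global user.signingkey "$1"
    git config --global commit.gpgsign true
    git config --global tag.gpgSign true
}

# Configure Git to sign with an X.509 certificate through the smimesign helper.
# Refuses to proceed on a Git older than 2.19, where verification is unsupported.
configure_smime_signing() {
    git_supports_smime "$(git --version)" || {
        echo "Git 2.19 or later is required for S/MIME signature verification" >&2
        return 1
    }
    git config --global gpg.format x509
    git config --global gpg.x509.program smimesign   # assumed helper name
    git config --global commit.gpgsign true
    git config --global tag.gpgSign true
}

# Example use for GPG: pick the first secret key and wire it up.
#   keyid=$(gpg --list-secret-keys --keyid-format=long | extract_gpg_keyid)
#   configure_gpg_signing "$keyid"
# Afterwards `git commit -S` and `git tag -s` produce signed objects, and with
# commit.gpgsign / tag.gpgSign set they are signed by default.
```

With `commit.gpgsign` and `tag.gpgSign` enabled globally, forgetting `-S` or `-s` no longer produces an unsigned object, which is what makes a branch rule that requires signed commits workable day to day.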
Organizations and GitHub Apps that require commit signing can use bots to sign commits. If a commit or tag has a bot signature that is cryptographically verifiable, GitHub marks the commit or tag as verified.
Signature verification for bots will only work if the request is verified and authenticated as the GitHub App or bot and contains no custom author information, no custom committer information, and no custom signature information, such as can be supplied through the Commits API.