Skip to main content

About commit signature verification

Using GPG, SSH, or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub AE so other people can be confident that the changes come from a trusted source.

About commit signature verification

You can sign commits and tags locally, to give other people confidence about the origin of a change you have made. If a commit or tag has a GPG, SSH, or S/MIME signature that is cryptographically verifiable, GitHub AE marks the commit or tag "Verified."

Verified commit

If a commit or tag has a signature that can't be verified, GitHub AE marks the commit or tag "Unverified."

For most individual users, GPG or SSH will be the best choice for signing commits. S/MIME signatures are usually required in the context of a larger organization. SSH signatures are the simplest to generate. You can even upload your existing authentication key to GitHub AE to also use as a signing key. Generating a GPG signing key is more involved than generating an SSH key, but GPG has features that SSH does not. A GPG key can expire or be revoked when no longer used. GitHub AE shows commits that were signed with such a key as "Verified" unless the key was marked as compromised. SSH keys don't have this capability.

Repository administrators can enforce required commit signing on a branch to block all commits that are not signed and verified. For more information, see "About protected branches."

您可以在 GitHub AE 上检查已签名提交或标记的验证状态,并查看提交签名未验证的原因。 有关详细信息,请参阅“检查提交和标记签名验证状态”。

GPG commit signature verification

You can use GPG to sign commits with a GPG key that you generate yourself.

GitHub AE uses OpenPGP libraries to confirm that your locally signed commits and tags are cryptographically verifiable against a public key you have added to your account on GitHub AE.

To sign commits using GPG and have those commits verified on GitHub AE, follow these steps:

  1. Check for existing GPG keys
  2. Generate a new GPG key
  3. Add a GPG key to your GitHub account
  4. Tell Git about your signing key
  5. Sign commits
  6. Sign tags

SSH commit signature verification

You can use SSH to sign commits with an SSH public key that you generate yourself. If you already use an SSH key to authenticate with GitHub AE, you can also upload that same key again for use as a signing key. There's no limit on the number of signing keys you can add to your account.

GitHub AE uses ssh_data, an open source Ruby library, to confirm that your locally signed commits and tags are cryptographically verifiable against a public key you have added to your account on GitHub AE.

Note: SSH signature verification is available in Git 2.34 or later. To update your version of Git, see the Git website.

To sign commits using SSH and have those commits verified on GitHub AE, follow these steps:

  1. Check for existing SSH keys
  2. Generate a new SSH key
  3. Add a SSH signing key to your GitHub account
  4. Tell Git about your signing key
  5. Sign commits
  6. Sign tags

S/MIME commit signature verification

You can use S/MIME to sign commits with an X.509 key issued by your organization.

GitHub AE uses the Debian ca-certificates package, the same trust store used by Mozilla browsers, to confirm that your locally signed commits and tags are cryptographically verifiable against a public key in a trusted root certificate.

注意:S/MIME 签名验证可用于 Git 2.19 或更高版本。 若要更新 Git 版本,请参阅 Git 网站。

To sign commits using S/MIME and have those commits verified on GitHub AE, follow these steps:

  1. Tell Git about your signing key
  2. Sign commits
  3. Sign tags

You don't need to upload your public key to GitHub AE.

Further reading