Skip to main content

Managing GPG verification for GitHub Codespaces

You can allow GitHub to automatically use GPG to sign commits you make in your codespaces, so other people can be confident that the changes come from a trusted source.

After you enable GPG verification, GitHub will automatically sign commits you make in GitHub Codespaces, and the commits will have a verified status on GitHub. By default, GPG verification is disabled for codespaces you create. You can choose to allow GPG verification for all repositories or specific repositories. Only enable GPG verification for repositories that you trust. For more information about GitHub-signed commits, see "About commit signature verification."

Note: If you have linked a dotfiles repository with GitHub Codespaces, the Git configuration in your dotfiles may conflict with the configuration that GitHub Codespaces requires to sign commits. For more information, see "Troubleshooting GPG verification for GitHub Codespaces."

  1. In the upper-right corner of any page, click your profile photo, then click Settings.

    Screenshot of GitHub's account menu showing options for users to view and edit their profile, content, and settings. The menu item "Settings" is outlined in dark orange.

  2. In the "Code, planning, and automation" section of the sidebar, click Codespaces.

  3. Under "GPG verification", select the setting you want for GPG verification:

    • Disabled - GPG will not be available in your codespaces.
    • All repositories - GPG will be available for codespaces for all repositories.
    • Selected repositories - GPG will be available for codespace created from the selected repositories.
  4. If you chose "Selected repositories", select the "Select repositories" dropdown menu, then click a repository you want enable GPG verification for. Repeat this step for all repositories you want to enable GPG verification for.

Once you enable GPG verification, it will automatically take effect in any new codespaces you create from the relevant repositories. To have GPG verification take effect in an existing active codespace, you will need to stop and restart the codespace. For more information, see "Stopping and starting a codespace."