Managing GPG verification for GitHub Codespaces

You can allow GitHub to automatically use GPG to sign commits you make in your codespaces, so other people can be confident that the changes come from a trusted source.

After you enable GPG verification, GitHub will automatically sign commits you make in GitHub Codespaces, and the commits will have a verified status on GitHub Enterprise Cloud. By default, GPG verification is disabled for codespaces you create. You can choose to allow GPG verification for all repositories or specific repositories. Only enable GPG verification for repositories that you trust. For more information about GitHub Enterprise Cloud-signed commits, see "About commit signature verification."

Once you enable GPG verification, it will automatically take effect in any new codespaces you create from the relevant repositories. To have GPG verification take effect in an existing active codespace, you will need to stop and restart the codespace. For more information, see "Stopping and starting a codespace."

Note: If you have linked a dotfiles repository with GitHub Codespaces, the Git configuration in your dotfiles may conflict with the configuration that GitHub Codespaces requires to sign commits. For more information, see "Troubleshooting GPG verification for GitHub Codespaces."

  1. In the upper-right corner of any page, click your profile photo, then click Settings.

  2. In the "Code, planning, and automation" section of the sidebar, click Codespaces.

  3. Under "GPG verification", select the setting you want for GPG verification.

  4. If you chose "Selected repositories", select the dropdown menu, then click a repository you want to enable GPG verification for. Repeat for all repositories you want to enable GPG verification for.

Once you have enabled GPG verification for GitHub Codespaces, all commits are signed by default in your codespaces.