Explore by product

GitHub.com
English

This version of GitHub Enterprise will be discontinued on This version of GitHub Enterprise was discontinued on 2020-08-20. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise support.

Article version: Enterprise Server 2.18
GitHub.com Enterprise Server 2.21 Enterprise Server 2.20 Enterprise Server 2.19 Enterprise Server 2.18

About commit signature verification

Using GPG or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub Enterprise so other people can trust that the changes come from a trusted source.

In this article

About commit signature verification

You can sign commits and tags locally, so other people can verify that your work comes from a trusted source. If a commit or tag has a GPG or S/MIME signature that is cryptographically verifiable, GitHub Enterprise marks the commit or tag as verified.

Verified commit

If a commit or tag has a signature that cannot be verified, GitHub Enterprise marks the commit or tag as unverified.

Repository administrators can enforce required commit signing on a branch to block all commits that are not signed and verified. For more information, see "About required commit signing."

You can check the verification status of your signed commits or tags on GitHub Enterprise and view why your commit signatures might be unverified. For more information, see "Checking your commit and tag signature verification status."

GPG commit signature verification

You can use GPG to sign commits with a GPG key that you generate yourself.

GitHub Enterprise uses OpenPGP libraries to confirm that your locally signed commits and tags are cryptographically verifiable against a public key you have added to your GitHub Enterprise account.

To sign commits using GPG and have those commits verified on GitHub Enterprise, follow these steps:

  1. Check for existing GPG keys
  2. Generate a new GPG key
  3. Add a new GPG key to your GitHub account
  4. Tell Git about your signing key
  5. Sign commits
  6. Sign tags

S/MIME commit signature verification

You can use S/MIME to sign commits with an X.509 key issued by your organization.

GitHub Enterprise uses the Debian ca-certificates package, the same trust store used by Mozilla browsers, to confirm that your locally signed commits and tags are cryptographically verifiable against a public key in a trusted root certificate.

Note: S/MIME signature verification is available in Git 2.19 or later. To update your version of Git, see the Git website.

To sign commits using S/MIME and have those commits verified on GitHub Enterprise, follow these steps:

  1. Tell Git about your signing key
  2. Sign commits
  3. Sign tags

You don't need to upload your public key to GitHub Enterprise.

Further reading

Ask a human

Can't find what you're looking for?

Contact us

Product

Platform

Support

Company