Managing commit signature verification

Using GPG, SSH, or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub Enterprise Server so other people can be confident that the changes come from a trusted source.

You can enable vigilant mode for commit signature verification to mark all of your commits and tags with a signature verification status.

Before you generate a GPG key, you can check to see if you have any existing GPG keys.

If you don't have an existing GPG key, you can generate a new GPG key to use for signing commits and tags.

To configure your account on your GitHub Enterprise Server instance to use your new (or existing) GPG key, you'll also need to add the key to your account.

To sign commits locally, you need to inform Git that there's a GPG, SSH, or X.509 key you'd like to use.

Your GPG key must be associated with a GitHub Enterprise Server verified email that matches your committer identity.

You can sign commits locally using GPG, SSH, or S/MIME.

You can sign tags locally using GPG, SSH, or S/MIME.