About commit signature verification

You can sign commits and tags locally, to give other people confidence about the origin of a change you have made. If a commit or tag has a GPG or S/MIME signature that is cryptographically verifiable, GitHub marks the commit or tag "Verified."

Verified commit

If a commit or tag has a signature that can't be verified, GitHub AE marks the commit or tag "Unverified."

Repository administrators can enforce required commit signing on a branch to block all commits that are not signed and verified. For more information, see "About protected branches."

Puedes comprobar el estado de verificación de tus confirmaciones o etiquetas firmadas en GitHub AE y ver por qué las firmas de tu confirmación podrían no ser verificadas. Para obtener más información, consulta "Comprobar la confirmación y el estado de verificación de firma de la etiqueta".

GPG commit signature verification

You can use GPG to sign commits with a GPG key that you generate yourself.

GitHub AE uses OpenPGP libraries to confirm that your locally signed commits and tags are cryptographically verifiable against a public key you have added to your account on GitHub AE.

To sign commits using GPG and have those commits verified on GitHub AE, follow these steps:

S/MIME commit signature verification

You can use S/MIME to sign commits with an X.509 key issued by your organization.

GitHub AE uses the Debian ca-certificates package, the same trust store used by Mozilla browsers, to confirm that your locally signed commits and tags are cryptographically verifiable against a public key in a trusted root certificate.

Nota: la verificación de firma S/MIME está disponible desde Git 2.19 o posterior. Para actualizar tu versiíon de Git, consulta el sitio web de Git.

To sign commits using S/MIME and have those commits verified on GitHub AE, follow these steps:

You don't need to upload your public key to GitHub AE.

About commit signature verification

En este artículo