Skip to main content

About commit signature verification

Using GPG or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub Enterprise Server so other people can be confident that the changes come from a trusted source.

About commit signature verification

You can sign commits and tags locally, to give other people confidence about the origin of a change you have made. If a commit or tag has a GPG or S/MIME signature that is cryptographically verifiable, GitHub marks the commit or tag "Verified."

Verified commit

If a commit or tag has a signature that can't be verified, GitHub Enterprise Server marks the commit or tag "Unverified."

Repository administrators can enforce required commit signing on a branch to block all commits that are not signed and verified. For more information, see "About protected branches."

GitHub Enterprise Server上の署名されたコミットあるいはタグの検証ステータスをチェックして、コミットの署名が検証されない理由を見ることができます。 詳細は「コミットおよびタグの署名の検証のステータスをチェックする」を参照してください。

If a site administrator has enabled web commit signing, GitHub Enterprise Server will automatically use GPG to sign commits you make using the web interface. Commits signed by GitHub Enterprise Server will have a verified status. You can verify the signature locally using the public key available at https://HOSTNAME/web-flow.gpg. For more information, see "Configuring web commit signing."

GPG commit signature verification

You can use GPG to sign commits with a GPG key that you generate yourself.

GitHub Enterprise Server uses OpenPGP libraries to confirm that your locally signed commits and tags are cryptographically verifiable against a public key you have added to your account on GitHub Enterprise Serverインスタンス.

To sign commits using GPG and have those commits verified on GitHub Enterprise Server, follow these steps:

  1. Check for existing GPG keys
  2. Generate a new GPG key
  3. Add a GPG key to your GitHub account
  4. Tell Git about your signing key
  5. Sign commits
  6. Sign tags

S/MIME commit signature verification

You can use S/MIME to sign commits with an X.509 key issued by your organization.

GitHub Enterprise Server uses the Debian ca-certificates package, the same trust store used by Mozilla browsers, to confirm that your locally signed commits and tags are cryptographically verifiable against a public key in a trusted root certificate.

ノート: S/MIME署名の検証は、Git 2.19以降で利用できます。 Gitのバージョンをアップデートするには、GitのWebサイトを参照してください。

To sign commits using S/MIME and have those commits verified on GitHub Enterprise Server, follow these steps:

  1. Tell Git about your signing key
  2. Sign commits
  3. Sign tags

You don't need to upload your public key to GitHub Enterprise Server.

Further reading