About commit signature verification
You can sign commits and tags locally, to give other people confidence about the origin of a change you have made. If a commit or tag has a GPG or S/MIME signature that is cryptographically verifiable, GitHub marks the commit or tag "Verified."
If a commit or tag has a signature that can't be verified, GitHub AE marks the commit or tag "Unverified."
Repository administrators can enforce required commit signing on a branch to block all commits that are not signed and verified. For more information, see "About protected branches."
GitHub AE上の署名されたコミットあるいはタグの検証ステータスをチェックして、コミットの署名が検証されない理由を見ることができます。 詳細は「コミットおよびタグの署名の検証のステータスをチェックする」を参照してください。
GPG commit signature verification
You can use GPG to sign commits with a GPG key that you generate yourself.
GitHub AE uses OpenPGP libraries to confirm that your locally signed commits and tags are cryptographically verifiable against a public key you have added to your account on GitHub AE.
To sign commits using GPG and have those commits verified on GitHub AE, follow these steps:
- Check for existing GPG keys
- Generate a new GPG key
- Add a new GPG key to your GitHub account
- Tell Git about your signing key
- Sign commits
- Sign tags
S/MIME commit signature verification
You can use S/MIME to sign commits with an X.509 key issued by your organization.
GitHub AE uses the Debian ca-certificates package, the same trust store used by Mozilla browsers, to confirm that your locally signed commits and tags are cryptographically verifiable against a public key in a trusted root certificate.
ノート: S/MIME署名の検証は、Git 2.19以降で利用できます。 Gitのバージョンをアップデートするには、GitのWebサイトを参照してください。
To sign commits using S/MIME and have those commits verified on GitHub AE, follow these steps:
You don't need to upload your public key to GitHub AE.