Выпуск GitHub AE сейчас ограничен.

Сведения о проверке подписи фиксации

В этой статье

С помощью GPG или S/MIME вы можете подписывать теги и фиксации локально. Эти теги или фиксации помечаются как проверенные в GitHub AE, чтобы другие пользователи могли быть уверены, что изменения поступают из надежного источника.

About commit signature verification

You can sign commits and tags locally, to give other people confidence about the origin of a change you have made. If a commit or tag has a GPG or S/MIME signature that is cryptographically verifiable, GitHub AE marks the commit or tag "Verified."

Screenshot of a commit in the commit list for a repository. "Verified" is highlighted with an orange outline.

If a commit or tag has a signature that can't be verified, GitHub AE marks the commit or tag "Unverified."

Signature verification for rebase and merge

When using the Rebase and Merge option on a pull request, it's important to note that the commits in the head branch are added to the base branch without commit signature verification. When you use this option, GitHub creates a modified commit, using the data and content of the original commit. This means that GitHub didn't truly create this commit, and can't therefore sign it as a generic system user. GitHub doesn't have access to the committer's private signing keys, so it can't sign the commit on the user's behalf.

A workaround for this is to rebase and merge locally, and then push the changes to the pull request's base branch.

For more information, see "About merge methods on GitHub."

Repository administrators can enforce required commit signing on a branch to block all commits that are not signed and verified. For more information, see "About protected branches."

You can check the verification status of your signed commits or tags on GitHub AE and view why your commit signatures might be unverified. For more information, see "Checking your commit and tag signature verification status."

GPG commit signature verification

You can use GPG to sign commits with a GPG key that you generate yourself.

GitHub AE uses OpenPGP libraries to confirm that your locally signed commits and tags are cryptographically verifiable against a public key you have added to your account on GitHub AE.

To sign commits using GPG and have those commits verified on GitHub AE, follow these steps:

  1. Check for existing GPG keys
  2. Generate a new GPG key
  3. Add a GPG key to your GitHub account
  4. Tell Git about your signing key
  5. Sign commits
  6. Sign tags

S/MIME commit signature verification

You can use S/MIME to sign commits with an X.509 key issued by your organization.

GitHub AE uses the Debian ca-certificates package, the same trust store used by Mozilla browsers, to confirm that your locally signed commits and tags are cryptographically verifiable against a public key in a trusted root certificate.

Note: S/MIME signature verification is available in Git 2.19 or later. To update your version of Git, see the Git website.

To sign commits using S/MIME and have those commits verified on GitHub AE, follow these steps:

  1. Tell Git about your signing key
  2. Sign commits
  3. Sign tags

You don't need to upload your public key to GitHub AE.

Further reading