Updates for commit signature verification "vigilant mode" (#19003)
This commit is contained in:
hubwriter
@@ -1,6 +1,6 @@
|
||||
---
|
||||
title: About commit signature verification
|
||||
intro: 'Using GPG or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on {% data variables.product.product_name %} so other people can trust that the changes come from a trusted source.'
|
||||
intro: 'Using GPG or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on {% data variables.product.product_name %} so other people can be confident that the changes come from a trusted source.'
|
||||
redirect_from:
|
||||
- /articles/about-gpg-commit-and-tag-signatures/
|
||||
- /articles/about-gpg/
|
||||
@@ -16,15 +16,34 @@ topics:
|
||||
|
||||
### About commit signature verification
|
||||
|
||||
You can sign commits and tags locally, so other people can verify that your work comes from a trusted source. If a commit or tag has a GPG or S/MIME signature that is cryptographically verifiable, {% data variables.product.product_name %} marks the commit or tag as verified.
|
||||
You can sign commits and tags locally, to give other people confidence about the origin of a change you have made. If a commit or tag has a GPG or S/MIME signature that is cryptographically verifiable, GitHub marks the commit or tag {% if currentVersion == "free-pro-team@latest" %}"Verified" or "Partially verified."{% else %}"Verified."{% endif %}
|
||||
|
||||
|
||||
|
||||
If a commit or tag has a signature that cannot be verified, {% data variables.product.product_name %} marks the commit or tag as unverified.
|
||||
{% if currentVersion == "free-pro-team@latest" %}
|
||||
Commits and tags have the following verification statuses, depending on whether you have enabled vigilant mode. By default vigilant mode is not enabled. For information on how to enable vigilant mode, see "[Displaying verification statuses for all of your commits](/github/authenticating-to-github/displaying-verification-statuses-for-all-of-your-commits)."
|
||||
|
||||
{% data reusables.identity-and-permissions.vigilant-mode-beta-note %}
|
||||
|
||||
#### Default statuses
|
||||
|
||||
| Status | Description |
|
||||
| -------------- | ----------- |
|
||||
| **Verified** | The commit is signed and the signature was successfully verified.
|
||||
| **Unverified** | The commit is signed but the signature could not be verified.
|
||||
| No verification status | The commit is not signed.
|
||||
|
||||
#### Statuses with vigilant mode enabled
|
||||
|
||||
{% data reusables.identity-and-permissions.vigilant-mode-verification-statuses %}
|
||||
|
||||
{% else %}
|
||||
If a commit or tag has a signature that can't be verified, {% data variables.product.product_name %} marks the commit or tag "Unverified."
|
||||
{% endif %}
|
||||
|
||||
Repository administrators can enforce required commit signing on a branch to block all commits that are not signed and verified. For more information, see "[About protected branches](/github/administering-a-repository/about-protected-branches#require-signed-commits)."
|
||||
|
||||
You can check the verification status of your signed commits or tags on {% data variables.product.product_name %} and view why your commit signatures might be unverified. For more information, see "[Checking your commit and tag signature verification status](/articles/checking-your-commit-and-tag-signature-verification-status)."
|
||||
{% data reusables.identity-and-permissions.verification-status-check %}
|
||||
|
||||
{% if currentVersion == "free-pro-team@latest" %}
|
||||
{% data variables.product.product_name %} will automatically use GPG to sign commits you make using the {% data variables.product.product_name %} web interface, except for when you squash and merge a pull request that you are not the author of. You can optionally choose to have {% data variables.product.product_name %} sign commits you make in {% data variables.product.prodname_codespaces %}. Commits signed by {% data variables.product.product_name %} will have a verified status on {% data variables.product.product_name %}. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg. For more information about enabling GPG verification for your codespaces, see "[Managing GPG verification for {% data variables.product.prodname_codespaces %}](/github/developing-online-with-codespaces/managing-gpg-verification-for-codespaces)."
|
||||
|
||||
@@ -17,23 +17,20 @@ topics:
|
||||
|
||||
1. On {% data variables.product.product_name %}, navigate to your pull request.
|
||||
{% data reusables.repositories.review-pr-commits %}
|
||||
3. Next to your commit's abbreviated commit hash, there is a box that shows whether your commit signature is verified or unverified.
|
||||
3. Next to your commit's abbreviated commit hash, there is a box that shows whether your commit signature is verified{% if currentVersion == "free-pro-team@latest" %}, partially verified,{% endif %} or unverified.
|
||||
|
||||
4. To view more detailed information about the commit signature, click **Verified** or **Unverified**.
|
||||
4. To view more detailed information about the commit signature, click **Verified**{% if currentVersion == "free-pro-team@latest" %}, **Partially verified**,{% endif %} or **Unverified**.
|
||||
|
||||
|
||||
If your commit signature is unverified, you can learn more about why by clicking the **Unverified** box.
|
||||
|
||||
|
||||
### Checking your tag signature verification status
|
||||
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
{% data reusables.repositories.releases %}
|
||||
2. At the top of the Releases page, click **Tags**.
|
||||
|
||||
3. Next to your tag description, there is a box that shows whether your tag signature is verified or unverified.
|
||||
3. Next to your tag description, there is a box that shows whether your tag signature is verified{% if currentVersion == "free-pro-team@latest" %}, partially verified,{% endif %} or unverified.
|
||||
|
||||
4. To view more detailed information about the tag signature, click **Verified** or **Unverified**. If your tag signature is unverified, you can learn more about why by clicking the **Unverified** box.
|
||||
4. To view more detailed information about the tag signature, click **Verified**{% if currentVersion == "free-pro-team@latest" %}, **Partially verified**,{% endif %} or **Unverified**.
|
||||
|
||||
|
||||
### Further reading
|
||||
|
||||
@@ -0,0 +1,36 @@
|
||||
---
|
||||
title: Displaying verification statuses for all of your commits
|
||||
shortTitle: Displaying verification for all commits
|
||||
intro: You can enable vigilant mode for commit signature verification to mark all of your commits and tags with a signature verification status.
|
||||
versions:
|
||||
free-pro-team: '*'
|
||||
topics:
|
||||
- identity
|
||||
- access management
|
||||
---
|
||||
|
||||
{% data reusables.identity-and-permissions.vigilant-mode-beta-note %}
|
||||
|
||||
### About vigilant mode
|
||||
|
||||
When you work locally on your computer, Git allows you to set the author of your changes and the identity of the committer. This, potentially, makes it difficult for other people to be confident that commits and tags you create were actually created by you. To help solve this problem you can sign your commits and tags. For more information, see "[Signing commits](/github/authenticating-to-github/signing-commits)" and "[Signing tags](/github/authenticating-to-github/signing-tags)." {% data variables.product.prodname_dotcom %} marks signed commits and tags with a verification status.
|
||||
|
||||
By default commits and tags are marked "Verified" if they are signed with a GPG or S/MIME key that was successfully verified. If a commit or tag has a signature that can't be verified, {% data variables.product.prodname_dotcom %} marks the commit or tag "Unverified." In all other cases no verification status is displayed.
|
||||
|
||||
However, you can give other users increased confidence in the identity attributed to your commits and tags by enabling vigilant mode in your {% data variables.product.prodname_dotcom %} settings. With vigilant mode enabled, all of your commits and tags are marked with one of three verification statuses.
|
||||
|
||||
|
||||
|
||||
{% data reusables.identity-and-permissions.vigilant-mode-verification-statuses %}
|
||||
|
||||
You should only enable vigilant mode if you sign all of your commits and tags. After enabling this mode, any unsigned commits or tags that you generate locally and push to {% data variables.product.prodname_dotcom %} will be marked "Unverified."
|
||||
|
||||
{% data reusables.identity-and-permissions.verification-status-check %}
|
||||
|
||||
### Enabling vigilant mode
|
||||
|
||||
{% data reusables.user_settings.access_settings %}
|
||||
{% data reusables.user_settings.ssh %}
|
||||
3. On the SSH Settings page, under "Vigilant mode," select **Flag unsigned commits as unverified**.
|
||||
|
||||
|
||||
@@ -82,6 +82,7 @@ topics:
|
||||
{% link_in_list /error-were-doing-an-ssh-key-audit %}
|
||||
{% topic_link_in_list /managing-commit-signature-verification %}
|
||||
{% link_in_list /about-commit-signature-verification %}
|
||||
{% link_in_list /displaying-verification-statuses-for-all-of-your-commits %}
|
||||
{% link_in_list /checking-for-existing-gpg-keys %}
|
||||
{% link_in_list /generating-a-new-gpg-key %}
|
||||
{% link_in_list /adding-a-new-gpg-key-to-your-github-account %}
|
||||
|
||||
Reference in New Issue
Block a user