Add documentation for disabling persistent commit verification on GHES 3.17+ (#55727)

Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
2025-12-19 09:57:42 -05:00 · 2025-06-03 09:06:27 -04:00
parent b630e0a10c
commit 6d21508566
5 changed files with 79 additions and 1 deletions
--- a/content/admin/configuring-settings/configuring-user-applications-for-your-enterprise/configuring-web-commit-signing.md
+++ b/content/admin/configuring-settings/configuring-user-applications-for-your-enterprise/configuring-web-commit-signing.md
@@ -23,6 +23,18 @@ If you enable web commit signing, {% data variables.product.prodname_ghe_server

 You can enable web commit signing, rotate the private key used for web commit signing, and disable web commit signing.

+{% ifversion ghes > 3.16 %}
+
+### About persistent commit signature verification
+
+Persistent commit signature verification is related but separate from web commit signing. This feature ensures that the verified status of commits is retained, even if signing keys are changed or revoked.
+
+Persistent commit signature verification helps maintain long-term integrity and trust in your repository’s commit history. However, you may choose to disable it in environments where minimizing disk usage is a priority, especially for large installations with a high number of verified commits.
+
+For information about disabling persistent commit signature verification, see [AUTOTITLE](/admin/configuring-settings/configuring-user-applications-for-your-enterprise/disabling-persistent-commit-verification).
+
+{% endif %}
+
 ## Enabling web commit signing

 {% data reusables.enterprise_site_admin_settings.create-pgp-key-web-commit-signing %}
--- a/content/admin/configuring-settings/configuring-user-applications-for-your-enterprise/disabling-persistent-commit-verification.md
+++ b/content/admin/configuring-settings/configuring-user-applications-for-your-enterprise/disabling-persistent-commit-verification.md
@@ -0,0 +1,55 @@
+---
+title: Disabling persistent commit verification
+shortTitle: Disable persistent commit verification
+intro: 'You can disable persistent commit verification on {% data variables.product.prodname_ghe_server %} to reduce disk usage.'
+versions:
+  ghes: '>=3.17'
+type: how_to
+topics:
+  - Access management
+  - Enterprise
+  - Fundamentals
+  - Identity
+  - Security
+permissions: 'Site administrators'
+---
+
+## About persistent commit verification
+
+When persistent commit verification is enabled, {% data variables.product.prodname_ghe_server %} stores a verification record alongside each commit when its signature is verified. This record ensures that verified commits maintain their verification status even if signing keys are later rotated, expired, or revoked. For more information about persistent commit verification, see [AUTOTITLE](/authentication/managing-commit-signature-verification/about-commit-signature-verification#persistent-commit-signature-verification).
+
+By default, persistent commit verification is enabled on {% data variables.product.prodname_ghe_server %} 3.17 and later.
+
+Each verified commit requires approximately 80 bytes of storage. For large installations with a large number of verified commits (e.g., hundreds of thousands or more), you may want to disable this feature to limit data growth.
+
+## Disabling persistent commit verification
+
+You can disable persistent commit verification for {% data variables.location.product_location %}.
+
+1. In the administrative shell, run the following command.
+
+   ```bash copy
+   ghe-config app.persist-commit-signature-verification.enabled false
+   ```
+
+1. Apply the configuration.
+
+   ```bash copy
+   ghe-config-apply
+   ```
+
+## Enabling persistent commit verification
+
+If you previously disabled persistent commit verification, you can re-enable it.
+
+1. In the administrative shell, run the following command.
+
+   ```bash copy
+   ghe-config app.persist-commit-signature-verification.enabled true
+   ```
+
+1. Apply the configuration.
+
+   ```bash copy
+   ghe-config-apply
+   ```
--- a/content/admin/configuring-settings/configuring-user-applications-for-your-enterprise/index.md
+++ b/content/admin/configuring-settings/configuring-user-applications-for-your-enterprise/index.md
@@ -16,6 +16,7 @@ children:
  - /configuring-interactive-maps
  - /managing-github-mobile-for-your-enterprise
  - /verifying-or-approving-a-domain-for-your-enterprise
+  - /disabling-persistent-commit-verification
 redirect_from:
  - /admin/configuration/configuring-user-applications-for-your-enterprise
 ---
--- a/content/authentication/managing-commit-signature-verification/about-commit-signature-verification.md
+++ b/content/authentication/managing-commit-signature-verification/about-commit-signature-verification.md
@@ -42,6 +42,10 @@ Signing commits differs from signing off on a commit. For more information about
 | **Unverified** | The commit is signed but the signature could not be verified.
 | No verification status | The commit is not signed.

+{% endif %}
+
+{% ifversion fpt or ghec or ghes > 3.16 %}
+
 ### Persistent commit signature verification

 Regardless of the signature choice - GPG, SSH, or S/MIME - once a commit signature is verified, it remains verified within its repository's network. See [AUTOTITLE](/repositories/viewing-activity-and-data-for-your-repository/understanding-connections-between-repositories).
@@ -52,6 +56,12 @@ The verification record includes a timestamp marking when the verification was c

 Persistent commit signature verification applies to new commits pushed to {% data variables.product.github %}. For any commits that predate this feature, a persistent record will be created the next time the commit's signature is verified on {% data variables.product.github %}, helping ensure that verified statuses remain stable and reliable across the repository's history.

+{% ifversion ghes %}
+
+For information about disabling persistent commit signature verification, see [AUTOTITLE](/admin/configuring-settings/configuring-user-applications-for-your-enterprise/disabling-persistent-commit-verification).
+
+{% endif %}
+
 #### Records persist even after revocation and expiration

 Persistent commit signature verification reflects the verified state of a commit at the time of verification. This means that if a signing key is later revoked, expired, or otherwise altered, previously verified commits retain their verified status based on the record created during the initial verification. {% data variables.product.github %} will not re-verify previously signed commits or retroactively adjust their verification status in response to changes in the key's state. Organizations may need to manage key states directly to align with their security policies, especially if frequent key rotation or revocation is planned.
--- a/data/release-notes/enterprise-server/3-17/0-rc1.yml
+++ b/data/release-notes/enterprise-server/3-17/0-rc1.yml
@@ -146,7 +146,7 @@ sections:
        - |
          Verified commits are attached to persistent verification records, allowing users to identify the first actor to introduce a commit to a repository. Users can rotate, expire, or revoke their signing key without impacting existing verifications.

-          Verification records consume approximately 80 bytes on disk per signed commit. To limit data growth on large instances, site administrators can run `ghe-config app.persist-commit-signature-verification.enabled false` to disable persistent records.
+          Verification records consume approximately 80 bytes on disk per signed commit. To limit data growth on large instances, site administrators can run `ghe-config app.persist-commit-signature-verification.enabled false` to disable persistent records. See [AUTOTITLE](/admin/configuring-settings/configuring-user-applications-for-your-enterprise/disabling-persistent-commit-verification).

    - heading: GitHub Mobile
      notes: