Authentic Contributions: Persistent Commit Verification [GA] (#53499)

2025-12-19 18:10:59 -05:00 · 2024-12-10 08:14:25 -08:00
parent f53f320ae0
commit d0421c9cf7
3 changed files with 11 additions and 5 deletions
--- a/assets/images/help/settings/verified-persistent-commit.png
+++ b/assets/images/help/settings/verified-persistent-commit.png
--- a/content/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account.md
+++ b/content/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account.md
@@ -24,13 +24,12 @@ shortTitle: Add a GPG key
 To sign commits associated with your account on {% data variables.product.product_name %}, you can add a public GPG key to your personal account. Before you add a key, you should check for existing keys. If you don't find any existing keys, you can generate and copy a new key. For more information, see "[AUTOTITLE](/authentication/managing-commit-signature-verification/checking-for-existing-gpg-keys)" and "[AUTOTITLE](/authentication/managing-commit-signature-verification/generating-a-new-gpg-key)."
-You can add multiple public keys to your account on {% data variables.product.product_name %}. Commits signed by any of the corresponding private keys will show as verified. If you remove a public key, any commits signed by the corresponding private key will no longer show as verified.
+You can add multiple public keys to your account on {% data variables.product.product_name %}. Commits signed by any of the corresponding private keys will show as verified. {% ifversion persistent-commit-verification %}Once a commit has been verified, any commits signed by the corresponding private key will continue to show as verified, even if the public key is removed.{% else %}If you remove a public key, any commits signed by the corresponding private key will no longer show as verified.{% endif %}
 ![Screenshot of a list of commits. One commit is marked with a "Verified" label. Next to the label, a dropdown explains that the commit was signed and shows a timestamp of when it was signed.](/assets/images/help/settings/verified-persistent-commit.png)
 {% ifversion upload-expired-or-revoked-gpg-key %}
-To verify as many of your commits as possible, you can add expired and revoked keys. If the key meets all other verification requirements, commits that were previously signed by any of the corresponding private keys will show as verified and indicate that their signing key is expired or revoked.
+To verify as many of your commits as possible, you can add expired and revoked keys. If the key meets all other verification requirements, commits that were previously signed by any of the corresponding private keys will show as verified and indicate that their signing key is expired or revoked.{% endif %}
 ![Screenshot of a list of commits. One commit is marked with a "Verified" label. Below the label, a dropdown explains that the commit was signed, but the key has now expired.](/assets/images/help/settings/gpg-verified-with-expired-key.png)
 {% endif %}
 {% data reusables.gpg.supported-gpg-key-algorithms %}
--- a/data/features/persistent-commit-verification.yml
+++ b/data/features/persistent-commit-verification.yml
@@ -0,0 +1,7 @@
 # Issue: 15674
 # Description: Once a commit signature is verified, it remains verified within its repository's network
 # Usage: {% ifversion persistent-commit-verification %} ... {% endif %}
 versions:
  fpt: '*'
  ghec: '*'
  ghes: '>=3.17'