caaee7a124
* Add back changes from prior to purge * Manually fix some invalid Liquid * Updoot render-content * Improve test messages to show correct output * Run el scripto * Pass the remaining test
4.8 KiB
title, intro, redirect_from, versions
| title | intro | redirect_from | versions | |||||||
|---|---|---|---|---|---|---|---|---|---|---|
| About commit signature verification | Using GPG{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.14" %} or S/MIME{% endif %}, you can sign tags and commits locally. These tags or commits are marked as verified on {% data variables.product.product_name %} so other people can trust that the changes come from a trusted source. |
|
|
About commit signature verification
You can sign commits and tags locally, so other people can verify that your work comes from a trusted source. If a commit or tag has a GPG or S/MIME signature that is cryptographically verifiable, {% data variables.product.product_name %} marks the commit or tag as verified.
If a commit or tag has a signature that cannot be verified, {% data variables.product.product_name %} marks the commit or tag as unverified.
Repository administrators can enforce required commit signing on a branch to block all commits that are not signed and verified. For more information, see "About required commit signing."
You can check the verification status of your signed commits or tags on {% data variables.product.product_name %} and view why your commit signatures might be unverified. For more information, see "Checking your commit and tag signature verification status."
{% if currentVersion == "free-pro-team@latest" %} {% data variables.product.product_name %} will automatically use GPG to sign commits you make using the {% data variables.product.product_name %} web interface, except for when you squash and merge a pull request that you are not the author of. Commits signed by {% data variables.product.product_name %} will have a verified status on {% data variables.product.product_name %}. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg.{% endif %}
GPG commit signature verification
You can use GPG to sign commits with a GPG key that you generate yourself.
{% data variables.product.product_name %} uses OpenPGP libraries to confirm that your locally signed commits and tags are cryptographically verifiable against a public key you have added to your {% data variables.product.product_name %} account.
To sign commits using GPG and have those commits verified on {% data variables.product.product_name %}, follow these steps:
- Check for existing GPG keys
- Generate a new GPG key
- Add a new GPG key to your GitHub account
- Tell Git about your signing key
- Sign commits
- Sign tags
S/MIME commit signature verification
You can use S/MIME to sign commits with an X.509 key issued by your organization.
{% data variables.product.product_name %} uses the Debian ca-certificates package, the same trust store used by Mozilla browsers, to confirm that your locally signed commits and tags are cryptographically verifiable against a public key in a trusted root certificate.
{% data reusables.gpg.smime-git-version %}
To sign commits using S/MIME and have those commits verified on {% data variables.product.product_name %}, follow these steps:
You don't need to upload your public key to {% data variables.product.product_name %}.
{% if currentVersion == "free-pro-team@latest" %}
Signature verification for bots
Organizations and {% data variables.product.prodname_github_app %}s that require commit signing can use bots to sign commits. If a commit or tag has a bot signature that is cryptographically verifiable, {% data variables.product.product_name %} marks the commit or tag as verified.
Signature verification for bots will only work if the request is verified and authenticated as the {% data variables.product.prodname_github_app %} or bot and contains no custom author information, custom committer information, and no custom signature information, such as Commits API. {% endif %}