| title | shortTitle | intro | versions | type | topics | permissions | redirect_from |
|---|---|---|---|---|---|---|---|
| Configuring web commit signing | Configure web commit signing | You can enable auto-signing of commits made in the web interface of {% data variables.product.prodname_ghe_server %}. | | how_to | | Site administrators | |

About web commit signing
If you enable web commit signing, {% data variables.product.prodname_ghe_server %} will automatically use GPG to sign commits users make on the web interface of {% data variables.location.product_location %}. Commits signed by {% data variables.product.prodname_ghe_server %} will have a verified status. For more information, see AUTOTITLE.
You can enable web commit signing, rotate the private key used for web commit signing, and disable web commit signing.
{% ifversion ghes > 3.16 %}
About persistent commit signature verification
Persistent commit signature verification is related to, but separate from, web commit signing. This feature ensures that the verified status of commits is retained, even if signing keys are changed or revoked.
Persistent commit signature verification helps maintain long-term integrity and trust in your repository’s commit history. However, you may choose to disable it in environments where minimizing disk usage is a priority, especially for large installations with a high number of verified commits.
For information about disabling persistent commit signature verification, see AUTOTITLE.
{% endif %}
Enabling web commit signing
{% data reusables.enterprise_site_admin_settings.create-pgp-key-web-commit-signing %}
  - Use `web-flow` as the username. If `web-flow` is unavailable or unusable, use any new unique username. Use this username throughout the following steps in this article.
  - If you have a no-reply email address defined in the {% data variables.enterprise.management_console %}, use that email address. If not, use any email address, such as `web-flow@my-company.com`. The email address does not need to be valid.
{% data reusables.enterprise_site_admin_settings.pgp-key-no-passphrase %}
{% data reusables.enterprise_site_admin_settings.pgp-key-env-variable %}
{% data reusables.enterprise_site_admin_settings.update-commit-signing-service %}
- Enable web commit signing.

  `ghe-config app.github.web-commit-signing-enabled true`
- Create a new user on {% data variables.location.product_location %} via built-in authentication or external authentication. For more information, see AUTOTITLE.
  - The user's username must be the same username you used when creating the PGP key in step 1 above, for example, `web-flow`.
  - The user's email address must be the same address you used when creating the PGP key.
{% data reusables.enterprise_site_admin_settings.add-key-to-web-flow-user %}
{% data reusables.enterprise_site_admin_settings.email-settings %}
- Under "No-reply email address", type the same email address you used when creating the PGP key.

  Note

  The "No-reply email address" field will only be displayed if you've enabled email for {% data variables.location.product_location %}. For more information, see AUTOTITLE.
{% data reusables.enterprise_management_console.save-settings %}
Rotating the private key used for web commit signing
{% data reusables.enterprise_site_admin_settings.create-pgp-key-web-commit-signing %}
  - Use the web commit signing user's username, for example, `web-flow`.
  - Use the no-reply email address defined in the {% data variables.enterprise.management_console %}, which should be the same as the email address of the web commit signing user, for example, `web-flow`.
{% data reusables.enterprise_site_admin_settings.pgp-key-no-passphrase %}
{% data reusables.enterprise_site_admin_settings.pgp-key-env-variable %}
{% data reusables.enterprise_site_admin_settings.update-commit-signing-service %}
{% data reusables.enterprise_site_admin_settings.add-key-to-web-flow-user %}
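
The enabling and rotation procedures above both require the PGP key's user ID to match the web commit signing user's username and the no-reply email address. The following is an added example, not part of the original article or of GitHub's tooling: a shell function that checks `gpg --list-keys --with-colons` output for that match, and for a usable, unexpired signing key, before the key is installed. The function name `check_signing_key` and the sample listing are constructed for illustration, and the key is assumed to have no comment in its user ID.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Hypothetical helper name.
# Real use, in a shell where the new key is in the GPG keyring:
#   gpg --list-keys --with-colons web-flow | \
#     check_signing_key web-flow web-flow@my-company.com

# Constructed sample of colon-format listing output (not a real key).
SAMPLE_LISTING='pub:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1700000000::0000000000000000000000000000000000000000::web-flow <web-flow@my-company.com>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::e::::::23:'

# check_signing_key NAME EMAIL   (colon listing on stdin)
# Returns 0 when the key is suitable; prints each problem and returns 1 otherwise.
check_signing_key() {
  awk -F: -v want="$1 <$2>" '
    function bad(msg) { print "FAIL: " msg; rc = 1 }
    $1 == "pub" {
      seen = 1
      # Field 2 is validity: "e" = expired, "r" = revoked.
      if ($2 == "e" || $2 == "r") bad("primary key is expired or revoked")
      # Field 12 lists capabilities; uppercase S = whole key can sign.
      if ($12 !~ /S/) bad("key has no usable signing capability")
    }
    # Field 10 of a uid record is the user ID string "Name <email>".
    $1 == "uid" && $10 == want && $2 != "e" && $2 != "r" { uid_ok = 1 }
    END {
      if (!seen)   bad("no public key in listing")
      if (!uid_ok) bad("no valid user ID equal to \"" want "\"")
      exit rc + 0
    }
  '
}

# Demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_LISTING" | check_signing_key web-flow web-flow@my-company.com
then
  echo "OK: key matches the web commit signing user"
fi
```

A mismatch reported here means the username or email chosen for the key differs from the values used for the user account and the "No-reply email address" setting.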
Disabling web commit signing
You can disable web commit signing for {% data variables.location.product_location %}.
- In the administrative shell, run the following command.

  `ghe-config app.github.web-commit-signing-enabled false`
- Apply the configuration.

  `ghe-config-apply`