Commit signing support for bots and other GitHub Apps
Commit signing is now enabled for all bots by default.
Businesses and open source projects alike want to be sure that a commit is from a verified source—whether it’s from a developer across the world or a bot that’s integrated into their workflow.
GitHub has supported GPG signature verification for human-authored commits for a while, but bots like Dependabot are becoming an increasingly important part of our workflows. That changes now—bot commit signing has been enabled for all bots by default.
What is commit signing?
Commit signing allows a user (or bot) to cryptographically vouch for the integrity of a commit and for the fact that they authored it. If a commit or tag carries a GPG or S/MIME signature that can be cryptographically verified, GitHub marks the commit or tag as verified with a big green checkmark ✓.
Find out more about commit signature verification
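To make the verification step concrete, here is an added Python example (not GitHub's or git's own code) that splits a raw commit object, as `git cat-file -p` prints it, into the payload that the signature actually covers and the detached signature stored in the `gpgsig` header; the bot identity, hashes and PGP block in the sample are constructed placeholders.

```python
from typing import Dict, Optional, Tuple

# Constructed pieces of a raw commit object (what `git cat-file -p <sha>` prints).
# The PGP block is a placeholder, not a real signature.
HEADERS = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"parent 1111111111111111111111111111111111111111\n"
    b"author example-bot[bot] <bot@users.noreply.example> 1600000000 +0000\n"
    b"committer example-bot[bot] <bot@users.noreply.example> 1600000000 +0000\n"
)
# git stores the signature in a 'gpgsig' header; each continuation line gets one
# leading space, so an empty line inside the armored block becomes a lone space.
SIG_HEADER = (
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" PLACEHOLDERsignatureBODYnotRealBase64\n"
    b" =AbCd\n"
    b" -----END PGP SIGNATURE-----\n"
)
MESSAGE = b"Bump example-lib from 1.0.0 to 1.0.1\n"
SIGNED_COMMIT = HEADERS + SIG_HEADER + b"\n" + MESSAGE

def split_signed_commit(raw: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Return (payload, signature): payload is the commit with the gpgsig header
    removed (the exact signed bytes); signature is None for an unsigned commit."""
    headers, sep, message = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("malformed commit: no blank line before message")
    kept, sig_lines, in_sig = [], [], False
    for line in headers.split(b"\n"):
        if line.startswith((b"gpgsig ", b"gpgsig-sha256 ")):
            in_sig = True
            sig_lines.append(line.split(b" ", 1)[1])
        elif in_sig and line.startswith(b" "):
            sig_lines.append(line[1:])  # drop the continuation-line space
        else:
            in_sig = False
            kept.append(line)
    payload = b"\n".join(kept) + b"\n\n" + message
    signature = b"\n".join(sig_lines) + b"\n" if sig_lines else None
    return payload, signature

def commit_headers(payload: bytes) -> Dict[str, str]:
    """Parse the headers the signature covers. A valid signature alone is not
    enough: the signing key must belong to the identity named on these lines."""
    out: Dict[str, str] = {}
    for line in payload.partition(b"\n\n")[0].split(b"\n"):
        key, _, value = line.partition(b" ")
        out[key.decode()] = value.decode()  # a later 'parent' overwrites an earlier one
    return out
```

The returned payload is what you would hand to `gpg --verify <sig> <payload>` together with the signature bytes; `git verify-commit` performs the same split internally.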
Did you know? Git gained support for commit signing in January 2012, when v1.7.9 was released. We introduced support on GitHub.com in April 2016.