Commit signing support for bots and other GitHub Apps

Image of Justin Hutchings

Businesses and open source projects alike want to be sure that a commit is from a verified source—whether it’s from a developer across the world or a bot that’s integrated into their workflow.

GitHub has supported GPG signature verification for human-authored commits for a while, but bots like Dependabot are becoming an increasingly important part of our workflows. That changes now—bot commit signing has been enabled for all bots by default.

The image Badge showing a bot-signed commit for an open source project.

What is commit signing?

Commit signing allows a user (or bot) to cryptographically vouch for the integrity of the commit, and that they authored it. If a commit or tag has a GPG or S/MIME signature that is cryptographically verifiable, GitHub marks the commit or tag as verified with a big green checkmark âś“.

Find out more about commit signature verification


Did you know? Support for commit signing was introduced in January 2012 when v1.7.9 was released. We introduced support on GitHub.com back in April 2016.

See what launched at GitHub Universe

Missed the main event? Learn more about everything that launched at GitHub Universe, from GitHub for mobile and a redesigned notifications experience to the GitHub Archive Program.

Read the day one keynote recap

Secure the world's code, together

On day two of GitHub Universe, we announced GitHub Security Lab, bringing together security researchers, maintainers, and companies across the industry to secure open source.

Read the day two keynote recap