# Signed Commits Policy

## Policy

All commits to this repository should be signed using GPG or SSH keys. A signed commit provides cryptographic proof that it was created by the holder of the signing key, and prevents commit spoofing (a commit that merely sets another contributor's name and e-mail in its author field).
## Setup Guide

### Option 1: SSH Signing (Recommended)

SSH signing uses your existing SSH key and requires minimal setup.

Configure git to use SSH signing:

```sh
# Sign with SSH instead of GPG
git config --global gpg.format ssh
# Point at the *public* half of the key you want to sign with
git config --global user.signingkey ~/.ssh/id_ed25519.pub
# Sign every commit automatically
git config --global commit.gpgsign true
```

Add the same SSH public key to GitHub under Settings, SSH and GPG keys, New SSH key, and select "Signing Key" as the key type. A key uploaded as an authentication key only does not produce the "Verified" badge.
### Option 2: GPG Signing

Generate a GPG key if you do not have one:

```sh
gpg --full-generate-key
```

Configure git:

```sh
# List your secret keys; the key ID is the part after the slash on the "sec" line
gpg --list-secret-keys --keyid-format=long
git config --global user.signingkey YOUR_KEY_ID
git config --global commit.gpgsign true
```

Add your GPG public key to GitHub under Settings, SSH and GPG keys, New GPG key.
## Verification

Signed commits show a "Verified" badge on GitHub. Verify locally:

```sh
git log --show-signature -1
```

For SSH-signed commits, local verification also requires `gpg.ssh.allowedSignersFile` to point at a file listing the trusted public keys (one `principal key-type key` line each); without it git reports that the signature cannot be checked, even though GitHub still shows the badge.
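To audit a range of commits rather than only the latest one, the following POSIX shell helper (an added example, not part of this repository's tooling) classifies git's `%G?` signature-status codes and fails when any commit lacks a valid signature. The sample lines in the usage comment are constructed; in practice you would pipe in `git log --format='%G? %H %an' -n 50`.

```shell
#!/bin/sh
# Added example: audit a range of commits for missing or bad signatures.
# Usage:  git log --format='%G? %H %an' -n 50 | audit_signatures

# Map git's %G? signature-status code to a label.
classify_status() {
  case "$1" in
    G) echo "good" ;;                # valid signature, trusted key
    U) echo "good-unknown-trust" ;;  # valid signature, key validity unknown
    B) echo "bad" ;;                 # signature does not match the commit
    X|Y|R) echo "expired-or-revoked" ;;
    E) echo "unverifiable" ;;        # missing key, or no gpg.ssh.allowedSignersFile for SSH
    N) echo "unsigned" ;;
    *) echo "unknown" ;;
  esac
}

# Read "%G? %H %an" lines from stdin, print one line per commit plus a summary,
# and return 0 only if every commit carries a valid signature (G or U).
audit_signatures() {
  total=0
  failures=0
  while read -r status hash author; do
    [ -z "$status" ] && continue
    total=$((total + 1))
    label=$(classify_status "$status")
    case "$label" in
      good|good-unknown-trust) ;;
      *) failures=$((failures + 1)) ;;
    esac
    printf '%s  %s  %s  [%s]\n' "$status" "$hash" "$author" "$label"
  done
  printf '%s of %s commits lack a valid signature\n' "$failures" "$total"
  [ "$failures" -eq 0 ]
}
```

A non-zero exit status makes the helper usable as a CI gate alongside the branch protection rule.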
## Branch Protection

Branch protection on `main` is configured to require signed commits when the repository ruleset supports it. The branch-protection-audit workflow (#360) monitors this setting.
## Exceptions

Automated commits from GitHub Actions (MegaLinter, Dependabot) use the `github-actions[bot]` identity and are signed by GitHub's internal key.