Ensure only signed commits are accepted

Framework Reference: A.8.25 (Secure Development Life Cycle)
Integration: GitHub – Branch Protection

Why this matters

Signed commits verify the identity of the contributor and ensure that code changes originate from a trusted source.
Unsigned or unverified commits can be spoofed, making it difficult to trace accountability or detect unauthorized modifications.

Requiring signed commits helps to:

  • Guarantee commit authenticity and author integrity
  • Prevent unauthorized or tampered code from entering production
  • Maintain an auditable and trusted commit history

Without this enforcement, malicious actors could impersonate valid contributors or inject unverified changes into critical branches.


What this check does

This check verifies that protected branches (especially the default branch) have the “Require signed commits” option enabled in their branch protection rule.
When active, GitHub will reject any commits that are not signed and verified with a GPG or SSH signature.


How to fix it

From the GitHub Web Console

  1. Go to your repository on GitHub.
  2. Navigate to Settings → Branches.
  3. Under Branch protection rules, click Add rule or edit the existing rule for the default branch (e.g., main).
  4. Scroll to Require signed commits and check the box.
  5. Click Save changes.

From this point forward, commits that are not signed and verified will be rejected when pushed or merged into the protected branch.


Exceptions

  • Only commits signed with verified GPG or SSH keys are accepted. Users must add and verify their signing keys in their GitHub account settings.
  • Admins can bypass this requirement unless “Include administrators” is also enabled in the branch protection rule.
  • Unsigned merge commits created via the web interface will also be rejected.
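The web-console steps above can also be audited and applied programmatically. The following Python script is an added example, not part of this article or of GitHub's own tooling. It reads a branch protection rule through the GitHub REST API (GET /repos/{owner}/{repo}/branches/{branch}/protection), reports whether signed commits are required and whether administrators are exempt (the admin-bypass exception noted above), and can turn the setting on (POST .../protection/required_signatures). The owner, repository and branch names, the GITHUB_TOKEN environment variable and the sample responses are assumptions; the sample responses are constructed to mirror the API's shape.

```python
"""Audit and remediate 'Require signed commits' on a GitHub protected branch.

Added example, not the article's or GitHub's own code. Uses these REST endpoints:
  GET  /repos/{owner}/{repo}/branches/{branch}/protection
  POST /repos/{owner}/{repo}/branches/{branch}/protection/required_signatures
The sample responses at the bottom are constructed for offline use.
"""
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"


def evaluate_protection(protection: dict) -> dict:
    """Return findings for a branch-protection JSON object.

    `protection` is the body returned by GET .../protection, or {} when the
    branch has no rule at all. Mirrors the article's check and flags the
    case where administrators can still bypass the requirement.
    """
    signatures = protection.get("required_signatures") or {}
    admins = protection.get("enforce_admins") or {}
    signed = bool(signatures.get("enabled", False))
    admins_included = bool(admins.get("enabled", False))
    if not protection:
        status = "FAIL: branch has no protection rule"
    elif not signed:
        status = "FAIL: 'Require signed commits' is not enabled"
    elif not admins_included:
        status = "WARN: signed commits required, but administrators can bypass"
    else:
        status = "PASS: signed commits required for everyone, including admins"
    return {"signed_commits_required": signed,
            "admins_included": admins_included,
            "status": status}


def _request(method: str, path: str, token: str) -> dict:
    """Minimal authenticated call to the GitHub REST API."""
    req = urllib.request.Request(API + path, method=method, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
    })
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return json.loads(body) if body else {}


def fetch_protection(owner: str, repo: str, branch: str, token: str) -> dict:
    """GET the protection rule; returns {} when the branch has none (HTTP 404)."""
    try:
        return _request("GET", f"/repos/{owner}/{repo}/branches/{branch}/protection", token)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {}
        raise


def enable_required_signatures(owner: str, repo: str, branch: str, token: str) -> dict:
    """Remediation: same effect as ticking 'Require signed commits' in the UI.

    The branch must already have a protection rule; GitHub answers 404 otherwise.
    """
    path = f"/repos/{owner}/{repo}/branches/{branch}/protection/required_signatures"
    return _request("POST", path, token)


# Constructed sample responses (shape follows the API; values are made up).
_SIG_URL = "https://api.github.com/repos/acme/app/branches/main/protection/required_signatures"
_ADM_URL = "https://api.github.com/repos/acme/app/branches/main/protection/enforce_admins"
SAMPLE_UNSIGNED = {"required_signatures": {"url": _SIG_URL, "enabled": False},
                   "enforce_admins": {"url": _ADM_URL, "enabled": False}}
SAMPLE_ADMIN_BYPASS = {"required_signatures": {"url": _SIG_URL, "enabled": True},
                       "enforce_admins": {"url": _ADM_URL, "enabled": False}}
SAMPLE_COMPLIANT = {"required_signatures": {"url": _SIG_URL, "enabled": True},
                    "enforce_admins": {"url": _ADM_URL, "enabled": True}}

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # assumed: a token with repo admin scope
    if token and len(sys.argv) == 4:
        owner, repo, branch = sys.argv[1:4]
        finding = evaluate_protection(fetch_protection(owner, repo, branch, token))
        print(f"{owner}/{repo}@{branch}: {finding['status']}")
        if not finding["signed_commits_required"] and "--fix" in os.environ.get("FIX", ""):
            print(enable_required_signatures(owner, repo, branch, token))
    else:
        for name, sample in [("no rule", {}), ("unsigned", SAMPLE_UNSIGNED),
                             ("admin bypass", SAMPLE_ADMIN_BYPASS),
                             ("compliant", SAMPLE_COMPLIANT)]:
            print(f"{name:13s} -> {evaluate_protection(sample)['status']}")
```

Run it with `GITHUB_TOKEN` set and `owner repo branch` as arguments to audit a live branch, or with no arguments to see the verdicts for the constructed samples. The WARN state corresponds to the exception above: the setting is on, but "Include administrators" is off, so an admin push can still bypass it.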
