Authentic Contributions: Persistent Commit Verification [GA] (#53499)

github · Dec 10, 2024 · d0421c9 · 004sa · Feb 26, 2025 · MamievArif
1 parent f53f320
commit d0421c9
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 5 deletions.
diff --git a/assets/images/help/settings/verified-persistent-commit.png b/assets/images/help/settings/verified-persistent-commit.png
diff --git a/...naging-commit-signature-verification/adding-a-gpg-key-to-your-github-account.md b/...naging-commit-signature-verification/adding-a-gpg-key-to-your-github-account.md
@@ -24,13 +24,12 @@ shortTitle: Add a GPG key
 
 To sign commits associated with your account on {% data variables.product.product_name %}, you can add a public GPG key to your personal account. Before you add a key, you should check for existing keys. If you don't find any existing keys, you can generate and copy a new key. For more information, see "[AUTOTITLE](/authentication/managing-commit-signature-verification/checking-for-existing-gpg-keys)" and "[AUTOTITLE](/authentication/managing-commit-signature-verification/generating-a-new-gpg-key)."
 
-You can add multiple public keys to your account on {% data variables.product.product_name %}. Commits signed by any of the corresponding private keys will show as verified. If you remove a public key, any commits signed by the corresponding private key will no longer show as verified.
+You can add multiple public keys to your account on {% data variables.product.product_name %}. Commits signed by any of the corresponding private keys will show as verified. {% ifversion persistent-commit-verification %}Once a commit has been verified, any commits signed by the corresponding private key will continue to show as verified, even if the public key is removed.{% else %}If you remove a public key, any commits signed by the corresponding private key will no longer show as verified.{% endif %}
 
-{% ifversion upload-expired-or-revoked-gpg-key %}
-To verify as many of your commits as possible, you can add expired and revoked keys. If the key meets all other verification requirements, commits that were previously signed by any of the corresponding private keys will show as verified and indicate that their signing key is expired or revoked.
+![Screenshot of a list of commits. One commit is marked with a "Verified" label. Next to the label, a dropdown explains that the commit was signed and shows a timestamp of when it was signed.](/assets/images/help/settings/verified-persistent-commit.png)
 
-![Screenshot of a list of commits. One commit is marked with a "Verified" label. Below the label, a dropdown explains that the commit was signed, but the key has now expired.](/assets/images/help/settings/gpg-verified-with-expired-key.png)
-{% endif %}
+{% ifversion upload-expired-or-revoked-gpg-key %}
+To verify as many of your commits as possible, you can add expired and revoked keys. If the key meets all other verification requirements, commits that were previously signed by any of the corresponding private keys will show as verified and indicate that their signing key is expired or revoked.{% endif %}
 
 {% data reusables.gpg.supported-gpg-key-algorithms %}
 

diff --git a/data/features/persistent-commit-verification.yml b/data/features/persistent-commit-verification.yml
@@ -0,0 +1,7 @@
+# Issue: 15674
+# Description: Once a commit signature is verified, it remains verified within its repository's network
+# Usage: {% ifversion persistent-commit-verification %} ... {% endif %}
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>=3.17'