Code Storage now supports commit signing verification as a branch protection policy.
Register OpenPGP or SSH signing keys for your organization, then add verify-sig to a ref policy to
require every commit introduced on the matched ref to carry a valid signature from one of those
keys. Unsigned commits, commits signed by unknown keys, and commits with malformed or tampered
signatures are rejected before the ref is updated.

    // Require a valid signature on every commit introduced on main.
    const url = await repo.getRemoteURL({
      permissions: ['git:read', 'git:write'],
      refPolicies: [{ pattern: 'main', ops: ['verify-sig'] }],
    });

The policy composes with the existing branch protection model, so teams can require signatures on
main, allow unsigned work on feature branches, or combine verify-sig with policies like
no-force-push and no-push. A protected push that fails verification returns a policy denial
instead of updating the ref:

    error: remote unpack failed: error signature verification failed

Signing key management supports both OpenPGP and SSH keys, matching Git's normal commit signing formats.
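
To catch unsigned or structurally broken signatures locally before a protected push is denied, the following added example (not Code Storage's own code or verification logic) classifies a raw commit object by its `gpgsig` header, covering the OpenPGP and SSH formats named above. The function name `classifyCommitSignature` and the sample commits are assumptions constructed for illustration; the check is structural only and does not establish that a signature is valid or that its key is registered.

```javascript
// Added example: structural pre-check only, no cryptographic verification.
// Input: raw commit object text, as printed by `git cat-file commit <sha>`.
const ARMOR = { 'PGP SIGNATURE': 'openpgp', 'SSH SIGNATURE': 'ssh' };

// classifyCommitSignature is a hypothetical helper name, not part of any SDK.
function classifyCommitSignature(rawCommit) {
  // Headers end at the first blank line; the commit message follows.
  const headerEnd = rawCommit.indexOf('\n\n');
  const headerText = headerEnd === -1 ? rawCommit : rawCommit.slice(0, headerEnd);
  const lines = headerText.split('\n');

  const start = lines.findIndex((l) => l.startsWith('gpgsig '));
  if (start === -1) return { status: 'unsigned', format: null };

  // The signature is a multi-line header; continuation lines begin with a space.
  const sig = [lines[start].slice('gpgsig '.length)];
  for (let i = start + 1; i < lines.length && lines[i].startsWith(' '); i++) {
    sig.push(lines[i].slice(1));
  }

  const begin = /^-----BEGIN ([A-Z0-9 ]+)-----$/.exec(sig[0]);
  const format = begin ? ARMOR[begin[1]] || null : null;
  if (!format) return { status: 'unrecognized', format: null };

  // OpenPGP armor may carry "Key: value" headers before a blank line; skip them.
  const inner = sig.slice(1, -1);
  const blank = inner.indexOf('');
  const payload = blank === -1 ? inner : inner.slice(blank + 1);

  // A truncated or edited block loses its END line or its base64 payload.
  const wellFormed =
    sig[sig.length - 1] === `-----END ${begin[1]}-----` &&
    payload.length > 0 &&
    payload.every((l) => /^[A-Za-z0-9+\/=]+$/.test(l));
  return { status: wellFormed ? 'signed' : 'malformed', format };
}

// Constructed samples; the signature bodies are placeholders, not real signatures.
const head = 'tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n' +
  'author A <a@example.com> 0 +0000\ncommitter A <a@example.com> 0 +0000\n';
const samples = {
  unsigned: head + '\nmsg\n',
  ssh: head + 'gpgsig -----BEGIN SSH SIGNATURE-----\n U1NIU0lHAAAA\n -----END SSH SIGNATURE-----\n\nmsg\n',
  openpgp: head + 'gpgsig -----BEGIN PGP SIGNATURE-----\n \n iQEzBAAB\n =AbCd\n -----END PGP SIGNATURE-----\n\nmsg\n',
  truncated: head + 'gpgsig -----BEGIN SSH SIGNATURE-----\n U1NIU0lHAAAA\n\nmsg\n',
};
for (const [name, raw] of Object.entries(samples)) {
  console.log(name, classifyCommitSignature(raw));
}
```

A commit that classifies as `signed` still has to pass `git verify-commit` locally and the server-side check against the registered keys.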