PIERRE COMPUTER COMPANY
CODE STORAGE
2026
<< back
Date:JUN.05.2026Feature:Commit Signing VerificationsAuthor:Unknwon
------

Code Storage now supports commit signing verification as a branch protection policy.

Register OpenPGP or SSH signing keys for your organization, then add verify-sig to a ref policy to require every commit introduced on the matched ref to carry a valid signature from one of those keys. Unsigned commits, commits signed by unknown keys, and commits with malformed or tampered signatures are rejected before the ref is updated.

const url = await repo.getRemoteURL({
  permissions: ['git:read', 'git:write'],
  refPolicies: [{ pattern: 'main', ops: ['verify-sig'] }],
});

The policy composes with the existing branch protection model, so teams can require signatures on main, allow unsigned work on feature branches, or combine verify-sig with policies like no-force-push and no-push. A protected push that fails verification returns a policy denial instead of updating the ref:

error: remote unpack failed: error signature verification failed

Signing key management supports both OpenPGP and SSH keys, matching Git's normal commit signing formats.

See the docs

+ UP NEXT +