Copilot Agent does not support signing commits with verified signatures

[mikhailmokhov]

Select Topic Area

Product Feedback

Copilot Feature Area

Copilot Coding Agent

Body

Copilot Agent currently does not support signing commits with verified signatures. This presents a blocker for repositories that enforce commit signature verification. It appears that a solution has been implemented for bots, so I’m wondering if similar support for Copilot Agent is planned in the near future.

[nathanmargaglio]

I, too, would like to know what the status of this is, since this is also preventing us from (effectively) using Copilot Agent with our repos.

Is there a specific reason Copilot isn't signing its commits? Or is this just a feature that has yet to be implemented?

[erik-arcos-ml]

Hello, we are also having this issue in our organization. Signed commits are mandatory for all repositories, and by using this feature, we would need to turn off this protection.

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[ColemanDunn]

So github supports commit signing for bots but their own bot/agent doesn't have it??

? https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#signature-verification-for-bots

[pconrad]

Is there an update on this? The copilot agent us doing a great job of creating commits that address issues, but the fact that the commits are not signed is a problem

[nesl247]

Is there any update on this? It's quite bad that a first party bot doesn't do signed commits.

[tiagostutz]

Is there any update on this?

[gabrielpessoa1]

Any update? Currently in our repos someone has to pull the branch and sign before merging, which is quite bad for a bot that was supposed to automate these manual tasks.

[Spuffynism]

As a workaround, GitHub announced yesterday that Copilot Agent can now be added as bypass actor for select rulesets.

https://github.blog/changelog/2025-11-13-configure-copilot-coding-agent-as-a-bypass-actor-for-rulesets/

[hi120ki]

We enforce signed commits across all branches in our organization, and while adding Copilot Coding Agent to the bypass list actually allows it to invoke, but this approach introduces a critical issue:

Because Copilot adds the invoking user as a co-author, every developer who might use Copilot would also need to be added to the bypass list to merge the PR. In practice, this means disabling the security control provided by commit signing entirely.

We strongly encourage the GitHub to ensure that Copilot Coding Agent itself supports commit signing. Without that, this recent update doesn’t effectively address the root problem and it is still difficult for teams with strict security policies to adopt the agent 😢

We really appreciate the progress so far and look forward to an update supporting signed commits 🙇

[mdf-ido]

Same for me since clients are asking as well. Now that agents in Azure can have their own ID, could something similar be used for signing commits?

[ColemanDunn]

So currently any PR touched by copilot is un-mergable if you have signed commits on?

[mkushakov]

current workaround i found - checkout branch created by agent locally and squash or rebase it, then it will sign commits with your keys

[bradical]

Also worth noting that you can create a bypass exemption for the agent but even if you do that it's unmergeable b/c your engineers (presumably the people you want to ALWAYS have signed commits) still have to merge it. So you effectively have to allow everyone that would collaborate with the agent to also bypass the rule.

[Cosmodude]

Had to use the "squash & rebase" solution above because the issue is still unresolved.

[Cosmodude]

That's wild that the issue wasn't addressed in 6 months.

[timsearle]

This is a significant blocker for organizations with org-level signed commits rulesets. The current workarounds don't address several scenarios:

• Org-level ruleset enforcement: The agent can create a PR, but no one can merge it because the commits are unsigned and the ruleset applies organization-wide—there's no repo-level exemption possible.
• Agent commits to your branch: If the agent pushes unsigned commits to a branch you're working on, you'd need to rebase and re-sign every commit before you can push again.
• Main branch contamination: Even if an unsigned commit somehow made it to main, you wouldn't be able to merge main into your feature branch and push it back to the remote—the unsigned commit would block the push.

Other GitHub-owned bots (Dependabot, GitHub Actions) sign their commits. The Copilot coding agent should do the same to be consistent with GitHub's own security practices.

Our organisation has >1,500 contributors, we can't, at scale, coach and explain this as they experiment with the coding agent.

[bradical]

Sorry, not following. If our common practice is to catch up PRs from main before merging (also enforced by ruleset) either through merge or rebase, wouldn't we run into this?

[timsearle]

You wouldn't be able to (merge main in to a PR with unsigned commits and push it back up) unless you were exempt. It's quite easy to reproduce this on a test repository with rulesets and see for yourself. It's a real pain and causes a lot of confusion.

[bradical]

Got it. So once a branch has been contaminated with unsigned commits, what recoruse is there even if they support it later?

[timsearle]

So long as the branch/commits don't "move" it's not an issue. The issues come if you need to, say, merge the branch with unsigned commits into your own branch and then push that back up.

[bradical]

I see. So assuming they implement a way to sign these commits, once they do and reenable the ruleset, there would only be a problem if there newer commits in main that needed to be merged to a topic branch. Legacy commits that already been caught up to those branches would not continue to cause problems each time main is merged with the latest commits.

Thanks for the help!

[juanswan13]

Huge blocker and there's no reply from Github. I hope they fix this soon.

[melodiouscode]

I rasied this with my enterprise account manager recently; hopefully we might see some movement soon.

[calexandre]

+1 we need this

[boromijovic]

We're also looking for this one :)

[robmosca]

+1 also a big blocker for us

[joshuatonga]

+1

[calexandre]

I can't believe that GitHub is going full agentic and does not support such an important feature like this.
We already have GitHub Apps with verified signatures...what's missing for GitHub Copilot? 🤔

It doesn't make any sense! We're missing a big opportunity 😢

[pedrojreis]

+1 on this!

Huge block on my organization due to the lack of verified commits, we have to deal with silly work arounds for something that should be native :(

[jaimesantosferreira]

+1!

This feature is also very necessary for my organization.

[Mik4sa]

+1

We need a solution for this too

[chepa92]

Did some workflow that triggers when draft PR moving to PR as workaround with app token, but we need proper solution please.

   - name: Re-create commits as signed via GitHub API
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          set -euo pipefail
          REPO="${{ github.repository }}"
          BRANCH="${{ github.event.pull_request.head.ref }}"
          PR_NUMBER="${{ github.event.pull_request.number }}"
          readarray -t COMMITS < <(
            gh api "repos/${REPO}/pulls/${PR_NUMBER}/commits" --paginate --jq '.[].sha'
          )
          if [ ${#COMMITS[@]} -eq 0 ]; then
            echo "No commits to sign"
            exit 0
          fi
          echo "Re-signing ${#COMMITS[@]} commit(s) on ${BRANCH}"
          PARENT=$(gh api "repos/${REPO}/git/commits/${COMMITS[0]}" --jq '.parents[0].sha')
          for SHA in "${COMMITS[@]}"; do
            TREE=$(gh api "repos/${REPO}/git/commits/${SHA}" --jq '.tree.sha')
            MESSAGE=$(gh api "repos/${REPO}/git/commits/${SHA}" --jq '.message')
            NEW_SHA=$(
              jq -n \
                --arg message "$MESSAGE" \
                --arg tree "$TREE" \
                --arg parent "$PARENT" \
                '{message: $message, tree: $tree, parents: [$parent]}' |
              gh api "repos/${REPO}/git/commits" --method POST --input - --jq '.sha'
            )
            echo "  ${SHA:0:7} → ${NEW_SHA:0:7}"
            PARENT="${NEW_SHA}"
          done
          gh api "repos/${REPO}/git/refs/heads/${BRANCH}" \
            --method PATCH \
            -f sha="${PARENT}" \
            -F force=true
          echo "Branch ${BRANCH} updated to ${PARENT:0:7}"

[jamesbaxter-ppro]

This is an important security step and blocks the main advantage of copilot for us: making quick changes.

Would be great to hear from Github on a timeline for this feature.

[hi120ki]

In the image attached to the article published on the GitHub Blog on March 20, the change is shown as “Verified” with a commit signature.

This is extremely interesting, and it appears to suggest that in their internal development version they may have discovered some kind of workaround or made progress on the issue (otherwise, one would have to question the authenticity of the image).

I would greatly appreciate it if GitHub could provide an update on this as soon as possible.

[K3UL]

I don't think it means that. I have the same thing on commits where I am co-author with Copilot (can't show it because it is a corporate account). It just means that the PR was squashed and merged, and GitHub.com's signature was used.

You can see it on a commit like this one.

[bradical]

Right, assuming we could get past the restriction of being able to merge unverified commits, I think the merge itself would show up verified as it does here.

[timrogers]

Tim from the Copilot coding agent team here 👋

The eagle-eyed @hi120ki spotted our hint: we've heard your feedback and we are working actively on commit signing.

We're expecting to ship this soon, and we'll update this thread and the GitHub Changelog.

[timrogers]

has the fix to this been pushed can i find it anywhere?

Not yet! We're still finishing up.

[mikhaildicefm]

We were able to set up signing through a pair of hacks. But we cannot fix the first commit because it was created elsewhere.

[dobegor]

hey @timrogers, please pass our thanks to the Github team for taking this up :) there's still a piece of the puzzle that's missing, unfortunately, and that is that Copilot attributes co-authorship to the person who prompted it. co-authorship also requires the co-author signature and it is, obviously, not there, and it results in commit being partially verified. (see the screenshots)

is there any workaround for that?

[timrogers]

@dobegor Would you be able to share the URL of that commit? You can email me at the github.com address on my profile.

[dobegor]

@timrogers thanks for looking into this! emailed.

[davidgamero]

Glad to see this is coming 🎉

[timrogers]

Copilot cloud agent (formerly known as Copilot coding agent) now signs its commits! 🎉 If this has been blocking you using the agent, do give it a try 😉

https://github.blog/changelog/2026-04-03-copilot-cloud-agent-signs-its-commits

[Mik4sa]

Tested and works for us, thank you :)