Rebased commits by the web interface aren't signed

[BasixKOR]

Hi!

First of all, I'm more than happy to rebase my branch on GitHub without switching, pulling and all the jazz. However, when I rebase my branch on the PR by clicking 'Update with rebase', my signed commits become unsigned, resulting in an 'Unverified' badge if the user is using the vigilant mode.

IIRC GitHub signs the commit that has been created on the website by GitHub's key, and I was wondering if we could do the same for rebasing too.

[BasixKOR]

This seemingly also applies to the "Merge with Rebase" feature too.

[ebndev]

Hi @ashrafkhanak1, thanks for being a part of the GitHub Community!

Please note: we’ve clarified our stance on using generative AI tools like ChatGPT within our Community via this announcement. Please review the guidelines to ensure your post meets them as failure to adhere to those rules can result in action taken by our moderator team.  You can read our updated Code of Conduct and the announcement for more details. Thank you for helping us maintain an authentic and beneficial space for everyone.

[dvakatsiienko]

This actually causes a lot of conflicts each time after local rebase once you pull main that is contains «rewritten without a sign» commits by Github, and rebase it onto existing branch that contains those commits in signed form. Thus, making Github Rebase feature pretty unusable which is bad.

[export-mike]

any updates on allowing github to sign your commits on a rebase?

[dvakatsiienko]

doesn't seem so :(

[kshehadeh]

For what it's worth, this also seems to be an issue if you're using the API to rebase a PR which contains only signed commits.

[oliverbevan]

any update on this?

[mrsimonemms]

FWIW, it seems like a recent change. I've used this workflow for AGES and it's only in the past week or two where I've seen unverified changes after merging the PR via the website

[Murali-Shl]

Hi,
I am getting similar issue of getting the error 'branch is out-of-date with the base branch' and when I click the Rebase button in the UI, it is re-running the workflows (push commit and create PR actions)..

Or I can click on bypass the checks to merge into master.

[REBELinBLUE]

Also seems to happen when you revert a PR, I am sure it used to work in the past

[alexandrmazur96]

Is any fix existing for this?

[danielnorberg]

Would love to see this fixed. It's pretty jarring to see a lot of Unverified commits in PRs, especially when not knowing it's due to the web UI rebase.

[zliang-akamai]

Still can observe the issue. Can you guys try to fix it?

[jorgediaz-lr]

I have also detected this issue.

[magneland]

Same.
Until the web interface is fixed, my workaround is to re-sign the commits locally:

gpg --list-secret-keys --keyid-format=long
git config --global user.signingkey <your key>
git rebase --exec 'git commit --amend --no-edit -n -S' -i <SHA before the one to fix>

[learosema]

I've put an alias for the rebase in my .gitconfig :)

[alias]
    resign = "!f() { git rebase --exec 'git commit --amend --no-edit -n -S' -i \"$1\"; }; f"

unintended pun

[i-nadia]

For those who already rebased through the web interface :

git pull
git commit --amend --no-edit --signoff
git push --force-with-lease

[dannyrife]

Hit this again today. Used the script above to fix. Any update?

[microhobby]

Yeah, still broken. Some updated? It's annoying to have to do it manually when using GitHub.

[maxim]

Yeah, the pull request merge buttons no longer seem to sign my commits. It used to work a few months ago, and now it doesn't. I'm using an SSH Signing Key.

[azizur]

Any update on this? I just spotted the same issue.

[pektezol]

@magneland 's command works well, but I really don't want to force-push everytime I have to rebase. Why would the commits be unverified if it's on Github's own page and pull request, AND the commits are already signed..

Can we get some update on this?

[karrakoliko]

Any update on this?

[tiriana]

Does anyone have a workaround for this? Right now I resign commits locally and push --force-with-lease them

[gorbak25]

+1

[ForsakenRei]

I hit this issue as well. And based on Github doc, since Github has no access to the private key then it cannot sign the commits, you can only merge it locally and then push as a workaround.

But as above I remembered it worked before, now I'm wondering how it works before...

[ctsstc]

Yeah I was going to say I believe if you do a merge it signs it properly, but a rebase does not, so it seems to have its own key that since you're the user signed in it signs it with that.

[bklebe]

Correct, commits made via the web UI are signed with GitHub's key. This is what I would assume they'd do for rebases in the web UI, but I guess maybe they feel uncomfortable signing commits that might be made by multiple users with the same key?

[bfren]

(or even users that have made unsigned commits I guess?)

[ForsakenRei]

I cannot say for others but I sign all my own commits.

[bfren]

I feel on repos where multiple people contribute, it would be pretty easy to say 'if all the commits in this PR are signed, then sign the merge commit by the user doing the merge'.

If all the commits in a PR were not signed however that wouldn't be possible.

[jramosf]

I've raised a support ticket to see if we can get an official response from GitHub on this one.

[jramosf]

I am not sure if I can paste the verbatim contents of the response from the support engineer here, but basically I got response and they have open issues on Engineering but no specific commitment at the moment.

Pasting my own response as I've already closed the ticket.

I'll keep an eye on this thread and in GitHub changelog in case it gets implemented in the future.

[bhatiashivam]

Is anyone aware of any official response from Github? Right now I resign commits locally and push with --force-with-lease.

[bfren]

Only what @jramosf posted a few days ago - obviously they're aware of it but have no plans to do anything about it.

[dvins]

Maddening, open two years. Instead of doing simple updates in UI from a phone or tablet have to lug around my laptop and fire up full Git to be able to merge a stack of PRs.