Verificationator
Trigger persistent commit signature verification for your past commits.
Sign in with GitHub
Verificationator
Trigger persistent commit signature verification for your past commits.
Sign in with GitHubGitHub's original commit signature verification was on-demand: each time you viewed a signed commit, GitHub would verify it against the committer's signing keys. This meant if you removed a signing key from your account, every commit signed by that key would retroactively become unverifiable, and gain a scary Unverified badge.
In November 2024, GitHub tacitly acknowledged this was silly and introduced persistent commit signature verification. Since then, GitHub caches signature verifications such that once a commit is verified, it stays verified.
However, this only applies to commits pushed after November 2024, or old commits that have been reverified (i.e. viewed) since the feature launched! If you pushed commits prior to December 2024 signed with a key you now want to revoke, and haven't viewed each and every one in the browser or via API since, they don't have persistent verification records yet.
Before removing an old signing key, use this tool to fetch all your commits via the GitHub API, permanently caching their current verification statuses. Then you can safely remove the key and your commits will stay verified.
If you'd rather run Verificationator from the command line:
curl https://verificationator.pages.dev/verificationator.js | node