{"id":31915910,"url":"https://github.com/fionn/commit-signature-verifier","last_synced_at":"2026-07-02T16:34:25.475Z","repository":{"id":316917367,"uuid":"1056544869","full_name":"fionn/commit-signature-verifier","owner":"fionn","description":"Git commit signature verification as a service","archived":false,"fork":false,"pushed_at":"2026-06-02T14:22:30.000Z","size":84,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-06-02T16:15:00.229Z","etag":null,"topics":["git","github-app","signature-verification"],"latest_commit_sha":null,"homepage":"https://github.com/apps/commit-signature-verifier","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fionn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-14T10:18:50.000Z","updated_at":"2026-06-02T14:29:03.000Z","dependencies_parsed_at":"2025-09-27T16:13:54.261Z","dependency_job_id":"95c71461-16de-4637-852b-73384719ad12","html_url":"https://github.com/fionn/commit-signature-verifier","commit_stats":null,"previous_names":["fionn/commit-signature-verifier"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/fionn/commit-signature-verifier","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fionn%2Fcommit-signature-verifier","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fionn%2Fcommit-signature-verifier/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fionn%2Fcommit-signature-verifier/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fionn%2Fcommit-signature-verifier/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fionn","download_url":"https://codeload.github.com/fionn/commit-signature-verifier/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fionn%2Fcommit-signature-verifier/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35055400,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-02T02:00:06.368Z","response_time":173,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["git","github-app","signature-verification"],"created_at":"2025-10-13T19:57:42.443Z","updated_at":"2026-07-02T16:34:25.436Z","avatar_url":"https://github.com/fionn.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Commit Signature Verifier\n\nVerify Git commit signatures on GitHub independently of GitHub's check.\n\nThis might be useful if you don't trust the integrity of a user's account or want to enforce signing from a set of known good keys (like those residing on hardware devices).\n\nThe application waits to be called by a push event webhook payload. It then fetches the commit corresponding to that payload and verifies its signature, writing the verification result to the commit as a status check.\n\n## Supported Signature Types\n\n* [x] SSH,\n* [ ] PGP.\n\n## Permissions\n\nThe application requires the following permissions:\n* metadata access (mandatory, every application requires this),\n* read and write access to commit statuses, in order to write the verification status,\n* read-only access to repository contents, in order to subscribe to push events and get commits to verify their signature.\n\n## Usage\n\n### Configuration\n\nWe expect the following environment variables to be set:\n\n* for GitHub:\n  * `APP_ID`, the GitHub app ID,\n  * `INSTALLATION_ID`, the GitHub app installation ID,\n  * `PRIVATE_KEY`, the GitHub app private key,\n  * `WEBHOOK_SECRET`, the secret used to validate webhook payloads,\n* and for the rest:\n  * `SSH_ALLOWED_SIGNERS`, the path to the SSH allowed signers file (optional and defaults to `~/.ssh/allowed_signers`),\n  * `ADDRESS`, the address to listen on (optional and defaults to `localhost:8080`).\n\n### Compilation\n\n```shell\nmake build\n```\n\n### Running\n\n```shell\ngo run cmd/main.go\n# or, if compiled,\n./bin/commit-signature-verifier\n```\n\n## Testing\n\n### Unit Tests\n\n```shell\nmake test\n```\n\n### \"Integration\" Tests\n\nSet up a reverse tunnel to proxy traffic to the local application with\n```shell\nssh -R 80:localhost:8080 localhost.run\n```\nor similar.\nThen add the proxy URL as the webhook URL in the application settings.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffionn%2Fcommit-signature-verifier","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffionn%2Fcommit-signature-verifier","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffionn%2Fcommit-signature-verifier/lists"}