{"id":15140318,"url":"https://github.com/jarrodldavis/probot-gpg","last_synced_at":"2025-09-29T08:31:48.766Z","repository":{"id":57120330,"uuid":"91284059","full_name":"jarrodldavis/probot-gpg","owner":"jarrodldavis","description":"A GitHub App that enforces GPG signatures on pull requests (no longer maintained)","archived":true,"fork":false,"pushed_at":"2019-07-19T20:30:41.000Z","size":707,"stargazers_count":14,"open_issues_count":10,"forks_count":10,"subscribers_count":2,"default_branch":"develop","last_synced_at":"2025-01-15T00:11:54.503Z","etag":null,"topics":["git-signing","github-api","github-app","github-integration","github-workflow","gpg","gpg-key","gpg-signature","probot","probot-app","probot-plugin","pull-requests","signing-commits"],"latest_commit_sha":null,"homepage":"https://github.com/apps/gpg","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jarrodldavis.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-05-15T01:42:03.000Z","updated_at":"2024-11-07T18:19:24.000Z","dependencies_parsed_at":"2022-08-24T02:40:34.824Z","dependency_job_id":null,"html_url":"https://github.com/jarrodldavis/probot-gpg","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jarrodldavis%2Fprobot-gpg","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jarrodldavis%2Fprobot-gpg/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jarrodldavis%2Fprobot-gpg/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jarrodldavis%2Fprobot-gpg/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jarrodldavis","download_url":"https://codeload.github.com/jarrodldavis/probot-gpg/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234604488,"owners_count":18859164,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["git-signing","github-api","github-app","github-integration","github-workflow","gpg","gpg-key","gpg-signature","probot","probot-app","probot-plugin","pull-requests","signing-commits"],"created_at":"2024-09-26T08:02:04.638Z","updated_at":"2025-09-29T08:31:48.339Z","avatar_url":"https://github.com/jarrodldavis.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"Probot GPG logo\" src=\"docs/logo-key.png\" height=\"256\" width=\"256\" /\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eProbot GPG\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"Probot Head logo\" src=\"docs/probot-head.png\" height=\"50\" width=\"50\" /\u003e\n\u003c/p\u003e\n\n\u003e A GitHub App built with [Probot](https://github.com/probot/probot) that enforces GPG signatures on pull requests\n\n## Deprecation\n\n**This GitHub App is no longer being kept up-to-date and is considered deprecated. It is recommended to use [GitHub's built-in enforcement](https://help.github.com/en/articles/about-required-commit-signing) of commit signature verification instead.**\n\n## Setup\n\n```\n# Install dependencies\nnpm install\n\n# Run the bot\nnpm start\n```\n\n## Usage\n\n[Configure this app](https://github.com/apps/gpg) on your organizations and repositories. Be sure to enable [required status checks](https://help.github.com/articles/about-required-status-checks/) if you want to enforce GPG signatures on all pull requests.\n\nSee [docs/deploy.md](docs/deploy.md) if you would like to run your own instance of this plugin.\n\n## How it works\n\nGit supports [signing commits with GPG keys](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work) to verify commit authorship beyond the easy-to-forge [author](https://git-scm.com/docs/git-commit#git-commit---authorltauthorgt) field.\n\nGitHub supports [verifying GPG signatures on commits](https://github.com/blog/2144-gpg-signature-verification) and has an excellent [series of help articles](https://help.github.com/articles/signing-commits-with-gpg/) for creating a GPG key, using it with `git` locally, and linking it to a GitHub account.\n\nAfter installation, this app [checks all commits](https://developer.github.com/v3/repos/commits/#compare-two-commits) of new (or newly updated) pull requests for valid GPG signatures [according to the GitHub API](https://developer.github.com/changes/2016-04-04-git-signing-api-preview/). Note that for the status check to be `success`, _every_ contributor of a pull request must:\n- set up a GPG key on their local machine\n- sign _all_ of their commits in the pull request with that key\n- link that key with their GitHub account\n\n![GPG status check success screenshot](docs/screenshot-success.png \"GPG status check success screenshot\")\n\nOtherwise, the app will set the status to `failure`.\n\n![GPG status check failed screenshot](docs/screenshot-failure.png \"GPG status check failed screenshot\")\n\n## Email privacy\n\nIf you or any of your contributors use a [GitHub-provided `noreply` email address](https://help.github.com/articles/about-commit-email-addresses/) to keep a personal email address private, that `noreply` address should be used when creating a GPG key. Make sure that [`git`'s config is also using that `noreply` address](https://help.github.com/articles/setting-your-commit-email-address-in-git/) so that GitHub associates the GPG key correctly and validates it.\n\n## Further reading\n\n- [Git Tools - Signing Your Work](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)\n- [GitHub Help: Signing commits with GPG](https://help.github.com/articles/signing-commits-with-gpg/)\n- [GitHub Help: Troubleshooting GPG](https://help.github.com/articles/troubleshooting-gpg/)\n- [GitHub Blog: GPG signature verification](https://github.com/blog/2144-gpg-signature-verification)\n- [GitHub Developer: Preview support for Git signing](https://developer.github.com/changes/2016-04-04-git-signing-api-preview/)\n- [The GNU Privacy Guard](https://gnupg.org)\n- [Setting up Git commit signing on macOS](https://gist.github.com/bmhatfield/cc21ec0a3a2df963bffa3c1f884b676b)\n\n## Special thanks and attributions\n\n- [@JasonEtco](https://github.com/jasonetco) for the lovingly crafted logo\n- [@probot](https://github.com/probot) for the Probot head, which was found on [wikimedia.org](https://commons.wikimedia.org/wiki/File:Robot-clip-art-book-covers-feJCV3-clipart.png) and is from clipartkid.com, licensed [CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/deed.en)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjarrodldavis%2Fprobot-gpg","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjarrodldavis%2Fprobot-gpg","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjarrodldavis%2Fprobot-gpg/lists"}