Question persistent commit signature verification

[spenserblack]

Select Topic Area

Question

Body

If I understand correctly, previously, if I deleted a GPG key from my account, it would un-verify any commit signed with that key. Now, as long as the key was valid when I pushed the commit, it will stay verified even if I delete the GPG key.

Will this only be applied to newly pushed commits after this feature is released? Or will it also retroactively make old commits, pushed before this feature's release, also persistently verified?

[starg2]

The answer is right in the official blog post:

Persistent commit signature verification is applied to new commits only. For commits pushed prior to this update, persistent records will be created upon the next verification, which happens when viewing a signed commit on GitHub anywhere the verified badge is displayed, or retrieving a signed commit via the REST API.

[spenserblack]

Somehow I missed that when checking out the blog post. Thanks!