Why do all my GitHub commits show as unverified?

Suddenly, all commits in all of my repos (apparently my entire history) show as "Unverified". Until recently I am fairly certain all of my commits were marked as Verified, and this change happened within the last few days. But I don't know why, or how to fix it.

I have a valid key in the GPG keys list in my settings; the key ID there matches the key ID in the user section of my .gitconfig and the GPG key used in my git client (Tower). The email used in .gitconfig and in my git client is also in the list of verified emails for the GPG key in my GitHub settings. The GPG key ID associated with each commit on GitHub matches the valid GPG key in my GitHub settings, my git client, and my git settings.

Why do all my GitHub commits show as unverified, especially when they used to show as verified? How do I get them to show correctly as verified?

Even though the GitHub GPG UX shows the key as currently in use, if its expiry date has been extended it may still need to be updated with a freshly exported key.

However, there is no way to simply update the key, and attempting to upload a key with an updated expiry date fails with a message saying the key is already in use (confusingly); the only way is to first delete the existing key, but that hits a message (in bold, no less):

Any commits you signed with this key will become unverified after removing it.

Go ahead and delete the existing key, then upload the recently exported key (with any relevant expiry date extension) and, despite the scary warning, the commits will show as verified again.

Clicking on that 'Unverified' button shows that "The key that signed this is expired."

Not anymore, as of May 2022:

Improved verification of historic Git commit signatures

GitHub will now verify Git commit signatures and show commits as "Verified" even if their public GPG signing keys are expired or revoked (but not compromised).
You can also upload GPG keys that are expired or revoked to your GitHub user profile.

Using GPG or S/MIME, you can sign Git commits.
These commits are marked "Verified" in GitHub's web interface, giving others confidence that they come from a trusted source because they carry their committer's signature.

GPG keys often expire or are revoked when no longer used.

Previously, when a public GPG key stored in a GitHub user profile was expired or revoked, all commits that had ever been signed with that key would be shown as "Unverified" on GitHub.
That raised unnecessary concern since the commits were validly signed before their key was expired or revoked.

Now, when a user's GPG key expires or is revoked for a reason other than being compromised, GitHub will continue showing commits that were previously signed with that key as "Verified."

You can also upload GPG keys that are expired or revoked.

Besides maintaining trust in commits’ sources, this allows GPG keys to be added or rotated for greater security without losing the “Verified” status of previously signed commits.
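As an added illustration (not part of either answer), here is the rule the changelog describes applied to a key listing in the machine-readable `gpg --with-colons --list-keys` format: a signature counts as verified only if it was made after the key was created and before it expired, even when the key has since expired or been revoked. The listing, key IDs and dates are constructed sample data.

```python
"""Apply the rule from the changelog above: a signature made while the key was
valid stays verified even if the key has since expired or been revoked.
Key data is in the machine-readable `gpg --with-colons --list-keys` format;
the listing below is constructed sample data, not a real key."""
from datetime import datetime, timezone

# Constructed listing: primary key and a signing subkey ('s' capability),
# both created 2021-01-01 and expired 2022-02-01 (fields 6/7, Unix seconds).
SAMPLE_LISTING = """\
pub:e:4096:1:0123456789ABCDEF:1609459200:1643673600::u:::scESC::::::23::0:
uid:e::::1609459200::AAAA::Example Dev <dev@example.com>::::::::::0:
sub:e:4096:1:FEDCBA9876543210:1609459200:1643673600:::::s::::::23:
"""

def to_unix(day: str) -> int:
    """'YYYY-MM-DD' (UTC) -> Unix timestamp, for readable inputs."""
    return int(datetime.fromisoformat(day).replace(tzinfo=timezone.utc).timestamp())

def parse_keys(listing: str) -> dict:
    """Map key ID -> validity, creation, expiry and capabilities (pub/sub records)."""
    keys = {}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        keys[f[4]] = {
            "validity": f[1],                        # 'e' expired, 'r' revoked
            "created": int(f[5]),
            "expires": int(f[6]) if f[6] else None,  # empty field: never expires
            "caps": f[11],                           # contains 's' if it can sign
        }
    return keys

def signature_status(keys: dict, keyid: str, signed_at: int) -> str:
    """Classify a signature made by `keyid` at Unix time `signed_at`."""
    key = keys.get(keyid)
    if key is None:
        return "unverified: key not on profile"
    if "s" not in key["caps"].lower():
        return "unverified: key cannot sign"
    if signed_at < key["created"]:
        return "unverified: signed before key was created"
    if key["expires"] is not None and signed_at >= key["expires"]:
        return "unverified: signed after key expired"
    if key["validity"] == "e":
        return "verified (key has since expired)"
    if key["validity"] == "r":
        return "verified (key has since been revoked)"
    return "verified"
```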