GitHub Copilot Cloud Agent Now Signs Commits
GitHub CopilotGitHub Copilot's cloud agent now digitally signs every commit it creates, causing agent-authored commits to display as "Verified" on GitHub. This resolves a long-standing blocker: repositories enforcing the "Require signed commits" branch protection rule or ruleset can now fully leverage the Copilot cloud agent without disabling security policies.
Sources & Mentions
2 external resources covering this update
Verified Commit Signing for the Copilot Cloud Agent
GitHub has introduced verified commit signing for the Copilot cloud agent. Every commit the agent authors is now cryptographically signed, and those commits display the familiar green "Verified" badge on GitHub. This change arrives without any configuration requirement — signing happens automatically on every agent-created commit going forward.
Resolving a Long-Standing Branch Protection Blocker
For many teams, the Copilot cloud agent was previously off-limits for repositories protected by the "Require signed commits" branch protection rule or equivalent ruleset. Enabling the agent meant either carving out an exception for Copilot or disabling the security policy entirely — neither of which is acceptable in compliance-conscious organizations.
This update removes that friction entirely. Repositories with strict commit-signing requirements can now enable the Copilot cloud agent without weakening their branch protection posture.
Community-Driven Request
The feature addresses a widely-tracked community request. GitHub discussion #164099, titled "Copilot Agent does not support signing commits with verified signatures", gathered 33 participants and a significant number of upvotes before this fix landed. A companion thread, discussion #173072, tracked the same issue from a slightly different angle. The volume of community interest underlines how important signed-commit compatibility was for enterprise and security-focused teams.
Pairs with the Agent-Logs-Url Trailer
The verified signature complements the Agent-Logs-Url trailer that the Copilot cloud agent appends to its commit messages. Together, the two features provide a complete audit trail: the signature proves the commit came from the trusted Copilot agent, while the logs URL points directly to the session that produced the change. Teams auditing automated contributions now have both cryptographic proof and a human-readable activity log in one commit.
Availability
Verified commit signing is available to all GitHub Copilot plans that include cloud agent access — Pro+, Business, and Enterprise. No opt-in, policy change, or additional configuration is needed.