Copilot Coding Agent's commits are unsigned, PR merging blocked

[typed-sigterm]

Select Topic Area

Bug

Copilot Feature Area

Copilot Coding Agent

Body

Copilot Coding Agent should push gpg-signed commits, like REST API does, to avoid blocking PR merging.

[whatsupsumit]

Bug:
Copilot Coding Agent pushes Unverified (unsigned) commits, which block merges in repositories that require GPG-signed commits.

Expected:
Copilot Coding Agent should push GPG-signed (Verified) commits, consistent with the REST API behavior.

[poncema4]

Hi @typed-sigterm thanks for reporting this!!

Currently, commits created by the Copilot Coding Agent show up as Unverified because they are not GPG-signed, which can block pull request merges in repositories that require signed commits. The REST API supports GPG-signed commits, so it would make sense for the Copilot Agent to follow the same behavior for consistency and compliance with protected branch rules.

It would be great if the Copilot Agent automatically used the user’s verified GPG key or allowed configuration to sign commits, similar to how git commit -S or API-signed commits work.

This enhancement would help maintain security and integrity standards across repositories that enforce commit verification.

Hope this helps :)

[timsearle]

This is a significant blocker for organizations with org-level signed commits rulesets. The current workarounds don't address several scenarios:

• Org-level ruleset enforcement: The agent can create a PR, but no one can merge it because the commits are unsigned and the ruleset applies organization-wide—there's no repo-level exemption possible.
• Agent commits to your branch: If the agent pushes unsigned commits to a branch you're working on, you'd need to rebase and re-sign every commit before you can push again.
• Main branch contamination: Even if an unsigned commit somehow made it to main, you wouldn't be able to merge main into your feature branch and push it back to the remote—the unsigned commit would block the push.

Other GitHub-owned bots (Dependabot, GitHub Actions) sign their commits. The Copilot coding agent should do the same to be consistent with GitHub's own security practices.