GraphQL createCommitOnBranch is unverified - How do I make it verified?

[rashelle-hopkins-cb]

Select Topic Area

Question

Body

Hello, I am creating a GitHub app in Enterprise. My app utilizes the GitHub GraphQL and REST API to create a commit and PR.

According to the GitHub docs, creating a commit with the createCommitOnBranch mutation: "[is] automatically signed by GitHub if supported and will be marked as verified in the user interface."

Using the GitHub app web application flow, users are successfully authenticated and a PR is created on their behalf. However, the commit does not appear as verified. My own manually created commits appear as verified, but not the ones made through the GitHub app.

I searched the docs and general internet and can't find what the meaning of "if supported" from the first link means. I do not see any setting for enabling GitHub app verification. I also tried enabling GPG key permissions, among others, and commit signing still does not work. I can only find articles that say that this should work automatically.

My query looks like so, with the capitalized text replaced by actual values:

{
  "query": "mutation ($input: CreateCommitOnBranchInput!) {createCommitOnBranch(input: $input) { commit { url } }}",
  "variables": {
    "input": {
      "branch": {
        "repositoryNameWithOwner": "REPOOWNER/REPONAME",
        "branchName": "BRANCHNAME"
      },
      "expectedHeadOid": "OID",
      "message": {"headline": "MESSAGE"},
      "fileChanges": {
        "additions": [{
          "path": "PATH.yml",
          "contents": "CONTENTS"
        }]
      }
    }
  }
}

If anyone can assist me with ensuring commits are verified, or can help lead me in the right direction, I would greatly appreciate that. Thank you.

[mcintyre321]

Did you find an answer to this?

I wonder if Web Commit Signing needs to be enabled.

[rashelle-hopkins-cb]

Yes, turns out that was the case. Thank you!