[2026-04-02] Copilot coding agent signs its commits (#60480)

Copilot · timrogers · Copilot · web-flow · commit d656500b8509 · 2026-04-02T18:39:26.000Z
Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: timrogers &lt;116134+timrogers@users.noreply.github.com&gt;
Co-authored-by: Tim Rogers &lt;timrogers@github.com&gt;
Co-authored-by: Copilot Autofix powered by AI &lt;175728472+Copilot@users.noreply.github.com&gt;
Co-authored-by: isaacmbrown &lt;isaacmbrown@github.com&gt;
Co-authored-by: Isaac Brown &lt;101839405+isaacmbrown@users.noreply.github.com&gt;
diff --git a/content/copilot/concepts/agents/coding-agent/about-coding-agent.md b/content/copilot/concepts/agents/coding-agent/about-coding-agent.md
@@ -151,7 +151,7 @@ You can customize {% data variables.copilot.copilot_coding_agent %} in a number
 
 ### Limitations in {% data variables.copilot.copilot_coding_agent %}'s compatibility with other features
 
-* **{% data variables.product.prodname_copilot_short %} isn't able to comply with certain rules that may be configured for your repository**. If you have configured a ruleset or branch protection rule that isn't compatible with {% data variables.copilot.copilot_coding_agent %} (for example the "Require signed commits" rule), access to the agent will be blocked. If the rule is configured using rulesets, you can add {% data variables.product.prodname_copilot_short %} as a bypass actor to enable access. See [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#granting-bypass-permissions-for-your-branch-or-tag-ruleset).
+* **{% data variables.product.prodname_copilot_short %} isn't able to comply with certain rules that may be configured for your repository**. If you have configured a ruleset or branch protection rule that isn't compatible with {% data variables.copilot.copilot_coding_agent %}, access to the agent will be blocked. For example, a rule that only allows specific commit authors can prevent {% data variables.copilot.copilot_coding_agent %} from creating or updating pull requests. If the rule is configured using rulesets, you can add {% data variables.product.prodname_copilot_short %} as a bypass actor to enable access. See [AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#granting-bypass-permissions-for-your-branch-or-tag-ruleset).
 * **{% data variables.copilot.copilot_coding_agent %} doesn't account for content exclusions**. Content exclusions allow administrators to configure {% data variables.product.prodname_copilot_short %} to ignore certain files. When using {% data variables.copilot.copilot_coding_agent %}, {% data variables.product.prodname_copilot_short %} will not ignore these files, and will be able to see and update them. See [AUTOTITLE](/copilot/managing-copilot/configuring-and-auditing-content-exclusion/excluding-content-from-github-copilot).
 * **{% data variables.copilot.copilot_coding_agent %} only works with repositories hosted on {% data variables.product.github %}**. If your repository is stored using a different code hosting platform, {% data variables.product.prodname_copilot_short %} won't be able to work on it.
 
diff --git a/content/copilot/concepts/agents/coding-agent/risks-and-mitigations.md b/content/copilot/concepts/agents/coding-agent/risks-and-mitigations.md
@@ -56,3 +56,4 @@ To mitigate this risk, {% data variables.copilot.copilot_coding_agent %} is desi
 * {% data variables.copilot.copilot_coding_agent %}'s commits are authored by {% data variables.product.prodname_copilot_short %}, with the developer who assigned the issue or requested the change to the pull request marked as the co-author. This makes it easier to identify code generated by {% data variables.copilot.copilot_coding_agent %} and who started the task.
 * Session logs and audit log events are available to administrators.
 * The commit message for each agent-authored commit includes a link to the agent session logs, for code review and auditing. See [AUTOTITLE](/copilot/how-tos/use-copilot-agents/coding-agent/track-copilot-sessions).
+* {% data variables.copilot.copilot_coding_agent %}'s commits are signed, so they appear as "Verified" on {% data variables.product.github %}. This provides confidence that the commits were made by {% data variables.copilot.copilot_coding_agent %} and have not been altered.
diff --git a/content/copilot/how-tos/use-copilot-agents/coding-agent/track-copilot-sessions.md b/content/copilot/how-tos/use-copilot-agents/coding-agent/track-copilot-sessions.md
@@ -123,9 +123,11 @@ You can see a list of your running and past pull requests generated by agents in
 
 ## Tracing commits to session logs
 
-Every commit from {% data variables.copilot.copilot_coding_agent %} is authored by {% data variables.product.prodname_copilot_short %}, with the human who started the task marked as the co-author. Each commit message includes a link to the session logs for that commit.
+Commits from {% data variables.copilot.copilot_coding_agent %} have the following characteristics:
 
-This gives you a permanent link from any agent-authored commit back to the full session logs, so you can understand why {% data variables.product.prodname_copilot_short %} made a change during code review or trace it later for auditing purposes.
+* Every commit is authored by {% data variables.product.prodname_copilot_short %}, with the human who started the task marked as the co-author.
+* Each commit message includes a link to the session logs for that commit, so you can understand why {% data variables.product.prodname_copilot_short %} made a change during code review or trace it later for auditing purposes.
+* Commits from {% data variables.copilot.copilot_coding_agent %} are signed and appear as "Verified" on {% data variables.product.github %}.
 
 ## Using the session logs to understand {% data variables.product.prodname_copilot_short %}'s approach
 
diff --git a/content/copilot/responsible-use/copilot-coding-agent.md b/content/copilot/responsible-use/copilot-coding-agent.md
@@ -130,6 +130,8 @@ Its permissions are limited, allowing it to push code and read other resources.
 
 {% data variables.copilot.copilot_coding_agent %}'s commits are authored by {% data variables.product.prodname_copilot_short %}, with the human who started the task marked as the co-author. This makes it easier to identify code generated by the agent and who initiated the task.
 
+{% data variables.copilot.copilot_coding_agent %}'s commits are signed, so they appear as "Verified" on {% data variables.product.github %}. This provides confidence that the commits were made by {% data variables.copilot.copilot_coding_agent %} and have not been altered.
+
 Each commit message includes a link to the agent session logs. This gives you a permanent link from any agent-authored commit to the full session logs, so you can understand why {% data variables.product.prodname_copilot_short %} made a change during code review or trace it later for auditing purposes.
 
 ### Preventing data exfiltration
