
Trigger persistent commit signature verification for historical commits


twilligon/verificationator


Verificationator

Trigger persistent commit signature verification for your past commits.

Why does this exist?

GitHub's original commit signature verification was on-demand: each time you viewed a signed commit, GitHub would verify it against the committer's signing keys. This meant if you removed a signing key from your account, every commit signed by that key would retroactively become unverifiable, and gain a scary "Unverified" badge.

GitHub's halfhearted fix

In November 2024, GitHub tacitly acknowledged this was silly and introduced persistent commit signature verification. Since then, GitHub caches signature verifications such that once a commit is verified, it stays verified.

However, this only applies to commits pushed after November 2024, or old commits that have been reverified (i.e. viewed) since the feature launched! If you pushed commits prior to December 2024 signed with a key you now want to revoke, and haven't viewed each and every one in the browser or via API since, they don't have persistent verification records yet.

A slightly more, uh, wholehearted fix

Before removing an old signing key, use this tool to fetch all your commits via the GitHub API, permanently caching their current verification statuses. Then you can safely remove the key and your commits will stay verified.
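A pre-removal audit of the kind described above, as an added example that is not Verificationator's own code: it classifies commit objects shaped like GitHub REST "list commits" results and follows the Link header for paging. The sample data is constructed, and treating a null verified_at as "no persistent record yet" is an assumption about the API response.

```javascript
// Added example (not Verificationator's code). Input items have the shape of
// GitHub REST "list commits" results; all sample values below are constructed.

// Classify one commit by its commit.verification object.
// Assumption: verified_at === null means no persistent record exists yet.
function classify(item) {
  const v = (item.commit && item.commit.verification) || {};
  if (!v.signature) return "unsigned";          // nothing to preserve
  if (!v.verified) return "signed-unverified";  // already failing; see v.reason
  return v.verified_at ? "persisted" : "verified-not-persisted";
}

// Tally a batch and list the SHAs whose badge still depends on the live key.
function audit(items) {
  const counts = { unsigned: 0, "signed-unverified": 0,
                   "verified-not-persisted": 0, persisted: 0 };
  const dependsOnKey = [];
  for (const item of items) {
    const status = classify(item);
    counts[status] += 1;
    if (status === "verified-not-persisted") dependsOnKey.push(item.sha);
  }
  return { counts, dependsOnKey };
}

// Extract the rel="next" URL from a Link response header, or null on the last page.
function nextPage(linkHeader) {
  for (const part of (linkHeader || "").split(",")) {
    const m = part.match(/<([^>]+)>\s*;\s*rel="next"/);
    if (m) return m[1];
  }
  return null;
}

// Constructed sample responses (SHAs, signature and URLs are placeholders).
const sig = "-----BEGIN PGP SIGNATURE-----(constructed)";
const SAMPLE = [
  { sha: "a1", commit: { verification: { verified: true, reason: "valid", signature: sig, verified_at: "2024-12-01T00:00:00Z" } } },
  { sha: "b2", commit: { verification: { verified: true, reason: "valid", signature: sig, verified_at: null } } },
  { sha: "c3", commit: { verification: { verified: false, reason: "unsigned", signature: null, verified_at: null } } },
  { sha: "d4", commit: { verification: { verified: false, reason: "unknown_key", signature: sig, verified_at: null } } },
];
const SAMPLE_LINK = '<https://api.github.com/repositories/1/commits?page=2>; rel="next", ' +
                    '<https://api.github.com/repositories/1/commits?page=9>; rel="last"';

console.log(audit(SAMPLE), nextPage(SAMPLE_LINK));
```

An empty dependsOnKey list across every page of every repository is the condition to look for before removing the key.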

Usage

Verificationator is open source and can be run via browser or CLI.

Browser

Install the GitHub App or visit https://verificationator.pages.dev.

CLI

Run verificationator.js:

curl https://verificationator.pages.dev/verificationator.js | node

License

Verificationator code is dedicated to the public domain where possible via CC0-1.0.

Primer and Octicons © GitHub under MIT.
