Why do all my GitHub commits show as unverified?


Suddenly, all of my commits (my entire history it seems) in all of my repos show as "unverified". Until quite recently, I'm pretty sure all of my commits were marked as verified, and that this change occurred in the past few days. But I can't figure out why or how to fix it.

I have a valid key in my list of GPG keys in settings, and the Key ID there corresponds to the key ID in the user section of my .gitconfig and to the GPG key used in my git client (Tower). The e-mail used in both .gitconfig and my git client is also among the list of verified e-mails in my GPG key in my GitHub settings. And the GPG key ID associated with each commit on GitHub matches the valid GPG key in GitHub settings, my git client, and my git settings.

Why do all my GitHub commits show as unverified, especially when they used to show as verified? How do I get them to correctly show as verified?

2

There are 2 answers

1
orome (accepted answer)

Even though the GitHub GPG UX says the key is currently in use, it may still be necessary to update it with a newly exported key if the expiration date has been extended.

However, there is no way to simply update the key, and an attempt to upload one with an updated expiration date fails with a message saying that the key is already in use (confusing). The only path is to delete the existing key first, but this meets with what appears to be a dead end, with a message (in bold, no less):

Any commits you signed with this key will become unverified after removing it.

Forge ahead though and delete the existing key and then upload a recently exported one (with any relevant extension to the expiration date) and — dire warning notwithstanding — the commits will show as verified again.
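The root cause in the answer above is drift: the local key was given a new expiration date, but the copy GitHub holds still carries the old one. The following is an added example, not code from the question or answers, that detects that drift offline. It parses the machine-readable output of `gpg --with-colons --list-keys` (field 7 of a `pub`/`sub` record is the expiry as a Unix epoch) and compares it with the `expires_at` values returned by `GET /user/gpg_keys`; the key IDs, timestamps and response sample are constructed placeholders.

```python
"""Find GPG keys whose copy on GitHub has a stale expiration date (hypothetical helper)."""
from __future__ import annotations
from datetime import datetime, timezone
import json

# Constructed sample of `gpg --with-colons --list-keys`: the local primary key and
# signing subkey were extended to expire at epoch 1780000000 (2026). Placeholder IDs.
GPG_COLONS = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:1780000000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000AAAAAAAAAAAAAAAA:
uid:u::::1600000000::HASH::Example User <user@example.com>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1600000000:1780000000:::::s::::::23:
"""

# Constructed sample of the GET /user/gpg_keys response: GitHub still holds the
# previously uploaded copy, which expired at the start of 2023.
GITHUB_KEYS_JSON = json.dumps([{
    "id": 1,
    "key_id": "AAAAAAAAAAAAAAAA",
    "expires_at": "2023-01-01T00:00:00Z",
    "subkeys": [{"key_id": "BBBBBBBBBBBBBBBB", "expires_at": "2023-01-01T00:00:00Z"}],
}])


def local_expiries(colons_output: str) -> dict[str, int | None]:
    """Map key ID -> expiry epoch (None means 'never') for pub and sub records."""
    out: dict[str, int | None] = {}
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            out[f[4]] = int(f[6]) if f[6] else None
    return out


def _parse_iso(ts: str | None) -> int | None:
    if ts is None:
        return None
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def github_expiries(api_json: str) -> dict[str, int | None]:
    """Map key ID -> expiry epoch for every primary key and subkey GitHub holds."""
    out: dict[str, int | None] = {}
    for key in json.loads(api_json):
        out[key["key_id"]] = _parse_iso(key.get("expires_at"))
        for sub in key.get("subkeys", []):
            out[sub["key_id"]] = _parse_iso(sub.get("expires_at"))
    return out


def stale_keys(local: dict, remote: dict) -> list[str]:
    """Key IDs on GitHub whose expiry differs from the local keyring: re-upload these."""
    return sorted(k for k, exp in remote.items() if k in local and local[k] != exp)


if __name__ == "__main__":
    print(stale_keys(local_expiries(GPG_COLONS), github_expiries(GITHUB_KEYS_JSON)))
```

Any key ID reported is one whose exported public key should be deleted and re-uploaded, exactly the step the accepted answer describes.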

3
VonC

Clicking on that 'Unverified' button shows that "The key that signed this is expired."

Not anymore, since May 2022:

Improved verification of historic Git commit signatures

GitHub will now verify Git commit signatures and show commits as "Verified" even if their public GPG signing keys are expired or revoked (but not compromised).
You can also upload GPG keys that are expired or revoked to your GitHub user profile.

Using GPG or S/MIME, you can sign Git commits.
These commits are marked "Verified" in GitHub's web interface, giving others confidence that they come from a trusted source because they carry their committer's signature.

GPG keys often expire or are revoked when no longer used.

Previously, when a public GPG key stored in a GitHub user profile was expired or revoked, all commits that had ever been signed with that key would be shown as "Unverified" on GitHub.
That raised unnecessary concern since the commits were validly signed before their key was expired or revoked.

Now, when a user's GPG key expires or is revoked for a reason other than being compromised, GitHub will continue showing commits that were previously signed with that key as "Verified."

You can also upload GPG keys that are expired or revoked.

Besides maintaining trust in commits’ sources, this allows GPG keys to be added or rotated for greater security without losing the “Verified” status of previously signed commits.
