Problem
When accepting code suggestions from the Vercel Code Review bot on GitHub, the resulting commits are not GPG signed. This blocks adoption for teams that require signed commits as part of their security policies. We are able to get around this by force-pushing squashed commits to the branch, but it significantly slows down our team.
Why this matters
Many organizations enforcing SOC 2 compliance require all commits to be cryptographically signed. This is a common security control to ensure code authenticity and traceability. Without GPG signing support, we can’t use the one-click “Apply” feature—we have to manually copy suggestions and commit them locally, which defeats the purpose of the streamlined workflow.
Example
An engineer on the team (with GPG signing key configured) clicked “accept” on the suggestion through the GitHub interface:
Request
Support GPG signing for commits created by Vercel Agent, similar to how other AI coding tools handle this (e.g., Claude’s commit signing).
Cursor had a similar issue: https://forum.cursor.com/t/cursor-agent-signed-commits/119822
EDIT: I think I overwrote some of the back office bot’s changes by accident - tried to add them back but apologies if I missed anything, wasn’t intentional!
