git-commit-guard 0.19.0__tar.gz → 0.20.0__tar.gz

{git_commit_guard-0.19.0 → git_commit_guard-0.20.0}/.github/workflows/lint-commits.yml

@@ -22,7 +22,7 @@ jobs:
           key: nltk-averaged-perceptron-tagger-punkt
       - name: Lint commits
         # yamllint disable-line rule:line-length
-        uses: benner/commit-guard@8a007fe3ebc1346ec111f7782b26af7e4ca32025  # v0.18.0
+        uses: benner/commit-guard@7704c563540b24bb10394e373e508dc664a7f01f  # v0.19.0
         with:
           range: origin/${{ github.base_ref }}..HEAD
           disable: signature

{git_commit_guard-0.19.0 → git_commit_guard-0.20.0}/.github/workflows/release.yml

@@ -10,6 +10,7 @@ permissions:
 jobs:
   release:
     runs-on: ubuntu-latest
+    environment: pypi
     steps:
       - name: Checkout code
         # yamllint disable-line rule:line-length

{git_commit_guard-0.19.0 → git_commit_guard-0.20.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: git-commit-guard
-Version: 0.19.0
+Version: 0.20.0
 Summary: Opinionated conventional commit message linter with imperative mood detection
 Project-URL: Homepage, https://github.com/benner/commit-guard
 Project-URL: Repository, https://github.com/benner/commit-guard
@@ -98,7 +98,8 @@ Available checks:
 * `imperative` - First word is an imperative verb (for example `add` not `added`)
 * `body` - Blank line separates subject from body, and body is non-empty
 * `signed-off` - `Signed-off-by:` trailer exists
-* `signature` - Verify GPG or SSH signature
+* `signature` - Verify GPG or SSH signature via the GitHub Commits API or
+    public key lookup
 
 ### Subject length
 
@@ -220,6 +221,34 @@ Trailer matching is case-sensitive and requires at least one non-space
 character after the colon (e.g. `Closes: #42`). This check runs
 independently of `--enable`/`--disable`.
 
+### Signature verification
+
+The `signature` check verifies the commit without any local keyring setup:
+
+1. If the repo has a GitHub remote, call the Commits API
+   (`GET /repos/{owner}/{repo}/commits/{sha}`) to resolve the author's GitHub
+   username — this works for corporate emails, noreply addresses, or any email
+   not listed publicly on a GitHub profile.
+2. If the Commits API is unavailable (no GitHub remote, commit not yet pushed,
+   or API error), parse the username directly from a GitHub noreply address
+   (`{id}+{username}@users.noreply.github.com` or
+   `{username}@users.noreply.github.com`) — no API call needed.
+3. If neither of the above resolves a username, fall back to searching GitHub
+   by the commit author's email.
+4. Fetch the resolved user's public keys from `github.com/{username}.gpg` and
+   `github.com/{username}.keys`.
+5. Try GPG verification: import the fetched key into a temporary keyring and
+   run `git verify-commit`.
+6. Try SSH verification: write a temporary `allowed_signers` file and run
+   `git verify-commit` with the SSH allowed-signers config.
+7. If any key verifies, the check passes. If none do, it fails.
+
+If the author cannot be resolved via either method, or the GitHub API is
+unreachable, the check fails with a clear error.
+
+For private repositories, set `GITHUB_TOKEN` or `GH_TOKEN` so the Commits API
+can authenticate.
+
 ### Configuration file
 
 Place `.commit-guard.toml` in your project root (or any parent directory) to
@@ -254,9 +283,11 @@ full precedence and ignore config file values when provided.
 
 ### Environment variables
 
-| Variable                   | Default | Description                                  |
-| -------------------------- | ------- | -------------------------------------------- |
-| `COMMIT_GUARD_GIT_TIMEOUT` | `10`    | Timeout in seconds for git subprocess calls. |
+| Variable                   | Default | Description                                                               |
+| -------------------------- | ------- | ------------------------------------------------------------------------- |
+| `COMMIT_GUARD_GIT_TIMEOUT` | `10`    | Timeout in seconds for git subprocess calls.                              |
+| `GITHUB_TOKEN`             | —       | GitHub token for Commits API access on private repos (signature check).   |
+| `GH_TOKEN`                 | —       | Alias for `GITHUB_TOKEN`; used when `GITHUB_TOKEN` is not set.            |
 
 ```bash
 COMMIT_GUARD_GIT_TIMEOUT=30 commit-guard --range origin/main..HEAD

{git_commit_guard-0.19.0 → git_commit_guard-0.20.0}/README.md

@@ -77,7 +77,8 @@ Available checks:
 * `imperative` - First word is an imperative verb (for example `add` not `added`)
 * `body` - Blank line separates subject from body, and body is non-empty
 * `signed-off` - `Signed-off-by:` trailer exists
-* `signature` - Verify GPG or SSH signature
+* `signature` - Verify GPG or SSH signature via the GitHub Commits API or
+    public key lookup
 
 ### Subject length
 
@@ -199,6 +200,34 @@ Trailer matching is case-sensitive and requires at least one non-space
 character after the colon (e.g. `Closes: #42`). This check runs
 independently of `--enable`/`--disable`.
 
+### Signature verification
+
+The `signature` check verifies the commit without any local keyring setup:
+
+1. If the repo has a GitHub remote, call the Commits API
+   (`GET /repos/{owner}/{repo}/commits/{sha}`) to resolve the author's GitHub
+   username — this works for corporate emails, noreply addresses, or any email
+   not listed publicly on a GitHub profile.
+2. If the Commits API is unavailable (no GitHub remote, commit not yet pushed,
+   or API error), parse the username directly from a GitHub noreply address
+   (`{id}+{username}@users.noreply.github.com` or
+   `{username}@users.noreply.github.com`) — no API call needed.
+3. If neither of the above resolves a username, fall back to searching GitHub
+   by the commit author's email.
+4. Fetch the resolved user's public keys from `github.com/{username}.gpg` and
+   `github.com/{username}.keys`.
+5. Try GPG verification: import the fetched key into a temporary keyring and
+   run `git verify-commit`.
+6. Try SSH verification: write a temporary `allowed_signers` file and run
+   `git verify-commit` with the SSH allowed-signers config.
+7. If any key verifies, the check passes. If none do, it fails.
+
+If the author cannot be resolved via either method, or the GitHub API is
+unreachable, the check fails with a clear error.
+
+For private repositories, set `GITHUB_TOKEN` or `GH_TOKEN` so the Commits API
+can authenticate.
+
 ### Configuration file
 
 Place `.commit-guard.toml` in your project root (or any parent directory) to
@@ -233,9 +262,11 @@ full precedence and ignore config file values when provided.
 
 ### Environment variables
 
-| Variable                   | Default | Description                                  |
-| -------------------------- | ------- | -------------------------------------------- |
-| `COMMIT_GUARD_GIT_TIMEOUT` | `10`    | Timeout in seconds for git subprocess calls. |
+| Variable                   | Default | Description                                                               |
+| -------------------------- | ------- | ------------------------------------------------------------------------- |
+| `COMMIT_GUARD_GIT_TIMEOUT` | `10`    | Timeout in seconds for git subprocess calls.                              |
+| `GITHUB_TOKEN`             | —       | GitHub token for Commits API access on private repos (signature check).   |
+| `GH_TOKEN`                 | —       | Alias for `GITHUB_TOKEN`; used when `GITHUB_TOKEN` is not set.            |
 
 ```bash
 COMMIT_GUARD_GIT_TIMEOUT=30 commit-guard --range origin/main..HEAD

{git_commit_guard-0.19.0 → git_commit_guard-0.20.0}/docs/index.html

@@ -377,7 +377,7 @@ $ echo "fix(auth): add token refresh" | commit-guard</code></pre>
               </tr>
               <tr>
                 <td><code>signature</code></td>
-                <td>GPG or SSH signature is valid</td>
+                <td>GPG or SSH signature is valid — verified via GitHub Commits API or public key lookup</td>
               </tr>
             </tbody>
           </table>
@@ -426,6 +426,39 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
         </p>
         <pre><code class="language-bash">commit-guard --require-trailer "Closes,Reviewed-by"</code></pre>
 
+        <h3>Signature verification</h3>
+        <p>
+          The <code>signature</code> check verifies commits without requiring a
+          pre-configured local keyring:
+        </p>
+        <ol>
+          <li>If the repo has a GitHub remote, call the Commits API
+            (<code>GET /repos/{owner}/{repo}/commits/{sha}</code>) to resolve
+            the author's GitHub username — works for corporate emails, noreply
+            addresses, or any email not listed publicly on a GitHub profile.</li>
+          <li>If the Commits API is unavailable (no GitHub remote, commit not
+            yet pushed, or API error), parse the username directly from a
+            GitHub noreply address
+            (<code>{id}+{username}@users.noreply.github.com</code>) — no API
+            call needed.</li>
+          <li>If neither of the above resolves a username, fall back to
+            searching GitHub by the commit author's email.</li>
+          <li>Fetch the resolved user's public keys from
+            <code>github.com/{username}.gpg</code> and
+            <code>github.com/{username}.keys</code>.</li>
+          <li>Try GPG verification using a temporary keyring.</li>
+          <li>Try SSH verification using a temporary <code>allowed_signers</code> file.</li>
+          <li>Pass if any key verifies; fail if none do.</li>
+        </ol>
+        <p>
+          If the author cannot be resolved via either method, or the GitHub API
+          is unreachable, the check fails with a clear error. For private
+          repositories, set <code>GITHUB_TOKEN</code> or <code>GH_TOKEN</code>
+          so the Commits API can authenticate. Disable the
+          <code>signature</code> check if GitHub API access is unavailable:
+        </p>
+        <pre><code class="language-bash">commit-guard --disable signature</code></pre>
+
         <h3>Range options</h3>
         <p>
           When using <code>--range</code>, merge commits are excluded by
@@ -451,6 +484,16 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
                 <td><code>10</code></td>
                 <td>Timeout in seconds for git subprocess calls</td>
               </tr>
+              <tr>
+                <td><code>GITHUB_TOKEN</code></td>
+                <td>—</td>
+                <td>GitHub token for Commits API access on private repos (signature check)</td>
+              </tr>
+              <tr>
+                <td><code>GH_TOKEN</code></td>
+                <td>—</td>
+                <td>Alias for <code>GITHUB_TOKEN</code>; used when <code>GITHUB_TOKEN</code> is not set</td>
+              </tr>
             </tbody>
           </table>
         </figure>

{git_commit_guard-0.19.0 → git_commit_guard-0.20.0}/src/git_commit_guard/__init__.py

@@ -4,7 +4,10 @@ import os
 import re
 import subprocess
 import sys
+import tempfile
 import tomllib
+import urllib.error
+import urllib.request
 from argparse import ArgumentParser
 from dataclasses import dataclass, field
 from enum import StrEnum
@@ -31,6 +34,10 @@ TYPES = frozenset(
 
 _NON_IMPERATIVE_SUFFIX_RE = re.compile(r"(?:ing|ed)$")
 _TRAILER_RE = re.compile(r"^[\w-]+:\s+\S")
+_GITHUB_REMOTE_RE = re.compile(
+    r"github\.com[:/](?P<owner>[^/]+)/(?P<repo>[^/\s]+?)(?:\.git)?$"
+)
+_NOREPLY_RE = re.compile(r"^(?:\d+\+)?(?P<username>[^@]+)@users\.noreply\.github\.com$")
 
 SUBJECT_RE = re.compile(
     r"^(?P<type>\w+)(?:\((?P<scope>[^)]+)\))?!?:\s+(?P<desc>.+)$",
@@ -256,21 +263,159 @@ def check_required_trailers(message, required, result):
             result.error(f"missing required trailer: {trailer}")
 
 
-def check_signature(rev, result):
-    proc = subprocess.run(  # noqa: S603
-        ["git", "verify-commit", rev],  # noqa: S607
-        capture_output=True,
+def _get_author_email(rev):
+    return subprocess.check_output(  # noqa: S603
+        ["git", "log", "-1", "--format=%ae", rev],  # noqa: S607
         text=True,
-        check=False,
+        stderr=subprocess.PIPE,
         timeout=_git_timeout(),
-    )
-    if proc.returncode != 0:
-        result.error("commit is not signed (GPG/SSH)", check=Check.SIGNATURE)
-        return
+    ).strip()
+
+
+def _get_github_remote_info():
+    try:
+        url = subprocess.check_output(
+            ["git", "remote", "get-url", "origin"],  # noqa: S607 Starting a process with a partial executable path
+            text=True,
+            stderr=subprocess.PIPE,
+            timeout=_git_timeout(),
+        ).strip()
+    except subprocess.CalledProcessError:
+        return None
+    match = _GITHUB_REMOTE_RE.search(url)
+    if not match:
+        return None
+    return match.group("owner"), match.group("repo")
+
+
+def _fetch_github_commit_author(owner, repo, sha):
+    url = f"https://api.github.com/repos/{owner}/{repo}/commits/{sha}"
+    headers = {"Accept": "application/vnd.github+json"}
+    token = os.environ.get("GITHUB_TOKEN") or os.environ.get("GH_TOKEN")
+    if token:
+        headers["Authorization"] = f"Bearer {token}"
+    req = urllib.request.Request(url, headers=headers)  # noqa: S310 Audit URL open for permitted schemes
+    with urllib.request.urlopen(req, timeout=_git_timeout()) as resp:  # noqa: S310 Audit URL open for permitted schemes
+        data = json.loads(resp.read())
+    author = data.get("author")
+    return author["login"] if author else None
+
+
+def _parse_noreply_username(email):
+    match = _NOREPLY_RE.match(email)
+    return match.group("username") if match else None
+
+
+def _fetch_github_username(email):
+    url = f"https://api.github.com/search/users?q={email}+in:email"
+    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})  # noqa: S310 Audit URL open for permitted schemes
+    with urllib.request.urlopen(req, timeout=_git_timeout()) as resp:  # noqa: S310 Audit URL open for permitted schemes
+        data = json.loads(resp.read())
+    items = data.get("items", [])
+    return items[0]["login"] if items else None
+
+
+def _fetch_url(url):
+    with urllib.request.urlopen(url, timeout=_git_timeout()) as resp:  # noqa: S310
+        return resp.read().decode()
+
 
-    output = proc.stderr.lower()
-    sig_type = "SSH" if "ssh" in output else "GPG"
-    result.info(f"signature type: {sig_type}", check=Check.SIGNATURE)
+def _fetch_github_keys(username):
+    gpg = _fetch_url(f"https://github.com/{username}.gpg")
+    ssh = _fetch_url(f"https://github.com/{username}.keys")
+    return gpg.strip(), ssh.strip()
+
+
+def _verify_gpg(rev, gpg_text):
+    if not gpg_text:
+        return False
+    with tempfile.TemporaryDirectory() as homedir:
+        env = {**os.environ, "GNUPGHOME": homedir}
+        import_proc = subprocess.run(
+            ["gpg", "--batch", "--import"],  # noqa: S607
+            input=gpg_text,
+            text=True,
+            capture_output=True,
+            env=env,
+            check=False,
+        )
+        if import_proc.returncode != 0:
+            return False
+        verify_proc = subprocess.run(  # noqa: S603
+            ["git", "-c", "gpg.ssh.allowedSignersFile=/dev/null", "verify-commit", rev],  # noqa: S607
+            capture_output=True,
+            text=True,
+            env=env,
+            check=False,
+            timeout=_git_timeout(),
+        )
+        return verify_proc.returncode == 0
+
+
+def _verify_ssh(rev, email, ssh_text):
+    if not ssh_text:
+        return False
+    with tempfile.NamedTemporaryFile(
+        mode="w", suffix=".allowedSigners", delete=False
+    ) as f:
+        for raw_line in ssh_text.splitlines():
+            stripped = raw_line.strip()
+            if stripped:
+                f.write(f"{email} {stripped}\n")
+        signers_path = f.name
+    try:
+        proc = subprocess.run(  # noqa: S603
+            [  # noqa: S607
+                "git",
+                "-c",
+                "gpg.format=ssh",
+                "-c",
+                f"gpg.ssh.allowedSignersFile={signers_path}",
+                "verify-commit",
+                rev,
+            ],
+            capture_output=True,
+            text=True,
+            check=False,
+            timeout=_git_timeout(),
+        )
+        return proc.returncode == 0
+    finally:
+        Path(signers_path).unlink(missing_ok=True)
+
+
+def check_signature(rev, result):
+    try:
+        email = _get_author_email(rev)
+        username = None
+        remote = _get_github_remote_info()
+        if remote:
+            owner, repo = remote
+            with contextlib.suppress(urllib.error.URLError, TimeoutError):
+                username = _fetch_github_commit_author(owner, repo, rev)
+        if username is None:
+            username = _parse_noreply_username(email)
+        if username is None:
+            username = _fetch_github_username(email)
+        if username is None:
+            result.error(
+                "commit author not found on GitHub — cannot verify signature",
+                check=Check.SIGNATURE,
+            )
+            return
+        gpg_text, ssh_text = _fetch_github_keys(username)
+        if _verify_gpg(rev, gpg_text):
+            result.info("signature type: GPG", check=Check.SIGNATURE)
+            return
+        if _verify_ssh(rev, email, ssh_text):
+            result.info("signature type: SSH", check=Check.SIGNATURE)
+            return
+        result.error("commit is not signed (GPG/SSH)", check=Check.SIGNATURE)
+    except (urllib.error.URLError, TimeoutError):
+        result.error(
+            "GitHub API unreachable — cannot verify signature",
+            check=Check.SIGNATURE,
+        )
 
 
 def _get_message(rev):

{git_commit_guard-0.19.0 → git_commit_guard-0.20.0}/tests/test_git_commit_guard.py

@@ -1,6 +1,8 @@
 import json
+import os
 import re
 import subprocess
+import urllib.error
 from argparse import ArgumentParser, Namespace
 from unittest.mock import MagicMock, patch
 
@@ -13,12 +15,19 @@ from git_commit_guard import (
     Result,
     _download_if_missing,
     _ensure_nltk_data,
+    _fetch_github_commit_author,
+    _fetch_github_keys,
+    _fetch_github_username,
+    _fetch_url,
+    _get_author_email,
+    _get_github_remote_info,
     _get_message,
     _get_range_revs,
     _git_timeout,
     _load_config,
     _parse_checks,
     _parse_config_checks,
+    _parse_noreply_username,
     _report_jsonl,
     _report_text,
     _resolve_max_subject_length,
@@ -29,6 +38,8 @@ from git_commit_guard import (
     _resolve_subject_pattern,
     _resolve_types,
     _strip_comments,
+    _verify_gpg,
+    _verify_ssh,
     check_body,
     check_imperative,
     check_required_trailers,
@@ -540,30 +551,404 @@ class TestDownloadIfMissing:
         mock_dl.assert_called_once_with("punkt_tab", quiet=True)
 
 
-class TestCheckSignature:
-    def test_unsigned_commit(self):
-        r = Result()
+class TestGetAuthorEmail:
+    def test_returns_stripped_email(self):
+        with patch(
+            "git_commit_guard.subprocess.check_output",
+            return_value="user@example.com\n",
+        ):
+            assert _get_author_email("abc123") == "user@example.com"
+
+
+class TestFetchUrl:
+    def test_returns_decoded_content(self):
+        mock_resp = MagicMock()
+        mock_resp.__enter__ = lambda s: s
+        mock_resp.__exit__ = MagicMock(return_value=False)
+        mock_resp.read.return_value = b"key data"
+        with patch("git_commit_guard.urllib.request.urlopen", return_value=mock_resp):
+            assert _fetch_url("https://github.com/user.keys") == "key data"
+
+
+class TestParseNoreplyUsername:
+    def test_id_plus_username_format(self):
+        assert (
+            _parse_noreply_username("12345678+alice@users.noreply.github.com")
+            == "alice"
+        )
+
+    def test_plain_username_format(self):
+        assert _parse_noreply_username("alice@users.noreply.github.com") == "alice"
+
+    def test_regular_email_returns_none(self):
+        assert _parse_noreply_username("alice@example.com") is None
+
+    def test_wrong_domain_returns_none(self):
+        assert _parse_noreply_username("alice@users.noreply.gitlab.com") is None
+
+
+class TestFetchGithubUsername:
+    def _mock_response(self, data):
+        mock_resp = MagicMock()
+        mock_resp.__enter__ = lambda s: s
+        mock_resp.__exit__ = MagicMock(return_value=False)
+        mock_resp.read.return_value = json.dumps(data).encode()
+        return mock_resp
+
+    def test_found_returns_login(self):
+        resp = self._mock_response({"items": [{"login": "testuser"}]})
+        with patch("git_commit_guard.urllib.request.urlopen", return_value=resp):
+            assert _fetch_github_username("test@example.com") == "testuser"
+
+    def test_not_found_returns_none(self):
+        resp = self._mock_response({"items": []})
+        with patch("git_commit_guard.urllib.request.urlopen", return_value=resp):
+            assert _fetch_github_username("unknown@example.com") is None
+
+
+class TestGetGithubRemoteInfo:
+    def test_https_url_returns_owner_repo(self):
+        with patch(
+            "git_commit_guard.subprocess.check_output",
+            return_value="https://github.com/owner/repo.git\n",
+        ):
+            assert _get_github_remote_info() == ("owner", "repo")
+
+    def test_ssh_url_returns_owner_repo(self):
+        with patch(
+            "git_commit_guard.subprocess.check_output",
+            return_value="git@github.com:owner/repo.git\n",
+        ):
+            assert _get_github_remote_info() == ("owner", "repo")
+
+    def test_https_url_without_git_suffix(self):
+        with patch(
+            "git_commit_guard.subprocess.check_output",
+            return_value="https://github.com/owner/repo\n",
+        ):
+            assert _get_github_remote_info() == ("owner", "repo")
+
+    def test_no_remote_returns_none(self):
+        err = subprocess.CalledProcessError(128, "git")
+        err.stderr = "fatal: No such remote 'origin'"
+        with patch("git_commit_guard.subprocess.check_output", side_effect=err):
+            assert _get_github_remote_info() is None
+
+    def test_non_github_remote_returns_none(self):
+        with patch(
+            "git_commit_guard.subprocess.check_output",
+            return_value="https://gitlab.com/owner/repo.git\n",
+        ):
+            assert _get_github_remote_info() is None
+
+
+class TestFetchGithubCommitAuthor:
+    def _mock_response(self, data):
+        mock_resp = MagicMock()
+        mock_resp.__enter__ = lambda s: s
+        mock_resp.__exit__ = MagicMock(return_value=False)
+        mock_resp.read.return_value = json.dumps(data).encode()
+        return mock_resp
+
+    def test_returns_author_login(self):
+        resp = self._mock_response({"author": {"login": "commituser"}})
+        with patch("git_commit_guard.urllib.request.urlopen", return_value=resp):
+            assert (
+                _fetch_github_commit_author("owner", "repo", "abc123") == "commituser"
+            )
+
+    def test_null_author_returns_none(self):
+        resp = self._mock_response({"author": None})
+        with patch("git_commit_guard.urllib.request.urlopen", return_value=resp):
+            assert _fetch_github_commit_author("owner", "repo", "abc123") is None
+
+    def test_github_token_sent_in_header(self):
+        resp = self._mock_response({"author": {"login": "user"}})
+        captured = []
+
+        def mock_urlopen(req, **_):
+            captured.append(req)
+            return resp
+
+        with (
+            patch("git_commit_guard.urllib.request.urlopen", side_effect=mock_urlopen),
+            patch.dict("os.environ", {"GITHUB_TOKEN": "mytoken"}, clear=False),
+        ):
+            _fetch_github_commit_author("owner", "repo", "abc123")
+        assert captured[0].get_header("Authorization") == "Bearer mytoken"
+
+    def test_gh_token_used_when_github_token_absent(self):
+        resp = self._mock_response({"author": {"login": "user"}})
+        captured = []
+
+        def mock_urlopen(req, **_):
+            captured.append(req)
+            return resp
+
+        env = {k: v for k, v in os.environ.items() if k != "GITHUB_TOKEN"}
+        env["GH_TOKEN"] = "ghtoken"  # noqa: S105 Possible hardcoded password assigned to: "GH_TOKEN"
+        with (
+            patch("git_commit_guard.urllib.request.urlopen", side_effect=mock_urlopen),
+            patch.dict("os.environ", env, clear=True),
+        ):
+            _fetch_github_commit_author("owner", "repo", "abc123")
+        assert captured[0].get_header("Authorization") == "Bearer ghtoken"
+
+
+class TestFetchGithubKeys:
+    def test_returns_gpg_and_ssh(self):
+        with patch(
+            "git_commit_guard._fetch_url", side_effect=["GPG KEY\n", "SSH KEY\n"]
+        ):
+            gpg, ssh = _fetch_github_keys("testuser")
+        assert gpg == "GPG KEY"
+        assert ssh == "SSH KEY"
+
+
+class TestVerifyGpg:
+    def test_empty_gpg_returns_false(self):
+        assert _verify_gpg("abc123", "") is False
+
+    def test_import_failure_returns_false(self):
         proc = MagicMock(returncode=1)
         with patch("git_commit_guard.subprocess.run", return_value=proc):
-            check_signature("abc123", r)
-        assert not r.ok
+            assert _verify_gpg("abc123", "gpg key data") is False
 
-    def test_gpg_signed_commit(self):
-        r = Result()
-        proc = MagicMock(returncode=0, stderr="gpg signature verified")
+    def test_verify_success_returns_true(self):
+        import_proc = MagicMock(returncode=0)
+        verify_proc = MagicMock(returncode=0)
+        with patch(
+            "git_commit_guard.subprocess.run", side_effect=[import_proc, verify_proc]
+        ) as mock_run:
+            assert _verify_gpg("abc123", "gpg key data") is True
+        verify_cmd = mock_run.call_args_list[1][0][0]
+        assert "gpg.ssh.allowedSignersFile=/dev/null" in verify_cmd
+
+    def test_verify_failure_returns_false(self):
+        import_proc = MagicMock(returncode=0)
+        verify_proc = MagicMock(returncode=1)
+        with patch(
+            "git_commit_guard.subprocess.run", side_effect=[import_proc, verify_proc]
+        ):
+            assert _verify_gpg("abc123", "gpg key data") is False
+
+
+class TestVerifySSH:
+    def test_empty_ssh_returns_false(self):
+        assert _verify_ssh("abc123", "user@example.com", "") is False
+
+    def test_verify_success_returns_true(self):
+        proc = MagicMock(returncode=0)
+        with patch("git_commit_guard.subprocess.run", return_value=proc) as mock_run:
+            assert (
+                _verify_ssh("abc123", "user@example.com", "ssh-ed25519 AAAA...") is True
+            )
+        verify_cmd = mock_run.call_args[0][0]
+        assert "-c" in verify_cmd
+        assert "gpg.format=ssh" in verify_cmd
+
+    def test_verify_failure_returns_false(self):
+        proc = MagicMock(returncode=1)
         with patch("git_commit_guard.subprocess.run", return_value=proc):
+            assert (
+                _verify_ssh("abc123", "user@example.com", "ssh-ed25519 AAAA...")
+                is False
+            )
+
+
+class TestCheckSignature:
+    def test_gpg_verified_via_github(self):
+        r = Result()
+        with (
+            patch(
+                "git_commit_guard._get_author_email", return_value="user@example.com"
+            ),
+            patch("git_commit_guard._get_github_remote_info", return_value=None),
+            patch("git_commit_guard._fetch_github_username", return_value="testuser"),
+            patch("git_commit_guard._fetch_github_keys", return_value=("GPG KEY", "")),
+            patch("git_commit_guard._verify_gpg", return_value=True),
+        ):
             check_signature("abc123", r)
         assert r.ok
         assert any("GPG" in msg for _, _, msg in r.errors)
 
-    def test_ssh_signed_commit(self):
+    def test_ssh_verified_via_github(self):
         r = Result()
-        proc = MagicMock(returncode=0, stderr="Good ssh signature")
-        with patch("git_commit_guard.subprocess.run", return_value=proc):
+        with (
+            patch(
+                "git_commit_guard._get_author_email", return_value="user@example.com"
+            ),
+            patch("git_commit_guard._get_github_remote_info", return_value=None),
+            patch("git_commit_guard._fetch_github_username", return_value="testuser"),
+            patch("git_commit_guard._fetch_github_keys", return_value=("", "SSH KEY")),
+            patch("git_commit_guard._verify_gpg", return_value=False),
+            patch("git_commit_guard._verify_ssh", return_value=True),
+        ):
             check_signature("abc123", r)
         assert r.ok
         assert any("SSH" in msg for _, _, msg in r.errors)
 
+    def test_no_matching_key_fails(self):
+        r = Result()
+        with (
+            patch(
+                "git_commit_guard._get_author_email", return_value="user@example.com"
+            ),
+            patch("git_commit_guard._get_github_remote_info", return_value=None),
+            patch("git_commit_guard._fetch_github_username", return_value="testuser"),
+            patch("git_commit_guard._fetch_github_keys", return_value=("GPG", "SSH")),
+            patch("git_commit_guard._verify_gpg", return_value=False),
+            patch("git_commit_guard._verify_ssh", return_value=False),
+        ):
+            check_signature("abc123", r)
+        assert not r.ok
+
+    def test_username_not_found_fails(self):
+        r = Result()
+        with (
+            patch(
+                "git_commit_guard._get_author_email", return_value="user@example.com"
+            ),
+            patch("git_commit_guard._get_github_remote_info", return_value=None),
+            patch("git_commit_guard._fetch_github_username", return_value=None),
+        ):
+            check_signature("abc123", r)
+        assert not r.ok
+        assert any("not found on GitHub" in msg for _, _, msg in r.errors)
+
+    def test_url_error_fails(self):
+        r = Result()
+        with patch(
+            "git_commit_guard._get_author_email",
+            side_effect=urllib.error.URLError("unreachable"),
+        ):
+            check_signature("abc123", r)
+        assert not r.ok
+        assert any("API unreachable" in msg for _, _, msg in r.errors)
+
+    def test_timeout_error_fails(self):
+        r = Result()
+        with patch("git_commit_guard._get_author_email", side_effect=TimeoutError()):
+            check_signature("abc123", r)
+        assert not r.ok
+        assert any("API unreachable" in msg for _, _, msg in r.errors)
+
+    def test_commits_api_resolves_username(self):
+        r = Result()
+        with (
+            patch(
+                "git_commit_guard._get_author_email", return_value="corp@example.com"
+            ),
+            patch(
+                "git_commit_guard._get_github_remote_info",
+                return_value=("owner", "repo"),
+            ),
+            patch(
+                "git_commit_guard._fetch_github_commit_author", return_value="corpuser"
+            ),
+            patch("git_commit_guard._fetch_github_username") as mock_email_search,
+            patch("git_commit_guard._fetch_github_keys", return_value=("GPG KEY", "")),
+            patch("git_commit_guard._verify_gpg", return_value=True),
+        ):
+            check_signature("abc123", r)
+        assert r.ok
+        mock_email_search.assert_not_called()
+
+    def test_commits_api_error_falls_back_to_email_search(self):
+        r = Result()
+        with (
+            patch(
+                "git_commit_guard._get_author_email", return_value="corp@example.com"
+            ),
+            patch(
+                "git_commit_guard._get_github_remote_info",
+                return_value=("owner", "repo"),
+            ),
+            patch(
+                "git_commit_guard._fetch_github_commit_author",
+                side_effect=urllib.error.URLError("not found"),
+            ),
+            patch("git_commit_guard._fetch_github_username", return_value="emailuser"),
+            patch("git_commit_guard._fetch_github_keys", return_value=("GPG KEY", "")),
+            patch("git_commit_guard._verify_gpg", return_value=True),
+        ):
+            check_signature("abc123", r)
+        assert r.ok
+
+    def test_commits_api_null_author_falls_back_to_email_search(self):
+        r = Result()
+        with (
+            patch(
+                "git_commit_guard._get_author_email", return_value="user@example.com"
+            ),
+            patch(
+                "git_commit_guard._get_github_remote_info",
+                return_value=("owner", "repo"),
+            ),
+            patch("git_commit_guard._fetch_github_commit_author", return_value=None),
+            patch("git_commit_guard._fetch_github_username", return_value="emailuser"),
+            patch("git_commit_guard._fetch_github_keys", return_value=("", "SSH KEY")),
+            patch("git_commit_guard._verify_gpg", return_value=False),
+            patch("git_commit_guard._verify_ssh", return_value=True),
+        ):
+            check_signature("abc123", r)
+        assert r.ok
+
+    def test_no_github_remote_uses_email_search(self):
+        r = Result()
+        with (
+            patch(
+                "git_commit_guard._get_author_email", return_value="user@example.com"
+            ),
+            patch("git_commit_guard._get_github_remote_info", return_value=None),
+            patch("git_commit_guard._fetch_github_commit_author") as mock_commits_api,
+            patch("git_commit_guard._fetch_github_username", return_value="emailuser"),
+            patch("git_commit_guard._fetch_github_keys", return_value=("GPG KEY", "")),
+            patch("git_commit_guard._verify_gpg", return_value=True),
+        ):
+            check_signature("abc123", r)
+        assert r.ok
+        mock_commits_api.assert_not_called()
+
+    def test_noreply_email_skips_email_search(self):
+        r = Result()
+        with (
+            patch(
+                "git_commit_guard._get_author_email",
+                return_value="12345678+alice@users.noreply.github.com",
+            ),
+            patch("git_commit_guard._get_github_remote_info", return_value=None),
+            patch("git_commit_guard._fetch_github_username") as mock_email_search,
+            patch("git_commit_guard._fetch_github_keys", return_value=("GPG KEY", "")),
+            patch("git_commit_guard._verify_gpg", return_value=True),
+        ):
+            check_signature("abc123", r)
+        assert r.ok
+        mock_email_search.assert_not_called()
+
+    def test_noreply_fallback_after_commits_api_failure(self):
+        r = Result()
+        with (
+            patch(
+                "git_commit_guard._get_author_email",
+                return_value="12345678+alice@users.noreply.github.com",
+            ),
+            patch(
+                "git_commit_guard._get_github_remote_info",
+                return_value=("owner", "repo"),
+            ),
+            patch(
+                "git_commit_guard._fetch_github_commit_author",
+                side_effect=urllib.error.URLError("not found"),
+            ),
+            patch("git_commit_guard._fetch_github_username") as mock_email_search,
+            patch("git_commit_guard._fetch_github_keys", return_value=("GPG KEY", "")),
+            patch("git_commit_guard._verify_gpg", return_value=True),
+        ):
+            check_signature("abc123", r)
+        assert r.ok
+        mock_email_search.assert_not_called()
+
 
 class TestGetMessage:
     def test_success(self):
@@ -929,11 +1314,16 @@ class TestMain:
             assert main() == 0
 
     def test_signature_with_rev(self):
-        proc = MagicMock(returncode=0, stderr="gpg signature verified")
         with (
             patch("sys.argv", ["cg", "abc123", "--enable", "signature"]),
             patch("git_commit_guard._get_message", return_value=_VALID_MSG),
-            patch("git_commit_guard.subprocess.run", return_value=proc),
+            patch(
+                "git_commit_guard._get_author_email", return_value="user@example.com"
+            ),
+            patch("git_commit_guard._get_github_remote_info", return_value=None),
+            patch("git_commit_guard._fetch_github_username", return_value="testuser"),
+            patch("git_commit_guard._fetch_github_keys", return_value=("GPG KEY", "")),
+            patch("git_commit_guard._verify_gpg", return_value=True),
         ):
             assert main() == 0