Support for Signed Commits (GPG/SSH) in Source Control / Environments

The idea is:

Add a section within the Source Control Settings to:

  1. Upload a GPG or SSH Signing Key: Allow the n8n instance (or individual users) to store a private key used specifically for signing.
  2. Configure Signing Identity: Set the name and email associated with the signature.
  3. Toggle Signing: An option to “Always sign commits” for the connected repository.

My use case:

Our team uses n8n’s Source Control (Environments) to manage workflows across development, staging, and production instances. We use GitHub as our central repository. To maintain a high security posture and comply with internal auditing requirements, our GitHub organization enforces a “Require signed commits” policy on all main and protected branches.
Currently, when we attempt to push changes directly from an n8n environment, the push is rejected by GitHub because the commits are not signed. This forces us to manually pull the changes locally, sign them, and push them back, which defeats the purpose of the built-in “Push to Git” automation in n8n.

I think it would be beneficial to add this because:

  • Enterprise Compliance: For many corporations, signed commits are a non-negotiable security requirement (SOC2, ISO 27001). Without this, n8n Environments cannot be fully adopted by enterprise DevOps teams.
  • Integrity and Trust: Signed commits ensure that the code/workflow changes truly originated from the authorized n8n instance and haven’t been tampered with.
  • Automation Continuity: It removes the manual “middle-man” step of having to sign commits locally, allowing for a seamless “n8n-to-GitHub” sync that respects modern security protocols.
  • Visibility: It allows teams to see the “Verified” badge in the GitHub UI, providing clear visual confirmation of the workflow’s provenance.

Any resources to support this?

Are you willing to work on this?
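For reference, the three settings requested above (signing key, signing identity, always-sign toggle) correspond to standard git configuration for SSH commit signing. The script below is an added example, not part of the original post and not n8n code; the key path, name and e-mail are constructed placeholders, and a local allowed-signers file stands in for the server-side signature check.

```shell
# Added example with constructed values; not n8n code.
signed_commit_status() {
  # SSH signing needs ssh-keygen and git >= 2.34.
  command -v git >/dev/null && command -v ssh-keygen >/dev/null \
    || { echo unsupported; return 0; }
  local v major minor work email rc
  v=$(git version | awk '{print $3}')
  major=${v%%.*}; v=${v#*.}; minor=${v%%.*}
  if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 34 ]; }; then
    echo unsupported; return 0
  fi

  work=$(mktemp -d) || return 1
  email="n8n-bot@example.invalid"   # placeholder signing identity

  # 1. Signing key: a dedicated key pair used only for signing commits.
  ssh-keygen -q -t ed25519 -N "" -C "$email" -f "$work/signing_key" || return 1
  git init -q "$work/repo" || return 1

  rc=0
  (
    cd "$work/repo" || exit 1
    git config gpg.format ssh
    git config user.signingkey "$work/signing_key"
    # 2. Signing identity: name and e-mail recorded on the commit.
    git config user.name "n8n instance (demo)"
    git config user.email "$email"
    # 3. Toggle: sign every commit made in this repository.
    git config commit.gpgsign true

    # Verifier side: trust this key for this identity, for git signatures only.
    printf '%s namespaces="git" %s\n' "$email" "$(cat "$work/signing_key.pub")" \
      > "$work/allowed_signers"
    git config gpg.ssh.allowedSignersFile "$work/allowed_signers"

    echo '{"name": "demo workflow"}' > workflow.json
    git add workflow.json
    git commit -q -m "Add demo workflow" || exit 1
    git log -1 --format='%G?'   # G = good signature, N = unsigned
  ) || rc=$?
  rm -rf "$work"
  return "$rc"
}

signed_commit_status
```

On GitHub, the public half of the key also has to be registered as a signing key on the committing account before the commit shows as Verified.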