No signed commit for "Sync an out of date branch of a fork from the web"

I used this feature: Sync an out of date branch of a fork from the web | GitHub Changelog

it created a merge commit: Merge branch 'django:main' into always-open-field-file-on-access · graingert/django@50efa6b · GitHub

but it wasn’t signed by 4AEE18F83AFDEB23 and I expected it to be

/cc @canuckjacq

I’m not sure what you mean by “signed” here — but I’m assuming you are referring to the commit hash (unique identifier).

Synching an outdated branch will re-play any commits you have added to the upstream branch, hence the commits’ hashes will change. Also, depending on the upstream repository settings and strategy regarding merging pull requests (merge, squash, or rebase), synching an outdated branch might involve rebasing it onto the fetched upstream branch (so, even the upstream commits might have changed their original hashes).

By signed I mean GPG/PGP signed.

In this case, the synching feature won’t be able to sign any commits it altered via operations like rebase, merge, etc.:

You can now use the web UI to synchronize an out of date branch of a fork with its upstream branch. If there are no merge conflicts between the branches, the fork’s branch is updated either by fast-forwarding or by merging from the upstream’s branch.

GPG signatures are naturally lost due to these operations, and only the original committer can sign them again, since the operation requires his/her private GPG/PGP key and password.

As far as I can remember, GitHub doesn’t handle encryption signatures on the user's behalf, and only stores public keys in user accounts.
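
One way to audit a branch after a web sync for commits that carry no signature, using git's `%G?` signature-status placeholder (an added example, not from the thread; the function names, the throwaway demo repository and its `upstream`/`topic` branch names are constructed for illustration):

```shell
#!/bin/sh
# %G? status letters: G good, B bad, U good but unknown validity,
# X/Y expired signature/key, R revoked key, E cannot be checked, N no signature.

# Short hash, status letter, signing key id (empty if unsigned), subject.
# $1 = repository path, $2 = revision range, e.g. upstream/main..HEAD
sig_report() {
    git -C "$1" log --format='%h %G? %GK %s' "$2"
}

# Full hashes of commits in the range that have no signature at all.
unsigned_commits() {
    git -C "$1" log --format='%H %G?' "$2" | awk '$2 == "N" { print $1 }'
}

# Same check restricted to merge commits, the kind a sync creates when
# the fork's branch cannot simply be fast-forwarded.
unsigned_merges() {
    git -C "$1" log --merges --format='%H %G?' "$2" | awk '$2 == "N" { print $1 }'
}

# Constructed sample input: a throwaway repository whose "topic" branch has
# one local commit plus an unsigned merge of "upstream". Prints its path.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    # Helper (assumption: illustrative only) that pins identity and disables
    # signing, so the demo does not depend on the caller's git configuration.
    g() {
        git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false "$@"
    }
    git init -q "$repo" >/dev/null 2>&1 || return 1
    g commit -q --allow-empty -m "base"
    g branch upstream
    g checkout -q -b topic
    g commit -q --allow-empty -m "fork work"
    g checkout -q upstream
    g commit -q --allow-empty -m "upstream work"
    g checkout -q topic
    g merge -q --no-ff --no-edit upstream >/dev/null
    echo "$repo"
}

# Usage against a real fork:  unsigned_merges . upstream/main..HEAD
```

A commit listed here can only gain a signature by being recreated locally with the signing key available, which produces a new commit hash.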