Managing commit signature verification
You can sign your work locally using GPG or S/MIME. GitHub will verify these signatures so other people will know that your commits come from a trusted source. GitHub will automatically sign commits you make using the GitHub web interface.
About commit signature verification
Using GPG or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can trust that the changes come from a trusted source.
Checking for existing GPG keys
Before you generate a GPG key, you can check to see if you have any existing GPG keys.
Generating a new GPG key
If you don't have an existing GPG key, you can generate a new GPG key to use for signing commits and tags.
Adding a new GPG key to your GitHub account
To configure your GitHub account to use your new (or existing) GPG key, you'll also need to add it to your GitHub account.
Telling Git about your signing key
To sign commits locally, you need to inform Git that there's a GPG or X.509 key you'd like to use.
Associating an email with your GPG key
Your GPG key must be associated with a GitHub verified email that matches your committer identity.
Signing commits
You can sign commits locally using GPG or S/MIME.
Signing tags
You can sign tags locally using GPG or S/MIME.