To sign commits associated with your account on GitHub AE, you can add a public GPG key to your personal account. Before you add a key, you should check for existing keys. If you don't find any existing keys, you can generate and copy a new key. For more information, see "Checking for existing GPG keys" and "Generating a new GPG key."
You can add multiple public keys to your account on GitHub AE. Commits signed by any of the corresponding private keys will show as verified. If you remove a public key, any commits signed by the corresponding private key will no longer show as verified.
GitHub AE supports several GPG key algorithms. If you try to add a key generated with an unsupported algorithm, you may encounter an error.
When verifying a signature, GitHub AE extracts the signature and attempts to parse its key ID. The key ID is then matched with keys added to GitHub AE. Until a matching GPG key is added to GitHub AE, it cannot verify your signatures.
In the upper-right corner of any page, click your profile photo, then click Settings.
In the user settings sidebar, click SSH and GPG keys.
Click New GPG key.
In the "Key" field, paste the GPG key you copied when you generated your GPG key.
Click Add GPG key.
To confirm the action, enter your GitHub AE password.
When verifying a signature, GitHub AE checks that the key is not revoked or expired. If your signing key is revoked or expired, GitHub AE cannot verify your signatures.
If your key is expired, you must update its expiration, export the new key, delete the expired key in your account on GitHub AE, and add the new key to your account as described above. Your previous commits and tags will show as verified, as long as the key meets all other verification requirements.
If your key is revoked, use the primary key or another key that is not revoked to sign your commits.
If your key is invalid and you don't use another valid key in your key set, but instead generate a new GPG key with a new set of credentials, then your commits made with the revoked or expired key will continue to show as unverified. Also, your new credentials will not be able to re-sign or verify your old commits and tags.