Managing commit signature verification
You can sign your work locally using GPG or S/MIME. GitHub will verify these signatures so other people will know that your commits come from a trusted source. GitHub will automatically sign commits you make using the GitHub web interface.
About commit signature verification→
Using GPG or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can trust that the changes come from a trusted source.
Checking for existing GPG keys→
Before you generate a GPG key, you can check to see if you have any existing GPG keys.
Generating a new GPG key→
If you don't have an existing GPG key, you can generate a new GPG key to use for signing commits and tags.
Adding a new GPG key to your GitHub account→
To configure your GitHub account to use your new (or existing) GPG key, you'll also need to add it to your GitHub account.
Telling Git about your signing key→
To sign commits locally, you need to inform Git that there's a GPG or X.509 key you'd like to use.
Associating an email with your GPG key→
Your GPG key must be associated with a GitHub verified email that matches your committer identity.
You can sign commits locally using GPG or S/MIME.
You can sign tags locally using GPG or S/MIME.