Using GPG, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can trust that the changes come from a trusted source.
In this article:
About commit signature verification
You can sign commits and tags locally, so other people can verify that your work comes from a trusted source. If a commit or tag has a GPG signature that is cryptographically verifiable, GitHub Enterprise marks the commit or tag as verified.
If a commit or tag has a signature that cannot be verified, GitHub Enterprise marks the commit or tag as unverified.
You can check the verification status of your signed commits or tags on GitHub Enterprise and view why your commit signatures might be unverified. For more information, see "Checking your commit and tag signature verification status."
GPG commit signature verification
You can use GPG to sign commits with a GPG key that you generate yourself.
GitHub Enterprise uses OpenPGP libraries to confirm that your locally signed commits and tags are cryptographically verifiable against a public key you have added to your GitHub Enterprise account.
To sign commits using GPG and have those commits verified on GitHub Enterprise, follow these steps:
- Check for existing GPG keys
- Generate a new GPG key
- Add a new GPG key to your GitHub account
- Tell Git about your signing key
- Sign commits
- Sign tags
