Using GPG, you can sign and verify tags and commits. With GPG keys, tags or commits that you've authored on GitHub Enterprise are verified and other people can trust that the changes you've made really were made by you.

When you set up GPG, you'll generate a GPG key and then add the key to your GitHub Enterprise account. You'll also need to tell Git about your GPG key and associate your GitHub Enterprise email with your GPG key.

Before signing commits and tags with GPG, GitHub Enterprise will also confirm that your GPG signatures are cryptographically verifiable using OpenPGP libraries to ensure your signatures can be trusted.

You can check the verification status of your GPG commit and tag signature status on GitHub Enterprise and view why your commit signatures might be unverified.

Further reading