Using GPG, you can sign and verify tags and commits. With GPG keys, tags or commits that you've authored on GitHub are verified and other people can trust that the changes you've made really were made by you.

When you set up GPG, you'll generate a GPG key and then add the key to your GitHub account. You'll also need to tell Git about your GPG key and associate your GitHub email with your GPG key.

GitHub uses OpenPGP libraries to confirm that your locally signed commits and tags are cryptographically verifiable against a public key you have added to your GitHub account.

GitHub will automatically sign commits you make using the GitHub web interface. These commits will have a verified status on GitHub. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg.

You can check the verification status of your signed commits or tags on GitHub and view why your commit signatures might be unverified. For more information, see "Checking your GPG commit and tag signature verification status."

Further reading