Using GPG, you can sign and verify tags and commits. When you sign with a GPG key, tags and commits that you've authored are marked as verified on GitHub, so other people can trust that the changes really were made by you.
GitHub uses OpenPGP libraries to confirm that your locally signed commits and tags are cryptographically verifiable against a public key you have added to your GitHub account.
GitHub will automatically sign commits you make using the GitHub web interface. These commits will have a verified status on GitHub. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg.
You can check the verification status of your signed commits or tags on GitHub and view why your commit signatures might be unverified. For more information, see "Checking your GPG commit and tag signature verification status."
Repository administrators can enforce required commit signing on a branch to block all commits that are not signed with a verified GPG key. For more information, see "About required commit signing."
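To check signatures locally before pushing to a branch that requires signed commits, the following added example (not GitHub's own code) classifies each commit by git's `%G?` signature status. The function names and the `ALLOW_UNTRUSTED` variable are hypothetical, and the result reflects your local GPG keyring, not the verified status GitHub displays.

```bash
# Added example: audit commit signatures locally via git's %G? status code.
# Function names and ALLOW_UNTRUSTED are hypothetical, not part of git or GitHub.

# Map one %G? letter to "ok: ..." or "fail: ...".
# G = good signature; U = good signature, but the key has no assigned trust
# in the local keyring (accepted only when ALLOW_UNTRUSTED=1).
sig_verdict() {
  case "$1" in
    G) echo "ok: good signature" ;;
    U) if [ "${ALLOW_UNTRUSTED:-0}" = "1" ]; then
         echo "ok: good signature, key validity unknown"
       else
         echo "fail: good signature, key validity unknown"
       fi ;;
    X) echo "fail: good signature that has expired" ;;
    Y) echo "fail: good signature made by an expired key" ;;
    R) echo "fail: good signature made by a revoked key" ;;
    B) echo "fail: bad signature" ;;
    E) echo "fail: cannot be checked (e.g. public key missing)" ;;
    N) echo "fail: no signature" ;;
    *) echo "fail: unrecognised status '$1'" ;;
  esac
}

# Read "<commit-hash> <status>" lines on stdin, print one verdict per commit,
# and return 1 if any commit fails.
audit_lines() {
  audit_rc=0
  while read -r audit_hash audit_status; do
    [ -n "$audit_hash" ] || continue
    audit_verdict=$(sig_verdict "$audit_status")
    printf '%s %s\n' "$audit_hash" "$audit_verdict"
    case "$audit_verdict" in
      ok:*) ;;
      *) audit_rc=1 ;;
    esac
  done
  return "$audit_rc"
}

# Audit a revision range in the current repository.
# Usage: audit_range origin/main..HEAD
audit_range() {
  git log --format='%H %G?' "$1" | audit_lines
}
```

Commits made through the GitHub web interface report `E` until the public key from https://github.com/web-flow.gpg has been imported into the local keyring.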