Using GPG, you can sign and verify tags and commits. With GPG keys, tags or commits that you've authored on GitHub are verified and other people can trust that the changes you've made really were made by you.

When you set up GPG, you'll generate a GPG key and then add the key to your GitHub account. You'll also need to tell Git about your GPG key and associate your GitHub email with your GPG key.
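The last two steps (telling Git about the key and tying it to your email) can be checked in one place. This is an added example, not GitHub's own code: the function names and the trimmed `gpg --list-secret-keys --with-colons` sample are constructed for illustration, and it assumes `user.email` is already set in Git.

```shell
#!/bin/sh
# Pick the secret key whose user ID carries the commit email, then point Git at it.
# Colon-listing fields used: 1 = record type, 2 = validity (e = expired,
# r = revoked), 5 = long key ID (sec records), 10 = user ID (uid records).

signing_key_for_email() {
    # $1 = email to look for; the colon listing is read from stdin.
    # Prints the long key ID and returns 0, or returns 1 if nothing matches.
    awk -F: -v email="$1" '
        $1 == "sec" { keyid = $5; usable = ($2 !~ /^[er]$/) }
        $1 == "uid" && usable && $2 !~ /^[er]$/ && index($10, "<" email ">") {
            print keyid; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    '
}

configure_git_signing() {
    # Runs against the real keyring; not called by the demo below.
    email=$(git config user.email) || return 1
    keyid=$(gpg --list-secret-keys --with-colons | signing_key_for_email "$email") || {
        echo "no usable secret key has a user ID for $email" >&2
        return 1
    }
    git config --global user.signingkey "$keyid"
}

# Constructed sample: an expired key and a current key with the same email.
SAMPLE_LISTING='sec:e:255:22:1111111111111111:1600000000:1631536000::u:::sc:::+::ed25519:::0:
uid:e::::1600000000::0000::Example Dev <dev@example.com>::::::::::0:
sec:u:255:22:2222222222222222:1700000000:::u:::scESC:::+::ed25519:::0:
uid:u::::1700000000::0000::Example Dev <dev@example.com>::::::::::0:
ssb:u:255:18:3333333333333333:1700000000::::::e:::+::cv25519::'

# Demo on the sample: the expired key is skipped, the current one is chosen.
printf '%s\n' "$SAMPLE_LISTING" | signing_key_for_email dev@example.com
```

If no user ID on any usable key contains the email Git puts in your commits, `configure_git_signing` stops instead of configuring a key that cannot be matched to you.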

Before you sign commits and tags with GPG, note that GitHub also uses OpenPGP libraries to confirm that your GPG signatures are cryptographically verifiable, which ensures your signatures can be trusted.

You can check the verification status of your GPG commit and tag signatures on GitHub and view why your commit signatures might be unverified.
