Before signing commits and tags with GPG, GitHub will confirm that your GPG signatures are cryptographically verifiable using OpenPGP libraries to ensure your signatures can be trusted. You can check the verification status of your commit and tag signatures on GitHub.

Checking your GPG commit signature verification status

  1. On GitHub, navigate to your pull request.
  2. On the pull request, click Commits. Commits tab on a pull request

  3. Next to your commit's abbreviated commit hash, there is a box that shows whether your commit signature is verified or unverified. Signed commit

  4. To view more detailed information about the commit signature, click Verified or Unverified. Verified signed commit

If your commit signature is unverified, you can learn more about why by clicking the Unverified box. Unverified signed commit

Checking your GPG tag signature verification status

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Releases. Releases tab

  3. At the top of the Releases page, click Tags. Tags page

  4. Next to your tag description, there is a box that shows whether your tag signature is verified or unverified. verified tag signature
  5. To view more detailed information about the tag signature, click Verified or Unverified. If your tag signature is unverified, you can learn more about why by clicking the Unverified box. Verified signed tag

Further reading