GPG keys are a way to sign and verify work from trusted collaborators. You can generate a GPG key and add the public key to your GitHub account by following the procedures outlined in this section.

About GPG

Using GPG, you can sign and verify tags and commits. With GPG keys, tags or commits that you've authored on GitHub are verified and other people can trust that the changes you've made really were made by you.

Checking for existing GPG keys

Before you generate a GPG key, you can check to see if you have any existing GPG keys.

Generating a new GPG key

If you don't have an existing GPG key, you can generate a new GPG key to use for signing commits and tags.

Adding a new GPG key to your GitHub account

To configure your GitHub account to use your new (or existing) GPG key, you'll also need to add it to your GitHub account.

Telling Git about your GPG key

After you've set up your GPG key and added it to your GitHub account, you need to inform Git that there's a GPG key you'd like to use.

Associating an email with your GPG key

Your GPG key must be associated with a GitHub verified email that matches your committer identity.

Signing commits using GPG

Once you've set up your GPG key and associated it with your GitHub account and Git, you can sign commits. Your commits will show as verified within a pull request on GitHub.

Signing tags using GPG

Once you've set up your GPG key and associated it with your GitHub account and Git, you can sign tags.