Use GPG keys to sign your work locally and verify work from trusted collaborators. You can generate a GPG key and add the public key to your GitHub account by following the procedures outlined in this section. GitHub will automatically sign commits you make using the GitHub web interface.
Using GPG, you can sign and verify tags and commits. With GPG keys, tags or commits that you've authored on GitHub are verified and other people can trust that the changes you've made really were made by you.
Before you generate a GPG key, you can check to see if you have any existing GPG keys.
If you don't have an existing GPG key, you can generate a new GPG key to use for signing commits and tags.
To configure your GitHub account to use your new (or existing) GPG key, you'll also need to add it to your GitHub account.
After you've set up your GPG key and added it to your GitHub account, you need to inform Git that there's a GPG key you'd like to use.
Your GPG key must be associated with a GitHub verified email that matches your committer identity.
Once you've set up your GPG key and associated it with your GitHub account and Git, you can sign commits locally. Your commits will show as verified within a pull request on GitHub.
Once you've set up your GPG key and associated it with your GitHub account and Git, you can sign tags.
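The requirement above that the key match your committer identity can be checked locally before you sign anything. The following is an added example, not part of the original GitHub documentation: the function names and the sample key listing are constructed for illustration, and the script assumes `git` and `gpg` are on your PATH and that `user.signingkey` is already set.

```shell
#!/bin/sh
# Added example: confirm the key Git will sign with carries a usable user ID
# for the committer email. It cannot check that the address is verified on
# GitHub; that still has to be confirmed in your account settings.

# key_uid_matches EMAIL
# Reads `gpg --with-colons` output on stdin and succeeds if a uid record
# that is neither revoked (r) nor expired (e) contains <EMAIL>.
key_uid_matches() {
    awk -F: -v want="$1" '
        BEGIN { want = tolower(want); found = 0 }
        # uid records: field 2 is validity, field 10 is "Name <email>"
        $1 == "uid" && $2 !~ /^[re]/ {
            if (index(tolower($10), "<" want ">") > 0) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# check_signing_identity
# Compares Git's configured committer email with the configured signing key.
check_signing_identity() {
    email=$(git config user.email) || { echo "user.email is not set" >&2; return 2; }
    key=$(git config user.signingkey) || { echo "user.signingkey is not set" >&2; return 2; }
    if gpg --list-secret-keys --with-colons "$key" | key_uid_matches "$email"; then
        echo "OK: key $key has a usable user ID for $email"
    else
        echo "MISMATCH: key $key has no usable user ID for $email" >&2
        return 1
    fi
}

# Constructed sample listing (not a real key): one valid uid, one revoked uid.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1700000000:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::HASH::Example Dev <dev@example.com>::::::::::0:
uid:r::::1700000000::HASH::Example Dev <old@example.com>::::::::::0:'
```

Run `check_signing_identity` inside a repository; a mismatch means commits signed with that key will not line up with your committer email.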