When using GPG to verify your tags and commits, you may need to troubleshoot unexpected issues that may arise.
Before signing commits and tags with GPG, GitHub will confirm that your GPG signatures are cryptographically verifiable using OpenPGP libraries to ensure your signatures can be trusted. You can check the verification status of your commit and tag signatures on GitHub.
When verifying a signature, GitHub checks that the key is not revoked or expired. If your signing key is revoked or expired, GitHub cannot verify your signatures. If your key is revoked, use the primary key or another key that is not revoked to sign your commits.
When verifying a signature, GitHub checks that the committer or tagger email address matches an email address from the GPG key's identities and is a verified email address on the user's account. This ensures that the key belongs to you and that you created the commit or tag.