Using GPG, you can sign and verify tags and commits. With GPG keys, tags or commits that you've authored on GitHub Enterprise are verified and other people can trust that the changes you've made really were made by you.

When you set up GPG, you'll generate a GPG key and then add the key to your GitHub Enterprise account. You'll also need to tell Git about your GPG key and associate your GitHub Enterprise email with your GPG key.

GitHub Enterprise uses OpenPGP libraries to confirm that your locally signed commits and tags are cryptographically verifiable against a public key you have added to your GitHub Enterprise account.

You can check the verification status of your signed commits or tags on GitHub Enterprise and view why your commit signatures might be unverified. For more information, see "Checking your GPG commit and tag signature verification status."

Repository administrators can enforce required commit signing on a branch to block all commits that are not signed with a verified GPG key. For more information, see "About required commit signing."

Further reading