Signing GitHub Commits with a GPG Key

Stephan Schulze
Published in Project A Insights · 2 min read · Dec 8, 2016

Did you know that you can easily sign your GitHub commits with a GPG key?

Simply add the parameter -S to your git command:

git commit -S -m "your message"

The result will look like this:

[Image: list of commits inside a pull request]
[Image: popup when clicking on the “Verified” button]

Now, you might ask yourself: Why should I care about signing my GitHub commits? GitHub allows the name and e-mail address of a commit’s author to be set by configuration. This means that anyone could potentially use your e-mail address to commit changes to a repository. Signing your commits with a GPG key will verify you as the genuine author and thereby prevent abuse of your e-mail address and, accordingly, your identity.
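To see why the author field alone proves nothing, here is an added example (not part of the original post) that audits a repository for commits without a good signature, using git's `%G?` log placeholder. The throwaway repository, the identity "Alice Example" and the function names are constructed for illustration; the check uses the local GPG keyring, which is separate from GitHub's "Verified" badge.

```shell
#!/bin/sh
# Added example: list each commit's signature status and count the unverified ones.
# All names, addresses and paths below are constructed placeholders.

# Build a throwaway repo with one unsigned commit. The author identity comes
# purely from local configuration; nothing checks that it is genuine.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    git -C "$repo" init -q
    git -C "$repo" config user.name "Alice Example"
    git -C "$repo" config user.email "alice@example.com"
    git -C "$repo" config commit.gpgsign false
    echo demo > "$repo/file.txt"
    git -C "$repo" add file.txt
    git -C "$repo" commit -q -m "unsigned commit"
    echo "$repo"
}

# Print "<status> <short hash> <author e-mail>" per commit (default: HEAD).
# %G? values: G good, B bad, U good but unknown validity, X/Y expired,
# R revoked key, E cannot be checked, N no signature.
list_signature_status() {
    git -C "$1" log --format='%G? %h %ae' "${2:-HEAD}"
}

# Count commits whose status is anything other than G (strict policy).
count_unverified() {
    list_signature_status "$1" "${2:-HEAD}" |
        awk '$1 != "G" { n++ } END { print n + 0 }'
}

# Demo run against the constructed repository.
demo_repo=$(make_demo_repo) &&
    list_signature_status "$demo_repo" &&
    echo "unverified commits: $(count_unverified "$demo_repo")" &&
    rm -rf "$demo_repo"
```

Pointing `list_signature_status` at a real checkout, with a revision range such as `origin/main..HEAD` as the second argument, shows which commits in a branch would not pass a signed-commits policy.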

A more detailed explanation on how to add a GPG key to your GitHub account can be found here.
