Commits are signed so that the author of a commit can be verified. An SSH key (or username and password) only proves that you are allowed to authenticate to GitHub; it says nothing about who authored a particular commit.
gpg-agent
to ~/.gnupg/gpg-agent.conf
Distribution of keys is done using keybase.io. To integrate Keybase, gpg and git, follow the instructions here. Upload your own public key to GitHub. Never share your private key with anyone.
Unsigned commits will be rejected.
When running git log --show-signature, a commit with a signature will look like this:
commit 4e6af36ca6d285033dd532e66469f273c6b64a37 (HEAD -> a-branch, origin/a-branch)
gpg: Signature made Tue Mar 27 14:11:45 2018 CEST
gpg: using RSA key 0A46826A
gpg: Good signature from "John Doe <john@doe.com>" [complete]
gpg: aka "John Doe <john.doe@work.com>" [complete]
Author: John Doe <john@doe.com>
Date: 20 hours ago
Summarize changes in around 50 characters or less
...
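A check of the kind implied by the rejection rule above, added here as an example and not taken from the original page: it reads git's per-commit signature status (the %G? placeholder of git log --format, which distinguishes a good trusted signature from an untrusted, bad or missing one) and fails on anything that is not a good, trusted signature. The function names and messages are my own.

```shell
#!/bin/sh
# Hypothetical server-side hook / CI gate (example code, not from the page):
# reject any commit whose signature status is not "G".
# git's %G? status letters: G good, B bad, U good but key not trusted,
# X good but expired, Y good but key expired, R good but key revoked,
# E cannot be checked (e.g. missing public key), N no signature at all.

# check_signatures reads "<status> <hash>" lines on stdin, i.e. the output of
#   git log --format='%G? %H'
# prints one line per offending commit and returns 1 if any commit fails.
check_signatures() {
    bad=0
    while read -r status hash; do
        [ -z "$status" ] && continue
        case "$status" in
            G) ;;
            N) echo "rejected: $hash has no signature"; bad=1 ;;
            B) echo "rejected: $hash has a bad signature"; bad=1 ;;
            U) echo "rejected: $hash is signed by an untrusted key"; bad=1 ;;
            E) echo "rejected: $hash signature cannot be checked"; bad=1 ;;
            *) echo "rejected: $hash has signature status '$status'"; bad=1 ;;
        esac
    done
    return "$bad"
}

# verify_range checks every commit in old..new of the current repository.
# Usage in a pre-receive hook: verify_range "$oldrev" "$newrev"
verify_range() {
    git log --format='%G? %H' "$1..$2" | check_signatures
}
```

A status of U (good signature, untrusted key) is rejected on purpose: the key must be trusted locally, which corresponds to the [complete] validity shown in the log output above.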