Notes and References
A GPG key-pair is required for the following:
Signing a Commit:
git commit -S -m "Commit message"
Signing a Tag:
git tag -sm "Tag message" tag_name
Signing All Commits and Tags Automatically:
git config --global commit.gpgsign true
git config --global tag.gpgsign true
Verifying Signed Commits:
git log --show-signature
Verifying Signed Tags:
git tag -v tag_name
Verifying Signatures when Merging a Branch with Git:
git merge --verify-signatures -S feature-branch # -S signs the merge commit; this happens automatically if [commit] gpgsign=true is set in .gitconfig
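The verification commands above are run by hand. As an added example (not part of the original notes), this script turns them into a pass/fail check over a commit range using git's `%G?` format placeholder. The function names, the policy of accepting only status `G`, and the range in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: fail when any commit in a range lacks a good, trusted signature.
# Input lines have the form "<status> <hash>", as printed by:
#   git log --format='%G? %H'
# %G? status letters: G good, U good but unknown validity, B bad,
# X good but signature expired, Y good but key expired,
# R good but key revoked, E cannot be checked (e.g. missing key), N none.

check_signature_lines() {
    bad=0
    while read -r st hash; do
        [ -n "$st" ] || continue            # skip blank lines
        case "$st" in
            G) ;;                           # only a fully good signature passes
            U) echo "untrusted key: $hash" >&2; bad=1 ;;
            B) echo "bad signature: $hash" >&2; bad=1 ;;
            X|Y) echo "expired signature or key: $hash" >&2; bad=1 ;;
            R) echo "revoked key: $hash" >&2; bad=1 ;;
            E) echo "cannot verify (missing key?): $hash" >&2; bad=1 ;;
            N) echo "unsigned commit: $hash" >&2; bad=1 ;;
            *) echo "unknown status '$st': $hash" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

audit_range() {
    # $1 is a revision range. Capture the output first so that a failing
    # git command (bad range, not a repository) is an error, not a silent pass.
    lines=$(git log --format='%G? %H' "$1") || return 2
    printf '%s\n' "$lines" | check_signature_lines
}

# Usage (hypothetical branch names):
#   audit_range origin/main..feature-branch || exit 1
```
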
Enforcing Signed Commits on GitHub: