GitHub shows "Verified" on commits signed by an authorized GnuPG key. If you enable Vigilant mode, unsigned commits are marked as Unverified.
This is a quick cheatsheet on how to create a set of signing keys, set Git to use them for commits, and add the key to GitHub as an authorized key. It should work on Ubuntu/Debian Linux out of the box if you already have GnuPG and Git installed.
For even more secure infrastructure, the master key may be moved from the computer to a hardware key such as a YubiKey, a GoTrust Idem Key, or a bitcoin hardware wallet that supports this, such as Trezor; it then may not need an expiry date at all. Even better, the TPMs (secure elements) of such smart cards can generate the private key on the device itself and never leak it outside. This master key then creates subkeys, which may have a shorter lifespan. This is out of scope of this quick guide, where both the master key and the subkeys have 5y validity for simplicity.
Note that both RSA and EC keys, including nist-p256 etc. and ed25519, may be broken in the future by quantum computers. You can already generate hybrid keys including post-quantum ciphers on modern GnuPG versions, but support for them is limited as of 2026. You may try that by replacing the subkey string cv25519 below with e.g. ky1024_cv448 to get a hybrid subkey using post-quantum Kyber1024 + regular Curve448 etc. (You need GnuPG 2.5+ for that, so you need to install a newer GnuPG on Ubuntu 24.04 via the gnupg apt repo for Ubuntu 24.04 "noble".)
# master key, may not expire at all if stored on yubikey etc, set passphrase
gpg --quick-generate-key 'Your Name (Signing key) <example@example.com>' ed25519 cert 5y
# (shows fingerprint, copy to KEYFP variable)
export KEYFP=COPY_FINGERPRINT_HERE
# separate subkeys for signing, encryption, authentication, may expire e.g. in 1 year and be rotated if needed
gpg --quick-add-key "$KEYFP" ed25519 sign 5y
gpg --quick-add-key "$KEYFP" cv25519 encr 5y
gpg --quick-add-key "$KEYFP" ed25519 auth 5y
# verify
gpg -K
# export public key block for e.g. GitHub to paste into https://github.com/settings/keys
gpg --armor --export "$KEYFP"
# export ssh key string to use in authorized_keys for ssh connection if needed
# (gpg requires the key to be named; it exports the authentication subkey)
gpg --export-ssh-key "$KEYFP"
# configure auto-sign all git commits
git config --global user.signingkey "$KEYFP"
git config --global commit.gpgsign true
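The "verify" step above can be made stricter than eyeballing `gpg -K`. The following is an added example, not part of the original cheatsheet: it audits GnuPG's machine-readable `--with-colons` listing for the layout this guide creates (certify-only master key plus live sign, encrypt and auth subkeys). The function names and the sample listing, with its key IDs and dates, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the key layout built above from GnuPG colon output.
# Real use: gpg --with-colons -K "$KEYFP" | check_key_layout
# Field 12 = capabilities (lowercase: this key itself), field 7 = expiry (epoch).

# check_key_layout [NOW_EPOCH]: exit 0 only if the primary key is certify-only
# and unexpired, and live sign, encrypt and auth subkeys exist.
check_key_layout() {
  awk -F: -v now="${1:-$(date +%s)}" '
    function own(caps) { gsub(/[A-Z]/, "", caps); return caps }
    function dead() { return $2 ~ /^[re]$/ || ($7 != "" && $7 + 0 <= now + 0) }
    $1 == "sec" || $1 == "pub" {
      seen = 1
      if (own($12) != "c") { print "FAIL primary " $5 " capabilities: " own($12) ", expected c"; bad = 1 }
      if (dead())          { print "FAIL primary " $5 " expired or revoked"; bad = 1 }
    }
    $1 == "ssb" || $1 == "sub" {
      if (dead()) { print "WARN subkey " $5 " expired or revoked, ignored"; next }
      caps = own($12)
      for (i = 1; i <= length(caps); i++) have[substr(caps, i, 1)] = $5
    }
    END {
      if (!seen) { print "FAIL no primary key in input"; bad = 1 }
      n = split("s e a", need, " ")
      for (i = 1; i <= n; i++) {
        if (need[i] in have) print "OK   " need[i] " subkey " have[need[i]]
        else { print "FAIL no usable " need[i] " subkey"; bad = 1 }
      }
      exit (bad ? 1 : 0)
    }'
}

# Constructed sample listing: key IDs and timestamps are made up for this example.
sample_listing() {
  cat <<'EOF'
sec:u:255:22:1111111111111111:1767225600:1924992000::u:::cESCA:::+:::ed25519:::0:
ssb:u:255:22:2222222222222222:1767225600:1924992000:::::s:::+:::ed25519::
ssb:u:255:18:3333333333333333:1767225600:1924992000:::::e:::+:::cv25519::
ssb:u:255:22:4444444444444444:1767225600:1924992000:::::a:::+:::ed25519::
EOF
}

sample_listing | check_key_layout 1770000000
```

A non-zero exit status means the key should be fixed before it is uploaded to GitHub or configured as `user.signingkey`.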