You must sign every code change, in the form of a Git commit, using a GPG key.
How to sign Git commits
Install gpg (or gpg2)
If you have a package manager such as brew or yum, you can just do:
That should be it. Otherwise, download it from https://www.gnupg.org/download/. Scroll down to "binary releases"; Mac users select "GnuPG for OSX"; Windows users select "gpg4win". This will install either 'gpg' or 'gpg2' on your system. Most of the commands you'll see online use the old gpg program, so we suggest creating an alias called 'gpg' if you ended up with gpg2.
Generate your GPG key
Add your GPG key to your GitHub account
Follow the steps at https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/
Tell Git about your GPG key
Publish your newly-created GPG key
Check Your Key
You can check to see whether the key was sent using the web page at http://pgp.mit.edu or by doing a "dry run" receive of the key:
(Recommended) Set up Automatic Signing
To remove the hassle of always remembering to sign your commits, you can configure Git to sign all your commits automatically as you create them.
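The steps above, from finding your key ID to turning on automatic signing, as an added example (not part of the original guide). It assumes a POSIX shell with awk and grep; the key listing is a constructed sample of `gpg --list-secret-keys --keyid-format=long` output, and the key ID, name and email in it are made up. The functions pull the long key ID out of that listing, refuse anything that is not a 16-digit hex ID, and apply the three Git settings (signing key, gpg binary, automatic signing).

```shell
#!/bin/sh
# Added example, not from the original guide: locate the long key ID in
# gpg's secret-key listing, sanity-check it, and apply the Git settings that
# make every commit signed with that key. The listing below is a constructed
# sample of `gpg --list-secret-keys --keyid-format=long` output.
SAMPLE_LISTING='/home/dev/.gnupg/pubring.kbx
-----------------------------
sec   rsa4096/3AA5C34371567BD2 2016-03-10 [SC] [expires: 2026-03-10]
      4B8B1F0D1E3C2A9B7D6E5F4A3AA5C34371567BD2
uid                 [ultimate] Example Dev <dev@example.com>
ssb   rsa4096/42B317FD4BA89E7A 2016-03-10 [E]'

# Print the 16-hex-digit long ID of the first primary secret key (the "sec"
# line; "sec>" marks a key held on a smartcard, so only the prefix is matched).
extract_signing_key_id() {
  printf '%s\n' "$1" | awk '/^sec/ { split($2, parts, "/"); print parts[2]; exit }'
}

# Succeed only for a 16-character uppercase hex long key ID. Short 8-digit
# IDs are rejected because colliding ones are cheap to generate.
is_long_key_id() {
  printf '%s' "$1" | grep -Eq '^[0-9A-F]{16}$'
}

# Tell Git which key to sign with, which gpg binary to call (gpg2 on some
# systems, as the guide notes), and turn on automatic signing for every commit.
configure_git_signing() {
  key_id="$1"
  gpg_bin="${2:-gpg}"
  is_long_key_id "$key_id" || { echo "refusing to configure with bad key id: $key_id" >&2; return 1; }
  git config --global user.signingkey "$key_id"
  git config --global gpg.program "$gpg_bin"
  git config --global commit.gpgsign true
}

# Demonstration on the constructed listing. Run configure_git_signing
# yourself once the printed ID is really yours, e.g.:
#   configure_git_signing "$KEY_ID" gpg2
KEY_ID=$(extract_signing_key_id "$SAMPLE_LISTING")
echo "signing key: $KEY_ID"
# Publishing and the "dry run" check the guide describes (network commands,
# deliberately not executed here):
#   gpg --keyserver pgp.mit.edu --send-keys "$KEY_ID"
#   gpg --keyserver pgp.mit.edu --dry-run --recv-keys "$KEY_ID"
```

Always use the long (16-digit) ID for `user.signingkey`; the short 8-digit form that older tutorials show is ambiguous, and Git will sign with whichever key matches.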
(Recommended) Be Prepared in Case Key is Compromised
Store GPG key or create and store revocation certificate
If your GPG key is ever compromised, you'll want to revoke that key. You use your GPG key to create a revocation certificate. Since your private key is encrypted with a passphrase, you can keep a backup copy of it together with its passphrase. However, in case you lose your key, we recommend making a revocation certificate before you need it. The exact procedure for generating a revocation certificate varies depending on which GPG software you are using. Here's a useful page on creating a revocation certificate. You can use this command:
gpg2 --output revoke.asc --gen-revoke KEYNAME
Make a backup of the revocation certificate and store it securely, for example on non-volatile, removable media.
Revoke your key if it is compromised
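The two steps above (create and back up a revocation certificate, then use it if the key is compromised) as an added example, not part of the original guide. It assumes a POSIX shell; KEYNAME, the key ID and the file paths are placeholders, and the certificate body written by `write_sample_certificate` is a constructed stand-in for the real file (gpg2's output starts with an armored "PGP PUBLIC KEY BLOCK" header and a comment line identifying it as a revocation certificate). The check function catches the two mistakes that make a backup useless: saving the public key instead of the certificate, and leaving the file readable by other users, since anyone holding it can revoke your key.

```shell
#!/bin/sh
# Added example, not from the original guide: generate a revocation
# certificate with gpg2 as the guide shows, then check the backed-up copy
# before relying on it. KEYNAME and the paths are placeholders.

# Step 1 (needs gpg2 and your key; not executed here): create the certificate
# and keep it readable by you alone.
make_revocation_certificate() {
  key_name="$1"; out_file="$2"
  gpg2 --output "$out_file" --gen-revoke "$key_name"
  chmod 600 "$out_file"
}

# Step 2: validate a stored certificate. Returns 0 when it looks usable.
check_revocation_certificate() {
  cert="$1"
  [ -f "$cert" ] || { echo "missing: $cert" >&2; return 1; }
  grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$cert" \
    || { echo "not an armored key block" >&2; return 1; }
  grep -q 'This is a revocation certificate' "$cert" \
    || { echo "no revocation comment; is this the public key instead?" >&2; return 1; }
  # Permission string from ls is portable; group and other bits must all be '-'.
  mode=$(ls -ld "$cert" | cut -c5-10)
  [ "$mode" = "------" ] || { echo "too permissive ($mode): chmod 600 $cert" >&2; return 1; }
}

# Step 3 (needs gpg and network access; not executed here): revoke a
# compromised key by importing the certificate into your keyring and
# republishing the now-revoked key so others pick up the revocation.
revoke_key() {
  key_id="$1"; cert="$2"
  check_revocation_certificate "$cert" || return 1
  gpg --import "$cert"
  gpg --keyserver pgp.mit.edu --send-keys "$key_id"
}

# Constructed stand-in for the file gpg2 writes (the base64 body is fake).
write_sample_certificate() {
  cat > "$1" <<'EOF'
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: This is a revocation certificate

iQEzBAEBCAAdFiEEexampleexampleexampleexampleexampleAAAA=
=ABCD
-----END PGP PUBLIC KEY BLOCK-----
EOF
  chmod "${2:-600}" "$1"
}
```

After restoring the backup from removable media, run `check_revocation_certificate` on it before importing; a certificate that fails the permission check should be re-protected with chmod 600, and one that fails the comment check is probably your exported public key rather than the revocation.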
If You Lose Your Key and Create a New Key
Do not delete your old key from GitHub while you are in the process of adding the new key; if you do, all of the commits signed using the old key will show as "unverified".
If you did delete it from GitHub but had previously published it to the MIT server, you can recover the key from the MIT server and add it back to your GitHub account: on pgp.mit.edu, search for your email address. This retrieves all the keys published under it. Copy the desired key and add it to your GitHub account.
Sign Your Commits
You are all set! Now you can sign your commits. For the Git commands to sign commits, see https://help.github.com/articles/signing-commits-using-gpg/.
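Once signing is configured, the check a reviewer wants is whether every commit in a range actually carries a good signature. The following added example (not part of the original guide, and going slightly beyond it by auditing history rather than a single commit) assumes a POSIX shell with awk and git. It relies on Git's `--pretty` placeholders `%G?` (one-letter signature status: G good, B bad, U good but untrusted, E cannot be checked, N unsigned) and `%GS` (signer name); the log lines are a constructed sample standing in for real output, with made-up hashes and signer.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a commit range for
# commits that lack a good signature. The sample below is constructed and
# mimics `git log --pretty='%H %G? %GS'` output.
SAMPLE_LOG='a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 G Example Dev <dev@example.com>
b2c3d4e5f60718293a4b5c6d7e8f90123456789a N
c3d4e5f60718293a4b5c6d7e8f90123456789ab1 E
d4e5f60718293a4b5c6d7e8f90123456789ab1c2 G Example Dev <dev@example.com>'

# Print the hashes of commits whose signature status is anything other than G.
# An unsigned commit (N) and one whose signer key is missing from the keyring
# (E) are both reported, because neither can be trusted as-is.
unverified_commits() {
  printf '%s\n' "$1" | awk '$2 != "G" { print $1 }'
}

# Count them; 0 means every commit in the range carries a good signature.
count_unverified() {
  unverified_commits "$1" | grep -c . || true
}

# Real usage (requires git and the signers' public keys in your keyring):
#   audit_repo_range main..HEAD
# Exits non-zero and lists offenders when any commit fails the check.
audit_repo_range() {
  log=$(git log --pretty='%H %G? %GS' "$1")
  n=$(count_unverified "$log")
  [ "$n" -eq 0 ] || {
    echo "$n commit(s) without a good signature:" >&2
    unverified_commits "$log" >&2
    return 1
  }
}

# Demonstration on the constructed sample.
echo "unverified in sample: $(count_unverified "$SAMPLE_LOG")"
```

An E status usually means the signer's public key is not in your keyring; fetch it (the guide's `--recv-keys` step) and re-run before treating the commit as unverified.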
For more information on GPG and Git signatures, see https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work.