When you want to make sure your commits are really yours, or that only people who are actually on your team are the ones making changes, sign your commits!
These are the steps I took on a mac because I didn’t want to install a bunch of software that I wasn’t going to use.
brew install gpg pinentry-mac
Add the following to your
Create a gpg key (assuming you have at least gpg 2.1.17)
Choose the default RSA key type and a key length of 4096 bits.
Find the id of your key
gpg --list-secret-keys --keyid-format LONG
The id will be right after the rsa4096/ part. Now register the key
git config --global user.signingkey <id_from_above>
git config --global commit.gpgsign true
You can test it out by doing
echo test | gpg --clearsign
If it asks for a passphrase but not for the key id you want, add the --default-key parameter
echo test | gpg --clearsign --default-key <id_from_above>
Export the public key so you can copy it into GitHub
gpg --armor --export <id_from_above>
Now add pinentry by creating ~/.gpg-agent.conf
You might need to reboot to have this take effect.
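The "find the id, then register it" steps above are done by eye. Here is an added example, not part of the original post, that pulls the long id out of `gpg --list-secret-keys --keyid-format LONG` output (the token after `rsa4096/`) and builds the two git config commands from it; the key listing embedded below is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: extract the long key id from a gpg secret key listing and
# produce the git config commands the post runs. SAMPLE_LISTING is a
# constructed listing in the format of `gpg --list-secret-keys --keyid-format LONG`;
# the ids in it are made up and belong to no real key.

SAMPLE_LISTING='/Users/me/.gnupg/pubring.kbx
------------------------------
sec   rsa4096/3AA5C34371567BD2 2023-01-02 [SC]
      4F0B1E1C7D1A5B2C3D4E5F60718293A4B5C6D7E8
uid                 [ultimate] Jane Doe <jane@example.com>
ssb   rsa4096/42B317FD4BA89E7A 2023-01-02 [E]
'

# Print the long id of the first primary secret key ("sec" line).
# Subkeys ("ssb" lines) are skipped: the encryption subkey shown in the
# listing is not the id git should sign with.
signing_key_id() {
    printf '%s\n' "$1" | awk '$1 == "sec" { split($2, a, "/"); print a[2]; exit }'
}

# A long key id is exactly 16 upper-case hex digits; anything else
# (a short 8-digit id, an empty string, a fingerprint) is rejected so a
# typo never ends up in user.signingkey.
is_long_keyid() {
    printf '%s' "$1" | grep -Eq '^[0-9A-F]{16}$'
}

# Emit the two commands from the post with the id filled in.
# Returns 1 (and prints nothing) if no usable id was found.
git_signing_config() {
    id=$(signing_key_id "$1")
    is_long_keyid "$id" || return 1
    printf 'git config --global user.signingkey %s\n' "$id"
    printf 'git config --global commit.gpgsign true\n'
}

# Usage on a real machine (not run here):
#   git_signing_config "$(gpg --list-secret-keys --keyid-format LONG)"
```

Piping the output of `git_signing_config` into `sh` applies both settings; review the printed id first if you have more than one secret key.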
Read more here: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work