PGP (Pretty Good Privacy) is the proprietary (owned by Symantec) backbone of the OpenPGP standard. It is used to encrypt files before exchanging them with partners or remote locations, and to encrypt emails, directories and disk partitions, so it is a fitting solution for modern cybersecurity needs. It can also be used to sign the commits pushed to a GitHub repository, so that GitHub marks those commits as verified.

GPG (GNU Privacy Guard) is an independent FOSS implementation of OpenPGP and can be used to exchange encrypted information with PGP. It is now the most widely used OpenPGP implementation, and is even more compliant with the standard than PGP.

Generate and test GPG key

Start a shell and make a GPG key with GPG according to the GitHub requirements:

$ gpg --default-new-key-algo rsa4096 --gen-key

Important: if you've set GitHub to keep your personal email addresses private in Settings -> Email, you will need to use the email alias generated by GitHub. You'll find it on the same page. The alias should look like "62265998+gitusername@users.noreply.github.com".

You can check the generated key:

$ gpg --list-secret-keys --keyid-format=long
/home/user/.gnupg/pubring.kbx
----------------------------
sec   rsa4096/88E6F4A117EF5574 2024-12-31 [SC]
      04A1FBFFC0ACB0FA7045219F88E6F4A117EF5574
uid                 [ultimate] gitusername (GPG key for Github) <62265998+gitusername@users.noreply.github.com>
ssb   rsa4096/12244FF19EB15687 2024-12-31 [E]

Important: the key ID in this example is the string following rsa4096, so 88E6F4A117EF5574. Note it down, it will be used later.

Enable commit signing:

$ git config --global commit.gpgsign true

Set your primary GPG signing key in Git:

$ git config --global user.signingkey 88E6F4A117EF5574

Some tools like Visual Studio Code won't prompt for the passphrase and will fail to sign. A workaround is to add the following to your .bashrc:

export GPG_TTY=$(tty)

You can test that the key is working (it should ask for your passphrase):

$ echo "test" | gpg --clearsign
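As an added example (not part of the original guide), the following POSIX shell script parses a `gpg --list-secret-keys --keyid-format=long` listing to pull out the signing key ID and the UID email, checks that the email matches Git's user.email (GitHub only marks a commit as verified when the committer email matches a verified address or the noreply alias on the account), and, when run with --live on a machine where gpg and git are installed, performs the same checks against the real configuration plus a clearsign test. The sample listing is constructed from the output shown above; the function names are my own.

```shell
#!/bin/sh
# Constructed sample: the listing shown earlier on this page.
SAMPLE_LISTING='sec   rsa4096/88E6F4A117EF5574 2024-12-31 [SC]
      04A1FBFFC0ACB0FA7045219F88E6F4A117EF5574
uid                 [ultimate] gitusername (GPG key for Github) <62265998+gitusername@users.noreply.github.com>
ssb   rsa4096/12244FF19EB15687 2024-12-31 [E]'

# signing_key_id LISTING: print the long key ID of the first secret key
# whose capability flags include S (signing); the subkey marked [E] is skipped.
signing_key_id() {
  printf '%s\n' "$1" | awk '$1 == "sec" && $4 ~ /S/ { split($2, a, "/"); print a[2]; exit }'
}

# uid_email LISTING: print the email address of the first uid line.
uid_email() {
  printf '%s\n' "$1" | sed -n 's/^uid.*<\([^>]*\)>.*/\1/p' | head -n 1
}

# check_email_matches LISTING EMAIL: succeed only if the key's UID email
# equals EMAIL (what GitHub compares the committer email against).
check_email_matches() {
  [ "$(uid_email "$1")" = "$2" ]
}

# verify_live_setup: run the checks against the local git and gpg config.
verify_live_setup() {
  key=$(git config --global user.signingkey) || { echo "user.signingkey is not set"; return 1; }
  listing=$(gpg --list-secret-keys --keyid-format=long "$key" 2>/dev/null) \
    || { echo "key $key is not in the secret keyring"; return 1; }
  [ "$(signing_key_id "$listing")" = "$key" ] \
    || { echo "key $key has no signing (S) capability"; return 1; }
  email=$(git config --global user.email)
  check_email_matches "$listing" "$email" \
    || { echo "git user.email ($email) differs from key UID ($(uid_email "$listing"))"; return 1; }
  # Same smoke test as above; fails if the agent cannot obtain the passphrase.
  echo "test" | gpg --clearsign --local-user "$key" >/dev/null \
    || { echo "clearsign test failed (check GPG_TTY and your passphrase)"; return 1; }
  echo "OK: $key signs commits as $email"
}

if [ "${1:-}" = "--live" ]; then verify_live_setup; fi
```

Run it as `sh check-gpg.sh --live` to test your own setup; without the flag it only defines the functions, so it can be sourced from another script.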

Configure GitHub

Still in your shell, export the public GPG key, then copy it:

$ gpg --armor --export <key ID>
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGW4CPABEAC4jpOX/mV2dx0RxaqGM6zHU4/vGXkSKH4QLxAlCSdKQl5lmdJh
WKBUAj2YJxU1ZTqH/j9jh3b54IgRtj1yo3NKLGdqhxs45pRrvARgDweX9SmVDgVw
[...]
-----END PGP PUBLIC KEY BLOCK-----

Copy the full output (including the BEGIN and END lines). Then go to GitHub Settings -> SSH and GPG keys, click New GPG key, paste it and save.

You're done: your next commits will be signed and shown as verified on GitHub.