I used the GPG key to sign my Git commit. This is because it’s beneficial to show my commit’s identity and authenticity publicly. The signed commit, appropriately associated with the email registered in GitHub, will get the verified mark in the UI.
But you can use the SSH key to sign the commit alternatively. It’s a better and easier way because most GitHub users already should register their SSH keys to push the code to GitHub. Therefore, we do not need to prepare another key only for signing the Git commit.
First, you tell Git to use the SSH key to sign commits and tags as a default way.
$ git config --global commit.gpgsign true
$ git config --global gpg.format ssh
Second, tet the location of the public key you are using.
$ git config --global user.signingkey /PATH/TO/.SSH/KEY.PUB
At last, please make sure to register this key as a Signing keys
found in the settings. I thought registering the key in Authentication keys
would be enough, but it did not work. Check the Signing keys
section in your GitHub account’s SSH and GPG keys setting.
That’s it. You will see your commit is appropriately verified when you submit some patches into GitHub next time.
See the official document for more detail.
To learn more about the general mechanism and usage of Git, this book will be helpful.