Verify GitHub commit signatures

The project's branch policy is configured to necessitate the use of Git signed commits for any merging activities. This policy serves a twofold purpose: firstly, it validates the authenticity of changes and acts as a barrier against unauthorised or malevolent alterations to the codebase.

Secondly, it provides assurance of code integrity by demonstrating that changes have remained unaltered throughout transit and subsequent commits. During the evaluation of pull requests or merge requests, the presence of signed commits also offers a reliable means to confirm that the proposed changes have been authored by authorised contributors, thereby reducing the likelihood of unintentionally accepting unauthorised code.

To use signed commits, developers must generate a GPG (GNU Privacy Guard) key pair, which includes a private key kept secret and a public key that is shared. Commits are then signed using the private key, and others can verify the commits using the corresponding public key.

Generate New GPG Key

Please refer the following link. Please make sure the email you enter in step 8 is your github email account https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key

Adding a GPG Key on Github

• In the upper-right corner, click your profile photo, then click Settings.

• In the "Access" section of the sidebar, click SSH and GPG keys.
• Next to the "GPG keys" header, click New GPG key.
• In the "Title" field, type a name for your GPG key.
• In the "Key" field, paste the GPG key you copied when you generated your GPG key.
• Click Add GPG key.
• To confirm the action, authenticate to your GitHub account.

Further support and information

https://docs.github.com/en/authentication/managing-commit-signature-verification

Signing commits using WSL

1. Generate new gpg key
2. Adding a pgp key to your github account
3. telling git about your signing key
4. Still having problems committing try this?
5. Signing old commits