Create a new key pair
First, download GPG Suite to create and store your GPG key passphrase (you don't need this app to generate a new key pair, but it makes your life easier -- maybe).
Open GPG Keychain and click New on the top to create a new key pair.
Fill out the form and press Create Key to generate one.

Now right click on your newly created key pair and click Copy.

We'll use this copied key to add a new GPG key on GitHub.
Adding a new GPG key
Navigate to your GitHub account -> Settings -> Access -> SSH and GPG keys and click New GPG Key at the bottom.

Now paste your key here and click Add GPG Key and you're ready to go.
Signing commits
Use the -S flag when committing changes:
$ git commit -S -m "signing commits :)"
If you get a "passphrase is unmatched" error, you need to tell git which GPG key you're using.
If the commit succeeds, push your commits.
$ git push
Then check your commits in the GitHub repo and you'll see a Verified label next to your commit.

If it says Unverified, make sure you've added the right GPG key in your settings.
Tips
If you want every commit to be signed by default, set commit.gpgsign to true:
# local
$ git config commit.gpgsign true

# global
$ git config --global commit.gpgsign true
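The steps above as one script, added here as an example that is not part of the original post: it tells git which key to use with user.signingkey (the fix for the error mentioned under Signing commits), turns on commit.gpgsign, and checks the signature locally before anything is pushed. The throwaway key, the demo identity and the temporary directories are constructed for the example; it assumes gpg 2.1 or later and git are installed.

```shell
#!/bin/sh
# Added example: sign with an explicitly selected key and verify locally.
# The identity, the throwaway key and the temp dirs are constructed for the demo.

# Prints git's signature status for a signed and an unsigned commit, e.g. "G N"
# (%G? letters: G = good signature, N = no signature, B = bad, E = cannot check).
signing_demo() (
    set -e
    work=$(mktemp -d)
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$work"' EXIT

    # Isolated keyring, so the real ~/.gnupg is never touched.
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # Throwaway key with an empty passphrase (demo only; protect real keys).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Demo Signer <demo@example.invalid>" \
        default default never >/dev/null

    # Full fingerprint of the first secret key (field 10 of the "fpr" record).
    fpr=$(gpg --batch --with-colons --list-secret-keys |
          awk -F: '$1 == "fpr" { print $10; exit }')

    git init -q "$work/repo"
    cd "$work/repo"
    git config user.name  "Demo Signer"
    git config user.email "demo@example.invalid"
    git config user.signingkey "$fpr"   # tell git which GPG key to use
    git config commit.gpgsign true      # sign every commit, no -S needed

    git commit -q --allow-empty -m "signed by default"
    signed=$(git log -1 --format=%G?)

    # Opt out for one commit to see what an unsigned commit looks like.
    git commit -q --allow-empty --no-gpg-sign -m "explicitly unsigned"
    unsigned=$(git log -1 --format=%G?)

    echo "$signed $unsigned"
)

# Run the demo when called as: sh signing_demo.sh run
if [ "${1:-}" = run ]; then signing_demo; fi
```

On your own machine, `gpg --list-secret-keys --keyid-format=long` shows the key to pass to user.signingkey, and `git log --show-signature -1` prints the full verification output for the last commit.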