Github now natively supports verifying signed commits, so uhh... why not?
After some experimenting, I signed a commit for a blog entry pretty easily because I've already used Keybase to put my GPG key on the machine I do my authoring on - unfortunately it didn't like my email address (which is email@example.com in the key):
$ git commit -S -m 'Fix typos'
gpg: skipped "James Fraser <firstname.lastname@example.org>": secret key not available
gpg: signing failed: secret key not available
error: gpg failed to sign the data
fatal: failed to write commit object
It turns out that's rather easy to fix, if you consult the GPG documentation:
$ gpg --edit-key <keyID> adduid
You simply fill out the form, type "O" for "Okay", and then "save" at the gpg> prompt (or answer yes when gpg asks whether to save on quit) and it updates your keyring (passphrase required, naturally). The new user ID has to carry the exact email address git puts in the committer line, because that is the string git hands to gpg to pick the signing key. Then committing with the -S argument works as expected, and I pushed it to Github.
It shows as "unverified", because they don't have my public key, so I copied and pasted that from Keybase, and it's still unverified... of course, because Keybase doesn't have the copy of my key with my email in it - so just export that from GPG:
$ gpg --armor --export 'James Fraser'
Paste the output into Github (after deleting the key, because as far as Github is concerned they're duplicates even though they're different) and it shows up as verified. Finally, as mentioned in the Github article about it, I can turn on signing by default, which only suffers from the minor inconvenience of needing my GPG passphrase every time I commit:
$ git config --global commit.gpgsign true
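Here is the whole sequence above run end to end against a throwaway key and repository, so the failure and the fix can be reproduced without touching your real keyring. This is an added example, not code from the original post; the names, email addresses and temp paths are assumptions, and the key has no passphrase purely so nothing prompts.

```sh
#!/bin/sh
# Added example, not from the original post: reproduce the "secret key not
# available" failure in a throwaway GNUPGHOME and git repo, fix it by adding a
# UID that matches git's user.email, sign again, verify, and export the key.
# Names, e-mail addresses and temp paths below are assumptions for the demo.
set -eu

# Prints the steps reached, space separated: "fail-before sign-after verified".
# Prints "skipped" when gpg or git is not installed.
demo_signed_commit() {
    if ! command -v gpg >/dev/null 2>&1 || ! command -v git >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    work=$(mktemp -d)
    export HOME="$work"                    # hide any real ~/.gitconfig (e.g. user.signingkey)
    export XDG_CONFIG_HOME="$work/xdg"     # ...and ~/.config/git/config
    export GIT_CONFIG_NOSYSTEM=1
    export GNUPGHOME="$work/gnupg"         # isolated keyring, never touches the real one
    mkdir -m 700 "$GNUPGHOME"

    # Throwaway signing key whose only UID is author@example.com; empty passphrase.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Author <author@example.com>' ed25519 sign never 2>/dev/null
    fpr=$(gpg --batch --with-colons --list-secret-keys \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    repo="$work/repo"
    git init -q "$repo"
    git -C "$repo" config user.name  'Demo Author'
    git -C "$repo" config user.email 'blog@example.org'   # not on the key yet
    git -C "$repo" config commit.gpgsign true              # the post's final step

    # git passes "Demo Author <blog@example.org>" to gpg -u; no UID matches it,
    # so gpg reports "secret key not available" and git refuses to commit.
    if git -C "$repo" commit -q --allow-empty -m 'first try' >/dev/null 2>&1; then
        result='unexpected-sign'
    else
        result='fail-before'
    fi

    # The fix: a second UID on the existing key that matches git's user.email
    # (non-interactive equivalent of "gpg --edit-key <keyID> adduid" + save).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-uid "$fpr" 'Demo Author <blog@example.org>'

    git -C "$repo" commit -q --allow-empty -m 'Fix typos' && result="$result sign-after"
    git -C "$repo" verify-commit HEAD >/dev/null 2>&1 && result="$result verified"

    # What gets pasted into GitHub: the key exported *after* adduid, so the
    # new UID is part of it (the older copy on Keybase would not carry it).
    gpg --batch --armor --export "$fpr" > "$work/pubkey.asc"

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "$result"
}

demo_signed_commit
```

Two things worth knowing once this is in daily use: gpg-agent caches the passphrase for a while after the first use, so with commit.gpgsign on you are not actually typing it for every commit; and setting git's user.signingkey to the key's fingerprint would also make the local signing step succeed without a new UID, but GitHub still only shows "Verified" when the committer email matches a UID on the uploaded key and is a verified address on your account, so adding the UID is the fix that gets you all the way.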