My GPG signatures are stored in the git commits themselves, and have nothing to do with GitHub. Anyone can validate them with git-verify-commit(1). They are there to communicate "if you trust my GPG key, you can be certain I made these commits". There is no argument to be made that the signature makes any claim about past or future commits, either.

What a confusing article.
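An added example, not part of the comment above: a minimal Python sketch of where the signature lives in a raw commit object (the text `git cat-file commit <id>` prints) and which bytes it covers. The sample commit, its hashes, identity and signature body are constructed placeholders, and `split_signed_commit` is a hypothetical helper name.

```python
# Constructed sample of a raw commit object; every value is a placeholder.
SAMPLE_COMMIT = (
    "tree 1111111111111111111111111111111111111111\n"
    "parent 2222222222222222222222222222222222222222\n"
    "author Example Dev <dev@example.com> 1700000000 +0000\n"
    "committer Example Dev <dev@example.com> 1700000000 +0000\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"
    " PLACEHOLDERSIGNATUREDATA\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "Fix typo in README\n"
)


def split_signed_commit(raw):
    """Return (signature, payload) for a raw commit object.

    signature is the armored block carried in the gpgsig header, or None
    if the commit is unsigned. payload is the commit with that header
    removed, which is the data the signature is computed over: this one
    commit's tree, parents, author, committer and message.
    """
    head, sep, message = raw.partition("\n\n")
    kept, sig_lines, in_sig = [], [], False
    for line in head.split("\n"):
        if line.startswith("gpgsig "):
            in_sig = True
            sig_lines.append(line[len("gpgsig "):])
        elif in_sig and line.startswith(" "):
            # Continuation lines of a multi-line header start with one space.
            sig_lines.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    signature = "\n".join(sig_lines) + "\n" if sig_lines else None
    return signature, "\n".join(kept) + sep + message


if __name__ == "__main__":
    sig, payload = split_signed_commit(SAMPLE_COMMIT)
    print(sig)
    print(payload)
```

The signature travels inside the commit object, so it is present in every clone regardless of where the repository is hosted.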