Businesses and open source projects alike want to be sure that a commit is from a verified source—whether it’s from a developer across the world or a bot that’s integrated into their workflow.
GitHub has supported GPG signature verification for human-authored commits for a while, but bots like Dependabot are becoming an increasingly important part of our workflows. That changes now—bot commit signing has been enabled for all bots by default.
Commit signing allows a user (or bot) to cryptographically vouch for the integrity of the commit, and that they authored it. If a commit or tag has a GPG or S/MIME signature that is cryptographically verifiable, GitHub marks the commit or tag as verified with a big green checkmark ✓.