Andreas Heigl <andreas@heigl.org> writes:
On 04.11.16 at 20:15, Russ Allbery wrote:
GitHub will verify the signatures on tags for you if you upload the PGP public key used to sign the tags to GitHub, and show the signature as verified in their UI. (Of course, that assumes you trust GitHub to do that verification.)
It's a feature from git itself, not GitHub. https://git-scm.com/book/uz/v2/Git-Tools-Signing-Your-Work
It is based on GPG keys, so there's no central trusted instance, which can be a benefit or a curse depending on how you look at it.
You and I are talking about different things. I'm talking about the green "Verified" text on, for example: https://github.com/rra/remctl/tags

-- 
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>