Somebody please explain to me: What's the point in signing on github when I can set the key on github itself (e.g. account gets compromised)? A simple flag (on github's server) showing that my email on the commit is the same as on the account would also do the job. What if my key is compromised and I set a new one on github? What happens with my old signed commits?
Another question: Most of us are not airplane mechanics who need to sign all of our work. Why would you give up deniability of doing something (with your signed key) without thinking about the consequences? I'm thinking of legal cases here (hey, you signed your commit!).
Github can't verify you actually committed a change unless it's signed. You can set whatever email address you want on any commit.
They could verify who pushed it to github, since that action is authenticated, but restricting pushing other people's commits would break many workflows (e.g., a bot pushing from a local git server, a reviewer pushing code sent to a mailing list, or resolving conflicts in a merge locally).
You can also verify the GPG key independently of Github. Perhaps your CI system could verify all commits it builds are signed, and your deployment system could too. There's no need to use Github as the authoritative source for that sort of thing.
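The CI-side check the reply describes, as an added example (not code from either commenter): it parses `git log --format='%H %G? %GF'` output and rejects any commit that is unsigned, has a bad or uncheckable signature, or was signed by a key whose fingerprint is not pinned in the repository's own allow-list. The fingerprints and the sample log lines are constructed placeholders.

```python
"""Gate a CI job on commit signatures, independently of GitHub's badge.

Feed `git log --format='%H %G? %GF' base..head` into check_log(): %G? is
git's signature status, %GF the signing key's fingerprint.  Only keys
pinned in TRUSTED_FINGERPRINTS pass, so a key someone adds to a
compromised GitHub account changes nothing here.
"""
import subprocess

# Constructed placeholder fingerprints; pin the team's real ones here.
TRUSTED_FINGERPRINTS = {"A" * 40, "B" * 40}

# git's %G? codes.  "G" is a good signature from a key gpg fully trusts;
# "U" is a good signature whose key has no ownertrust set.  Because the
# trust decision is the fingerprint pin above, both are acceptable.
ACCEPTED_STATUS = {"G", "U"}
REJECT_REASON = {"B": "bad signature", "X": "signature expired",
                 "Y": "signing key expired", "R": "signing key revoked",
                 "E": "signature cannot be checked (key not in keyring?)",
                 "N": "no signature"}

def check_log(lines):
    """Return [(sha, reason)] for each commit that violates the policy."""
    failures = []
    for line in lines:
        fields = line.split()          # unsigned commits have no %GF field
        if not fields:
            continue
        sha, status = fields[0], fields[1]
        fingerprint = fields[2] if len(fields) > 2 else ""
        if status not in ACCEPTED_STATUS:
            failures.append((sha, REJECT_REASON.get(status, "status " + status)))
        elif fingerprint not in TRUSTED_FINGERPRINTS:
            failures.append((sha, "signed by unpinned key " + fingerprint))
    return failures

def check_range(rev_range):
    """Run git for a real revision range, e.g. 'origin/main..HEAD'."""
    out = subprocess.run(
        ["git", "log", "--format=%H %G? %GF", rev_range],
        check=True, capture_output=True, text=True).stdout
    return check_log(out.splitlines())

# Constructed sample of what the git command prints (not real commits).
SAMPLE_LOG = [
    "1" * 40 + " G " + "A" * 40,   # good signature, pinned key
    "2" * 40 + " U " + "B" * 40,   # good signature, pinned key, no ownertrust
    "3" * 40 + " N",               # unsigned
    "4" * 40 + " G " + "C" * 40,   # valid signature, but key is not pinned
    "5" * 40 + " E",               # signing key absent from the CI keyring
]
```

In a pipeline, call `check_range("origin/main..HEAD")` and fail the job if the returned list is non-empty; the keyring gpg consults must be provisioned by CI, not fetched from GitHub.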