SSH keys are awesome, but they only prove your identity to the SSH server. When you push to a git repository, you're allowed to push changes from other people, which means anyone with push access to a repository can push commits authored as anyone else. By signing commits, authors prove that the commit was made by them. So if you see unsigned commits in a repository, you can't be sure they were in fact committed by that person.
You need:
- git
- gpg
Steps:
- create a gpg key pair or skip this step if you already have one
- create a new repo or make changes to an existing one
- add the changed files
- commit using the -S flag
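
The steps above as one script, followed by a check of which commits carry a valid signature. This is an added example, not part of the original page; the identity "Alice Example", the passphrase-less throwaway key and the temporary directories are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. The identity, key and directories are constructed for the demo.
# Run it with:  sh sign-demo.sh demo

# sig_status REPO REV: print git's signature code for one commit
# (G = good signature from a trusted key, N = no signature).
sig_status() {
    git -C "$1" log -1 --format='%G?' "$2"
}

# demo_signed_repo DIR: walk the steps inside DIR, using a private keyring
# so the real ~/.gnupg is never touched.
demo_signed_repo() {
    repo="$1/repo"
    export GNUPGHOME="$1/gnupg"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

    # Step 1: create a key pair. The empty passphrase is for this throwaway
    # key only; protect a real key with a passphrase.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Alice Example <alice@example.com>' default default never
    fpr=$(gpg --batch --list-secret-keys --with-colons |
          awk -F: '$1 == "fpr" { print $10; exit }')

    # Step 2: create a repo; author name and e-mail are plain config values.
    git init -q "$repo"
    git -C "$repo" config user.name 'Alice Example'
    git -C "$repo" config user.email 'alice@example.com'
    git -C "$repo" config user.signingkey "$fpr"
    git -C "$repo" config commit.gpgsign false

    # An unsigned commit: nothing ties it to Alice beyond the config above.
    echo one > "$repo/file.txt"
    git -C "$repo" add file.txt
    git -C "$repo" commit -q -m 'unsigned commit'

    # Steps 3 and 4: add the changed file, then commit with -S.
    echo two >> "$repo/file.txt"
    git -C "$repo" add file.txt
    git -C "$repo" commit -q -S -m 'signed commit'
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    demo_signed_repo "$tmp"
    git -C "$tmp/repo" log --format='%h %G? %an: %s'   # signature code per commit
    git -C "$tmp/repo" verify-commit HEAD              # exits 0 only for a valid signature
fi
```

Both commits show the same author name in the log; only the signature code tells them apart.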