When you're working on open source projects, they sometimes ask you to sign your commits.
That's the common way to confirm that you agree with the software license and development rules (the sign-off usually certifies the Developer Certificate of Origin), and a cryptographic signature additionally proves that the commit really came from the holder of a particular key.
There are two different ways to do this: by adding a trailer to the commit message, or by signing the commit with a key.
Commit message signing - plain
This is the simplest way, and is accepted by many open source projects.
When you commit, add the --signoff option to the git command:
git commit -a -m "added unit test" --signoff
This automatically appends a "Signed-off-by: Your Name <your.mail@yourprovider.com>" trailer, taken from your git user.name and user.email settings. The result (e.g. on GitHub) will look like this:
(the green check on the right doesn't mean this is a verified commit; it is not related to the sign-off. Note that a sign-off is just a line of text that anyone can type, so it proves nothing cryptographically.)
Commit message signing - with a Certificate
With this process, you prove that the commit was made by the holder of a private key by signing the commit with that key.
Create a PGP key
First make sure that you have a signing key. It's not hard to generate one.
I'm using the GIT bash on a Windows 10 PC to launch the commands.
Maybe you already have a key. Check with:
gpg --list-keys
If you don't have one, you'll see output like this:
But if you have one, you can reuse it. Check that it hasn't expired (the listing shows the expiry date next to each key):
If you don't have an existing key, here's how you create one. Use the same name and email address that you configured in git (user.name and user.email), because both GitHub and git match the key on that email:
gpg --gen-key
Register your public key on GitHub
This is an optional step. It makes GitHub put the "Verified" badge next to your signed commits. The email address in the key's user ID must be one of the verified email addresses of your GitHub account, otherwise the commit is shown as unverified even though the signature is valid.
Get your public key content into a text file:
gpg --output public.pgp --armor --export your.mail@yourprovider.com
Then navigate to your online GitHub profile, Settings, SSH and GPG keys:
Add a New GPG key, and paste the content of the text file you just created into the field. Save.
Use your key when committing changes
When you commit, add the -S option to the command line. Git uses the key set in user.signingkey, or, if that is not configured, the key whose user ID matches your committer name and email:
git commit -S -a -m "refactored the API"
You can check that the signature is present and valid:
git log --show-signature -1
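The following script is an added example (it is not part of the original post) that runs both procedures from this post end to end: a plain --signoff commit and a -S signed commit, followed by the checks git itself offers. It works in a throwaway repository with a throwaway GPG key in a temporary directory, so it never touches your real ~/.gnupg or git configuration. It needs git and gpg 2.1 or newer on PATH; the "Demo Author" identity is an assumption made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): sign-off versus GPG signature,
# demonstrated in an isolated repo with a throwaway key.
set -e

# Demo identity: an assumption for this example, not a real person.
DEMO_NAME="Demo Author"
DEMO_EMAIL="demo.author@example.com"

# Create an isolated repo and GPG keyring; exports DEMO_DIR and DEMO_REPO.
demo_setup() {
    DEMO_DIR=$(mktemp -d)
    DEMO_REPO="$DEMO_DIR/repo"
    export DEMO_DIR DEMO_REPO
    export GNUPGHOME="$DEMO_DIR/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # Non-interactive key creation. An empty passphrase is acceptable only
    # because this key lives in a temp dir and is discarded afterwards.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$DEMO_NAME <$DEMO_EMAIL>" default default never

    # Fingerprint of the primary key, used as git's user.signingkey.
    fpr=$(gpg --batch --with-colons --list-secret-keys "$DEMO_EMAIL" \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    git init -q "$DEMO_REPO"
    git -C "$DEMO_REPO" config user.name "$DEMO_NAME"
    git -C "$DEMO_REPO" config user.email "$DEMO_EMAIL"
    git -C "$DEMO_REPO" config user.signingkey "$fpr"
}

# Plain sign-off: git only appends a "Signed-off-by:" trailer. Prints the hash.
commit_signed_off() {
    echo "first" > "$DEMO_REPO/a.txt"
    git -C "$DEMO_REPO" add a.txt
    git -C "$DEMO_REPO" commit -q --signoff -m "added unit test"
    git -C "$DEMO_REPO" rev-parse HEAD
}

# GPG-signed commit (-S): a signature over the commit object. Prints the hash.
commit_gpg_signed() {
    echo "second" > "$DEMO_REPO/b.txt"
    git -C "$DEMO_REPO" add b.txt
    git -C "$DEMO_REPO" commit -q -S -m "refactored the API"
    git -C "$DEMO_REPO" rev-parse HEAD
}

# "yes" if the commit message carries the DCO trailer for our identity.
# This is all a DCO bot checks; it proves nothing cryptographically.
has_signoff_trailer() {
    if git -C "$DEMO_REPO" log -1 --format=%B "$1" \
       | grep -qxF "Signed-off-by: $DEMO_NAME <$DEMO_EMAIL>"; then
        echo yes
    else
        echo no
    fi
}

# Git's own verdict on the signature: G = good, N = no signature, B = bad.
gpg_signature_status() {
    git -C "$DEMO_REPO" log -1 --format=%G? "$1"
}

# Remove the temp dir and the agent that gpg started for it.
demo_cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$DEMO_DIR"
}

demo_setup
DEMO_C1=$(commit_signed_off)
DEMO_C2=$(commit_gpg_signed)
echo "sign-off commit   $DEMO_C1: trailer=$(has_signoff_trailer "$DEMO_C1") signature=$(gpg_signature_status "$DEMO_C1")"
echo "gpg-signed commit $DEMO_C2: trailer=$(has_signoff_trailer "$DEMO_C2") signature=$(gpg_signature_status "$DEMO_C2")"
# The human-readable check from the post, for the signed commit:
git -C "$DEMO_REPO" log --show-signature -1
```

The signed-off commit reports signature status "N" (none) while the -S commit reports "G" (good): that contrast is the whole point of the note above about the sign-off not being a signature. The key generated here is trusted because it was created in this keyring; when a reviewer verifies your real commits, they must have imported your public key first, which is what the GitHub upload step does for GitHub's badge. Run demo_cleanup when you are done to delete the temporary repo and keyring.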
Once you push your changes to the server, GitHub flags them as "Verified":
That's it.