Since version 2.34 of git, it has been possible to sign commits using SSH key(s).[1] I find this handy, as it lets me manage my version control workflow with just one key type. Here is a minimal example of ~/.gitconfig to set it up (the signingkey points at the public key file; git looks for the matching private key in the SSH agent or next to it):

    [user]
        name = Chetan Kunte
        email = <my email address>
        signingkey = ~/.ssh/<public key filename>.pub
    [commit]
        gpgsign = true # sign commit(s)
    [tag]
        gpgsign = true # sign tag(s)
    [gpg]
        format = ssh  # use SSH key for signing commits
    [gpg "ssh"]
        allowedSignersFile = ~/.ssh/allowed_signers
    [init]
        defaultBranch = master # force of habit
    [core]
        editor = nvim # my preferred editor

To let GitHub know that you will use an SSH key for signing commits, add the SSH public key to Settings → SSH and GPG keys → Signing keys. Copy the public key to the clipboard like so (pbcopy is the macOS clipboard tool):

    pbcopy < ~/.ssh/<public key filename>.pub

To avoid "error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification", add a file ~/.ssh/allowed_signers with the following contents (email, key type, public key):

    <my email address> ssh-ed25519 <public key>

Replace the placeholders (shown in angle brackets above) with the actual information. Test with git show --show-signature. It should show as valid.[2]
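The allowed_signers line is what git verifies a signature against, so it is worth generating it from the public key file rather than retyping it. The following POSIX shell helpers are an added example, not part of the original post: allowed_signer_line builds the entry from an email and a public key line (dropping the key comment and adding namespaces="git", the ssh-keygen allowed-signers option that limits the key to git signatures), and has_signer checks whether a file already lists that key for that identity. The email address and key material in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post). Builds and checks entries for
# ~/.ssh/allowed_signers, the file git reads when verifying SSH signatures.

# allowed_signer_line EMAIL "KEYTYPE BASE64KEY [comment]"
#   Prints: EMAIL namespaces="git" KEYTYPE BASE64KEY
#   The comment field of the .pub file is dropped; namespaces="git" tells
#   ssh-keygen to accept this key only for git signatures, not e.g. sshsig
#   files signed for other purposes.
allowed_signer_line() {
    email="$1"
    keytype=$(printf '%s\n' "$2" | awk '{print $1}')
    key=$(printf '%s\n' "$2" | awk '{print $2}')
    # Key types this script accepts (the ones git/ssh-keygen sign with today).
    case "$keytype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) printf 'unsupported key type: %s\n' "$keytype" >&2; return 1 ;;
    esac
    [ -n "$key" ] || { printf 'missing key material\n' >&2; return 1; }
    printf '%s namespaces="git" %s %s\n' "$email" "$keytype" "$key"
}

# has_signer FILE EMAIL BASE64KEY
#   Returns 0 if FILE has a line whose principal is EMAIL and which carries
#   BASE64KEY in any later field (options such as namespaces= may sit between).
has_signer() {
    awk -v e="$2" -v k="$3" '
        $1 == e { for (i = 2; i <= NF; i++) if ($i == k) found = 1 }
        END { exit !found }' "$1"
}

# Usage (constructed sample key, not a real one):
#   allowed_signer_line chetan@example.com "$(cat ~/.ssh/id_ed25519.pub)" \
#       >> ~/.ssh/allowed_signers
#   has_signer ~/.ssh/allowed_signers chetan@example.com AAAAC3...
```

After appending the line, git verify-commit HEAD (or git show --show-signature) reports the signature as good only if the committer email matches the principal in this file, so the email here must equal user.email in ~/.gitconfig.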

[1] Previously this required a GPG key plus a key-management toolchain.

[2] Refer to the GitHub Docs, which cover both GPG and SSH commit signature verification.