My understanding is:
Entering a key passphrase each time is going to be annoying without providing benefit over just signing some git tag.
Leaving the key unlocked in an agent is going to be somewhat less secure than requiring the key to be unlocked on every use.
> github displays a little widget showing that the commits are signed, but beyond that I don't think it cares which public key they were signed with, so it's not really helping anything.
As I understand it, "verified" means it's either a commit made on GitHub's website with that user signed in, or the commit was signed with one of the keys associated with that user's profile.
I guess for the case of "I only trust commits signed by a certain key", you'd need to use a different GitHub profile.
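Added example, not from anyone in this thread: a small Python check for the "I only trust commits signed by a certain key" case that pins trusted key fingerprints locally instead of relying on the GitHub badge. It consumes the output of `git log --format='%H%x09%G?%x09%GF' <range>`; the commit hashes and fingerprints in the sample are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# git's %G? status letters (see git-log(1)); only "G" is a good, trusted signature
GOOD = "G"
STATUS_TEXT = {
    "G": "good signature",
    "U": "good signature, key not trusted in local keyring",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "B": "bad signature",
    "E": "signature could not be checked (missing key?)",
    "N": "no signature",
}

@dataclass
class Verdict:
    commit: str
    ok: bool
    reason: str

def check_commits(log_output: str, trusted: set[str]) -> list[Verdict]:
    """One Verdict per commit: ok only if status is G AND the fingerprint is pinned."""
    verdicts = []
    for line in log_output.splitlines():
        if not line.strip():
            continue
        commit, status, fingerprint = (line.split("\t") + ["", ""])[:3]
        fingerprint = fingerprint.upper().replace(" ", "")  # normalise gpg output
        if status != GOOD:
            verdicts.append(Verdict(commit, False, STATUS_TEXT.get(status, f"unknown status {status!r}")))
        elif fingerprint not in trusted:
            verdicts.append(Verdict(commit, False, f"signed by untrusted key {fingerprint}"))
        else:
            verdicts.append(Verdict(commit, True, f"signed by trusted key {fingerprint}"))
    return verdicts

def all_trusted(log_output: str, trusted: set[str]) -> bool:
    return all(v.ok for v in check_commits(log_output, trusted))

# Constructed sample log: hashes and fingerprints are made up for illustration.
SAMPLE_LOG = "\n".join([
    "a1b2c3\tG\tAAAA1111BBBB2222CCCC3333DDDD4444EEEE5555",  # pinned key
    "d4e5f6\tG\t9999888877776666555544443333222211110000",  # valid, but some other key
    "0a0b0c\tU\tAAAA1111BBBB2222CCCC3333DDDD4444EEEE5555",  # good sig, key untrusted locally
    "ffeedd\tN\t",                                          # unsigned
])
TRUSTED = {"AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"}

if __name__ == "__main__":
    for v in check_commits(SAMPLE_LOG, TRUSTED):
        print("OK  " if v.ok else "FAIL", v.commit, v.reason)
```

The second sample line is the case the thread describes: a signature GitHub would show as "Verified" if that key were on the author's profile, which this check still rejects.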