For data collection projects we contribute code to, it’s in our best interest to verify the identity of contributors linked to us. The goal is to prevent situations like this totally plausible horror story, where Mike Gerwitz discovered a back door created by his account that he didn’t remember making.
We realize signing Git commits using GPG isn’t a requirement in most projects. It is, however, a nice-to-have feature, especially when it is important to have your identity as the committer verified and you want to prevent an impersonator from going undetected when they submit a commit as you.
Here are instructions on how to set up GPG signing on OS X. Those of us who are Linux users should be able to follow along easily.