One of the underestimated features of git is the ability to sign each commit and tag using a GPG key; an introduction to how it is done can be read in the git documentation. Unfortunately I don’t see this feature being used much when looking at various projects on GitHub, but I would really love it if it became modus operandi among developers to have a key pair and just pass “-S” when committing (git commit -S) or “-s” when setting a tag (git tag -s).
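To make the two flags concrete, here is an added example (not part of the original post) that creates a throwaway repository and an ephemeral GPG key, signs one commit with `-S` and one tag with `-s`, and then checks both with `git verify-commit` and `git verify-tag`. It also shows the failure mode that matters: an unsigned commit does not verify. The identity `Example Dev <dev@example.invalid>` and the tag name `v1.0` are constructed for the demo; the script assumes `git` and a GnuPG 2.1+ `gpg` on `PATH` and returns status 2 if either is missing.

```shell
#!/bin/sh
# Added example, not from the original post: sign a commit and a tag in an
# isolated repository with an ephemeral key, then verify both signatures.
set -eu

# Both tools are assumptions of this demo; report 2 (skip) when they are absent.
have_tools() {
  command -v git >/dev/null 2>&1 && command -v gpg >/dev/null 2>&1
}

# Runs entirely under $1 (a scratch directory). Returns 0 when:
#   - the commit made with -S and the tag made with -s both verify, and
#   - a commit made without -S is rejected by git verify-commit.
demo_signing() {
  work="$1"
  export GNUPGHOME="$work/gnupg"     # private keyring, nothing touches ~/.gnupg
  mkdir -p "$GNUPGHOME"
  chmod 700 "$GNUPGHOME"

  # Constructed identity; empty passphrase so the run is non-interactive.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Example Dev <dev@example.invalid>' default default never 2>/dev/null

  # Field 5 of the "sec" record is the long key ID.
  keyid=$(gpg --batch --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}')

  repo="$work/repo"
  git init -q "$repo"
  cd "$repo"
  git config user.name 'Example Dev'
  git config user.email 'dev@example.invalid'
  git config user.signingkey "$keyid"   # the key git passes to gpg with -u
  git config gpg.program gpg

  echo 'hello' > README
  git add README
  git commit -q -S -m 'signed commit'   # -S signs the commit object
  git tag -s v1.0 -m 'signed tag'       # -s creates a signed (annotated) tag

  git verify-commit HEAD 2>/dev/null || return 1
  git verify-tag v1.0 2>/dev/null || return 1

  # The failure mode: a plain commit carries no signature to verify.
  echo 'more' >> README
  git commit -q -a -m 'unsigned commit'
  if git verify-commit HEAD 2>/dev/null; then
    return 1
  fi

  gpgconf --kill gpg-agent 2>/dev/null || true   # tidy up the agent for this keyring
  return 0
}

# Entry point: 0 = all checks passed, 1 = a check failed, 2 = tools missing.
run_demo() {
  have_tools || return 2
  tmp=$(mktemp -d)
  rc=0
  ( demo_signing "$tmp" ) || rc=$?
  GNUPGHOME="$tmp/gnupg" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$tmp"
  return $rc
}
```

Running `run_demo` on a machine with both tools exercises exactly the workflow the post argues for: `git verify-commit` and `git verify-tag` are what a hosting platform would have to run (against an uploaded public key) to show the green icon proposed below.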
I think that GitHub could help here by pushing for the usage of this feature and allowing users to upload their public key(s) in the account settings. When someone (user A) views a signed commit (from user B) on GitHub (for instance here) it would be really neat if the signature was verified against the public key user B has uploaded. If user B’s public key has been signed by user A, I would propose a green icon or similar to display that it is a trusted signature. If user B’s key is not signed by user A, perhaps a more neutral colour would be more appropriate (orange? I dunno, I’m not a graphics expert). Of course signed tags should be treated the same way, and I would expect an icon somewhere on this page for example.
As a bonus, when users upload their public keys to their GitHub pages, other people can easily find them for the purpose of sending encrypted emails. I haven’t seen figures on how many people actually sign/encrypt their mails, but I am quite sure it is very low. Considering how unsafe email is and how many people rely on the technology, I for one think OpenPGP deserves greater usage. Just adding the feature above would at least raise awareness, and hopefully more people would join in and start signing and encrypting their mails.
Lastly, I would also like GitHub to implement the possibility of encrypting all outgoing mails, like notifications from watched repositories etc., in the same way as Facebook has done.