Recently, while working with an open source project, I found that one of the contributors' key/access to GitHub had been compromised. You can't imagine how tedious and hasty differentiating the unauthorized commits was. Since then, every contributor to the project has enabled GPG key verification on their account. This helped to monitor unauthorized commits to the repositories. Here's how everyone configured GPG key verification for their commits.
Mac users can download GPG Suite and install it. It has a nice UI with which you can generate a GPG key, or you can follow the commands below to generate and export the GPG keys.
Generate GPG key