Devs, I saw GitHub rolled out a new feature to verify GPG-signed commits and tags in the UI [1]. If release managers upload their GPG public keys to their profile in GitHub[2], it shows up as "Verified", which is pretty cool [3].
[1]: https://github.com/blog/2144-gpg-signature-verification [2]: https://github.com/settings/keys [3]: https://github.com/apache/accumulo/tags
