GitbookIO / github-api-signature

Node.js signature generator for GitHub API using a PGP key

GitHub commits not verified despite matching GPG Key ID

iamtmrobinson opened this issue · comments

On the command line I generated a new key pair using the generateKeyPair function from this package, providing a name and email of my GitHub account and a random passphrase. I took the public part of the generated key pair and put it in my GitHub account on the keys page. I took the private key and provided it to the snippet of code below.

The request to create the commit returns successfully as does the programmatic creation of the PR, but when I visit the commits page of the PR there is a box saying 'Unverified' with the message "The signature in this commit could not be verified. Someone may be trying to trick you."

I compared the GPG key ID it provides me on this page with those listed in my GitHub keys page and it matches. Do you know why it shows my commit as unverified?

I also tried verifying the commit via the command line with git verify-commit [HASH], which returned: gpg: BAD signature from "Name <email>" [unknown]

// Imports assumed from context (the issue snippet omits them): the package under
// discussion and the HTTP client used below (got v9-style options: body + json: true).
import * as githubApiSignature from 'github-api-signature';
import got from 'got';

// commitMessage, tree and branch are not shown in the issue; tree.data.sha and
// branch.data.object.sha come from earlier Git Data API responses (ambient
// declarations added here so the snippet type-checks on its own).
declare const commitMessage: string;
declare const tree: { data: { sha: string } };
declare const branch: { data: { object: { sha: string } } };

const privateKey = '[GENERATED PRIVATE KEY]';          // armored private key from generateKeyPair
const passphrase = '[RANDOM PASSPHRASE FROM EARLIER]'; // passphrase chosen at key generation

// Author identity must match the name/email on the key and on the GitHub account.
const author = {
  name: '[NAME THAT MATCHES GITHUB]',
  email: '[EMAIL THAT MATCHES GITHUB]',
  date: new Date().toISOString(),
};

// CommitPayload is the commit object shape createSignature expects (type import not shown).
// Per the resolution below: the message signed and the message sent must be byte-for-byte
// identical; a trailing '\n' that createSignature trimmed but this body kept produced BAD signature.
const commitPayload: CommitPayload = {
  message: commitMessage,
  author,
  committer: { ...author },
  tree: tree.data.sha,                 // SHA of the tree created earlier via the API
  parents: [branch.data.object.sha],   // SHA of the current branch head
};

// Detached PGP signature over the git commit object built from commitPayload.
const signature = await githubApiSignature.createSignature(
  commitPayload,
  privateKey,
  passphrase,
);

// Create the commit through the Git Data API, attaching the signature field.
const result = await got(
  `[GITHUB API URL]/repos/[USERNAME]/[REPO_NAME]/git/commits`,
  {
    protocol: 'https:',
    method: 'POST',
    body: {
      ...commitPayload,
      signature,
    },
    json: true,
  },
);

This was caused by a trailing \n in my commit message that was trimmed when the signature was created but not by me when sending the message to GitHub.