Commits are signed to be able to verify the author of the commit. The ssh key (or username and password) only proves that you are allowed to authenticate against github.
Unsigned commits will be rejected.
git log --show-signature a commit with a signature will look
commit 4e6af36ca6d285033dd532e66469f273c6b64a37 (HEAD -> a-branch, origin/a-branch) gpg: Signature made Tue Mar 27 14:11:45 2018 CEST gpg: using RSA key 0A46826A gpg: Good signature from "John Doe <firstname.lastname@example.org>" [complete] gpg: aka "John Doe <email@example.com>" [complete] Author: John Doe <firstname.lastname@example.org> Date: 20 hours ago Summarize changes in around 50 characters or less ...