Tags: git, github, gnupg, openpgp

How to deploy OpenPGP keys for multiple developers signing git commits?


Is there a way to set up git so that multiple users can use the same deploy key to a repository, but still have their commits tagged under their usernames? I'm asking because our company needs to be able to track exactly who makes changes to our repositories, but it'd be preferable to have them all be able to use the same deployment key to send those changes out to the remote on GitHub. Is this possible to do?

My understanding thus far is that it could be possible, since they'd use 1 deploy key for authenticating what changes they push, but each user would have a separate signing key to identify the changes those specific users make. Is this correct?


Solution

  • You could create individual signing subkeys for each developer, and use those to track down who signed a commit. To do so, run gpg --edit-key [key-id] and run addkey for each user, selecting the "signing" capability only (you will have issues with more than one encryption subkey). Export those subkeys one by one through gpg --export-secret-subkeys (and remember to postfix with !, otherwise GnuPG will resolve the subkey to a primary key), for example gpg --export-secret-subkeys [subkey-id]!. The developers will have to gpg --import their individual signing subkeys. All signatures issued by all of those subkeys will be linked to and displayed as issued by the primary key, but can be tracked down to the subkey used.

    But be aware you cannot link OpenPGP user IDs and subkeys with tools provided by the OpenPGP standard or GnuPG. If you only need to be able to rarely connect a signature to a given developer, you can of course look it up manually (by keeping a record of which developer has access to which private subkey); for example if you have to track down malicious code or similar incidents.

    The OpenPGP way to do this would be to have a company key and individual developer (primary) keys, which are certified by the company key. I don't think that GitHub is able to follow certification paths, though; if the "signature checked" mark on GitHub is important, you'll also have to register each of the developers' keys individually.
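The subkey scheme from the answer above, carried through end to end as an added example (this is not code from the original post, nor from GnuPG or GitHub): a company primary key, one signing-only subkey per developer, export of each subkey alone with the trailing `!`, and the "record of who holds which subkey" used to map a verified signature back to a developer. It assumes GnuPG 2.1 or later (for `--quick-generate-key`, `--quick-add-key` and `--pinentry-mode loopback`) and git on PATH; the key user ID, e-mail addresses, developer names and the register file format are all constructed for the demo, and everything runs in throwaway directories so no real keyring or repository is touched.

```shell
#!/bin/sh
# Added example, not part of the original Q&A. Assumes GnuPG 2.1+ and git.
# Key user IDs, e-mail addresses and developer names are constructed.

# Non-interactive gpg; the empty passphrase is acceptable only for demo keys.
gpg_q() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Fingerprint of the primary key matching a user ID (first "fpr" record).
primary_fpr() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr" {print $10; exit}'
}

# Fingerprint of the most recently added subkey: the "fpr" record that
# follows the last "sub" record in the colon-separated listing.
last_subkey_fpr() {
    gpg --batch --with-colons --list-keys "$1" |
        awk -F: '$1=="sub" {want=1; next} $1=="fpr" && want {fpr=$10; want=0} END {print fpr}'
}

# Look a subkey fingerprint up in the register ("<fingerprint> <developer>" per line).
owner_of_subkey() {
    awk -v f="$2" '$1==f {print $2; found=1} END {exit !found}' "$1"
}

# The workflow itself; prints the developer name recovered from the signature.
run_demo() {
    work=$1
    mkdir -p "$work/company" "$work/alice" "$work/repo"
    chmod 700 "$work/company" "$work/alice"
    register="$work/subkey-owners.txt"

    # 1. Company keyring: certify-only primary, then a signing-only subkey per developer.
    export GNUPGHOME="$work/company"
    gpg_q --quick-generate-key "Example Corp Commit Signing <signing@example.com>" ed25519 cert never || return 1
    pk=$(primary_fpr signing@example.com)
    : > "$register"
    for dev in alice bob; do
        gpg_q --quick-add-key "$pk" ed25519 sign never || return 1
        sk=$(last_subkey_fpr "$pk")
        echo "$sk $dev" >> "$register"   # the record of who holds which subkey
        # Export this one subkey only; without "!" gpg resolves to the primary key.
        gpg_q --output "$work/$dev-signing.gpg" --export-secret-subkeys "${sk}!" || return 1
    done
    gpgconf --kill gpg-agent

    # 2. Alice imports her subkey into her own keyring and signs a commit with it.
    export GNUPGHOME="$work/alice"
    gpg_q --import "$work/alice-signing.gpg" || return 1
    alice_sk=$(awk '$2=="alice" {print $1}' "$register")
    git -C "$work/repo" init -q || return 1
    git -C "$work/repo" -c user.name=Alice -c user.email=alice@example.com \
        -c user.signingkey="${alice_sk}!" commit -q --allow-empty -S -m "signed by alice" || return 1

    # 3. Verification. Human-readable output attributes the signature to the
    #    primary key; the raw status output's VALIDSIG line carries the
    #    fingerprint of the subkey that actually signed (field 3) and the
    #    primary key's fingerprint (last field).
    sig_fpr=$(git -C "$work/repo" verify-commit --raw HEAD 2>&1 | awk '$2=="VALIDSIG" {print $3; exit}')
    gpgconf --kill gpg-agent
    owner_of_subkey "$register" "$sig_fpr"
}

# Entry point: prints "alice" on success, "SKIPPED" when gpg or git is missing.
demo() {
    if ! command -v gpg >/dev/null 2>&1 || ! command -v git >/dev/null 2>&1; then
        echo SKIPPED; return 0
    fi
    work=$(mktemp -d) || return 1
    out=$(run_demo "$work"); status=$?
    rm -rf "$work"
    [ "$status" -eq 0 ] || return 1
    echo "$out"
}
```

Run `demo` to see the name of the developer whose subkey made the signature. The register file is the manual bookkeeping the answer refers to: the subkey fingerprint printed in the `VALIDSIG` status line is the only thing that distinguishes one developer's signature from another's, since every listing and GitHub's "verified" badge show the primary key. Keep that file under access control and update it whenever a subkey is issued or revoked, otherwise the mapping silently goes stale.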