7

I added my gpg subkey to GitHub today and noticed that regardless of which subkey I export, the PUBLIC KEY BLOCK is the same. I have since found this post, that explains why: is-it-possible-to-export-a-gpg-subkeys-public-component?

In adding this public key block to github, it has now recognised my public key, and lists both my encryption and signing subkeys under my account.

My question then, is how do I know which key github is using for signing, since my public key has usage SC, and my signing key has usage S?

Improve this question

1 Answer 1

Reset to default
6

Github is not signing your commits at all -- all it does is verifying signatures. In fact, git is doing the signing work on your computer, relying on GnuPG for the cryptographic operations. GnuPG again will generally use the newest non-revoked key with signing capabilities unless you enforce something else, which will usually be your subkey.

When verifying commits or tags through git verify-[commit|tag], GnuPG will print the key ID used for signing, for example

gpg: Signature made Mon Jun 27 23:22:05 2016 CEST gpg: using RSA key 0x8E78E44DFB1B55E9 [snip]

This key ID references the key actually used for writing the signature, if a subkey was used, the ID is printed here. You verify by running gpg --list-keys [key-id] and having a look whether the key is listed as primary key or subkey.

For signing, usually the pinentry implementation of your choice will also print the key to be used when querying for the passphrase.

Improve this answer
1
  • 1
    This is not strictly true as of 2019: commits made via the github.com web interface are now signed using GitHub's own PGP key, found at github.com/web-flow.gpg. You can tell my clicking the "Verified" badge next to a commit and seeing the text "This commit was created on GitHub.com and signed with a verified signature using GitHub’s key." Commented Nov 14, 2019 at 21:47

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.