53

This commit in my GitHub repo is signed by a key I don't recognize: https://github.com/jonathancross/jc-docs/pull/2/commits/124672699991af75dd2454831670758f08bc74ab

What is going on here?

2 Answers

54

GitHub itself is signing commits made through the online editor using the key 0x4AEE18F83AFDEB23:

GitHub Screenshot: This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.

From: https://help.github.com/articles/about-gpg/

GitHub will automatically sign commits you make using the GitHub web interface. These commits will have a verified status on GitHub. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg
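To turn the "verify locally" step above into a repeatable check, here is an added example (not from the question or either answer) that classifies each commit's signature status after you have run `gpg --import` on web-flow.gpg. It parses the `%G?`/`%GK` fields of `git log`; the sample log lines, their hashes, the non-GitHub key ID and the signer strings are constructed placeholders.

```python
import subprocess

# Long key ID of GitHub's web-flow signing key (the key named in the answer above).
GITHUB_WEB_FLOW_KEY = "4AEE18F83AFDEB23"

# One tab-separated line per commit: hash, %G? status, signing key ID, signer.
# %G? codes: G good, U good but key untrusted, B bad, X/Y expired, R revoked,
# E cannot check (public key not in keyring), N no signature.
LOG_FORMAT = "%H%x09%G?%x09%GK%x09%GS"

def parse_log(text):
    """Split git log output into (sha, status, key, signer) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rows.append(tuple((line.split("\t", 3) + ["", "", ""])[:4]))
    return rows

def classify(sha, status, key, signer):
    """Bucket one commit by who signed it and whether gpg could verify it."""
    if status == "N":
        return "unsigned"
    if key.upper().endswith(GITHUB_WEB_FLOW_KEY):
        # After importing web-flow.gpg the key is valid but not trusted in your
        # keyring, so git reports U rather than G; treat both as verified.
        return "github-web-flow" if status in ("G", "U") else "github-web-flow-invalid"
    if status in ("G", "U"):
        return "other-key-valid"
    if status == "E":
        return "unknown-key"  # signed, but key missing locally: fetch it and re-check
    return "invalid"

def audit(text):
    return {row[0]: classify(*row) for row in parse_log(text)}

def audit_repo(repo=".", rev="HEAD", n=50):
    """Classify the last n commits of a real checkout."""
    cmd = ["git", "-C", repo, "log", f"-n{n}", f"--format={LOG_FORMAT}", rev]
    return audit(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)

# Constructed sample log; hashes, the second key ID and the signer text are placeholders.
SAMPLE_LOG = "\n".join([
    "a" * 40 + "\tU\t4AEE18F83AFDEB23\tplaceholder web-flow signer",
    "b" * 40 + "\tE\t0000000000000001\t",
    "c" * 40 + "\tN\t\t",
])

if __name__ == "__main__":
    for sha, verdict in audit(SAMPLE_LOG).items():
        print(sha[:12], verdict)
```

Anything landing in "unknown-key" or "invalid" is worth a closer look, since it is signed by a key you have not vetted rather than by GitHub's web-flow key.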

14

To add to @Jonathan Cross's answer...

Signature rules

When will GitHub sign commits

  • GitHub will sign commits made using the web UI
  • GitHub will sign standard merges made using the web UI
  • GitHub will sign commits made by squashing to merge using the web UI

When will GitHub not sign commits

  • GitHub will not sign commits made by rebasing with the web UI

Why a different key is used rather than mine

This is because the web UI has no access to the private key, so it has to use its own key.

  • Hi! Would you know why GitHub does not sign commits made by rebasing with the web UI? Commented Sep 24, 2018 at 10:07
  • I do not know; my guess would be that it does not re-sign the commits after rebasing them as an oversight, rather than anything deliberate. Commented Sep 29, 2018 at 22:30
  • Very likely because rebasing affects commits of a different author, and this could otherwise be used to fake commits of other users to appear as signed. Commented Oct 5, 2018 at 14:25
