6

As identified in this related question, GitHub signs commits made from their application with their GPG key 4AEE18F83AFDEB23. Online, I can see commits tagged as 'verified', but when I attempt to verify them locally, I am unable to:

$ git log --show-signature
commit 1bd20e9f7ed0860dc1971957b61ea25aeea499a1
gpg: Signature made Tue 6 Feb 00:04:43 2018 AEDT
gpg:                using RSA key 4AEE18F83AFDEB23
gpg: Can't check signature: No public key
Merge: c1218d5 0dde09c
Author: Brendan Roy <[email protected]>
Date:   Tue Feb 6 00:04:43 2018 +1100

    Merge pull request #1 from bmon/pullreq

    this is a test

1bd20e9 is a commit GitHub made on my behalf. How can I verify the commit was made by GitHub?

1
  • Did you import 0x4AEE18F83AFDEB23? Commented Sep 13, 2018 at 23:06

2 Answers

10

Instead of blindly accepting a GPG key from an answer here, I would do the "right" thing and get the public key from a reasonable source. GitHub hosts their web flow GPG public key at the following address:

https://github.com/web-flow.gpg

If you decide that you trust this source, and believe it to be a place where GitHub would logically provide its public GPG key, you can import it with the following command:

curl https://github.com/web-flow.gpg | gpg --import 

GPG is all about trust, and understanding where the keys are coming from is a key part of understanding whether or not you trust a key. After importing this key, if you decide that you believe the key to be valid, and that it belongs to who it is said to belong to, you can sign the key, optionally publishing your signature to a public key server, acknowledging publicly that you trust that the key itself is valid.

1
  • 1
    GitHub also has a Help page which explicitly mentions github.com/web-flow.gpg. Eventually, making it more trustworthy. Commented Sep 24, 2019 at 11:25
2

You need to have a copy of the public GPG key installed in your GPG keychain for it to validate the signature.

curl 'https://sks-keyservers.net/pks/lookup?op=get&search=0x4AEE18F83AFDEB23' | gpg --import

or

gpg --keyserver hkp://pgp.mit.edu --search-keys 0x4AEE18F83AFDEB23
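Both answers end with a `gpg --import`, and the first one goes on to signing the key. Whichever source the key comes from (github.com/web-flow.gpg or a keyserver), the check worth doing before signing is to compare the key's full 160-bit fingerprint with the one GitHub publishes on the help page the comment above mentions; `git log --show-signature` only prints the 64-bit key ID, and a keyserver search by key ID returns any key whose ID matches, which is a much weaker identifier than the fingerprint. The following is an added example, not code from the question, the answers, or GitHub: it dearmors a public key block, verifies the armor CRC-24, and computes the v4 fingerprint and key ID per RFC 4880 so the fingerprint can be checked before import. The sample key block is constructed inline from a tiny fake RSA modulus; the function and constant names are the example's own.

```python
"""Added example (not from the page or from GitHub): dearmor an OpenPGP public key
block, check its CRC-24 trailer, and derive the v4 fingerprint and 64-bit key ID of
the primary key (RFC 4880 sections 6.1, 4.2, 12.2) so it can be compared with a
published fingerprint before `gpg --import` and any `--sign-key`/`--lsign-key`."""
import base64
import hashlib
import struct
import sys

ARMOR_HEAD = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_TAIL = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """CRC-24 used in the armor trailer (init 0xB704CE, polynomial 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packets: bytes) -> str:
    """Wrap raw packets in ASCII armor; used here only to build the sample input."""
    body = base64.b64encode(packets).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    trailer = "=" + base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_HEAD, ""] + lines + [trailer, ARMOR_TAIL, ""])


def dearmor(text: str) -> bytes:
    """Strip the armor, verify the CRC-24 trailer, return the raw packet bytes."""
    lines = [line.rstrip("\r") for line in text.strip().splitlines()]
    if lines[0] != ARMOR_HEAD or lines[-1] != ARMOR_TAIL:
        raise ValueError("not a PGP public key block")
    start = lines.index("") + 1          # armor headers end at the first blank line
    trailer = lines[-2]
    if not trailer.startswith("="):
        raise ValueError("missing CRC-24 trailer")
    data = base64.b64decode("".join(lines[start:-2]))
    if crc24(data) != int.from_bytes(base64.b64decode(trailer[1:]), "big"):
        raise ValueError("CRC-24 mismatch: armor corrupted or tampered")
    return data


def first_packet(data: bytes):
    """Parse the first packet header (old or new format); return (tag, body)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("bad packet header")
    if ctb & 0x40:                        # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                 # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        width = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + width], "big"), 1 + width
    return tag, data[off:off + length]


def fingerprint(data: bytes) -> str:
    """v4 fingerprint = SHA-1(0x99 || 2-byte body length || public key packet body)."""
    tag, body = first_packet(data)
    if tag != 6:
        raise ValueError(f"expected a public key packet (tag 6), got tag {tag}")
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fpr: str) -> str:
    """The key ID git and gpg print is only the low 64 bits of the fingerprint."""
    return fpr[-16:]


def check_against_published(armored: str, published_fpr: str) -> bool:
    """The pre-import check: compare the whole fingerprint, spaces ignored."""
    return fingerprint(dearmor(armored)) == published_fpr.replace(" ", "").upper()


def build_rsa_pubkey_packet(n: int, e: int, created: int) -> bytes:
    """Constructed v4 RSA public key packet with an old-format, 2-byte-length header."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


# Constructed sample: a toy modulus, not a usable key; creation time is the commit's.
SAMPLE_PACKET = build_rsa_pubkey_packet(n=0xC0FFEE1234567890ABCDEF, e=65537, created=1517835883)
SAMPLE_ARMOR = armor(SAMPLE_PACKET)

if __name__ == "__main__":
    text = SAMPLE_ARMOR if sys.stdin.isatty() else sys.stdin.read()
    fpr = fingerprint(dearmor(text))
    print("fingerprint:", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("key id     :", key_id(fpr))
```

Run stand-alone it prints the fingerprint and key ID of the constructed sample; piped a real armored key on stdin (for instance the output of the `curl` in the first answer) it prints that key's values, which you then compare by eye with the fingerprint on GitHub's help page before running `gpg --import` and deciding whether to sign the key. Only the primary key's fingerprint is computed; subkey and user ID packets that follow it are ignored.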
