When a PR is merged, a merge commit is added, which is automatically signed by GitHub. Its ‘Verified’ tag says:
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
Regardless of whether the merge is on a public or private repository, and regardless of the user doing the merge, the GPG key ID always seems to be the same (4AEE18F83AFDEB23).
Where can I find the public key that goes with this GPG key, so that those commits show up as verified in git log --show-signature?