Where can I find the GPG key GitHub uses for merges?

When a PR is merged, a merge commit is added, which is automatically signed by GitHub. Its ‘Verified’ tag says:

This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.

Regardless of whether the merge is on a public or private repository, and regardless of the user doing the merge, the GPG key ID always seems to be the same (4AEE18F83AFDEB23).

Where can I find the public key that goes with this GPG key, so that those commits show up as verified in git log --show-signature?

4 Likes

Hi @heemskerkerik,

You can find the key we use to sign commits here: https://github.com/web-flow.gpg

And you can find more information about GPG here: https://help.github.com/articles/about-gpg/

Hope this helps!

6 Likes

Is there anyway to reset this key?

I think we never get the private part to see, but i just thought, that it could theoretically be stolen from GitHub directly.

@panzer1119 ,

No you cannot reset this key yourself. Only GitHub has control over it. And yes, it can (in theory) be stolen from GitHub. However, I am assuming that they provide enough effort to protect the private key.

If you really don’t trust GitHub’s key, you could just merge locally with your own key and then push.

1 Like

Thank you. Currently I have no trust issues with GitHub.
I was just curious if GitHub has any “emergency plan” after a breach happened or something similar.

this is verified my account

1 Like

In case anyone else isn’t sure what to do with the key (as I was until a few minutes ago), this is how you can import it locally and “trust” it, so that the commits from GitHub are actually shown as being from a trusted source.

curl -O https://github.com/web-flow.gpg
gpg --import web-flow.gpg
gpg --edit-key noreply@github.com

You’ll then enter the gpg key editing interface, where you can enter trust and then quit.

Now the key will be recognized by gpg and told that you trust it, since you just downloaded it from GitHub yourself!

This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23

1 Like

My company’s (IBM) instance of Github Enterprise Server doesn’t seem to support this feature. Is it something that has to be enabled? I can definitely merge the commits locally using command-line and my own GPG key, but I can’t merge Pull Requests from the web UI that are signed. I was thinking this was intentional because of needing a valid GPG key that would make the merged PR verifiable, but then I saw this thread and realized that the server can indeed have its own GPG key… so how would I get this enabled on a private company’s Github Enterprise Server? Indeed, for my repository, I saw the setting

Require signed commits
Commits pushed to matching branches must have verified signatures.

, which we have enabled, and that makes sense.  But I’d like to make it so our Enterprise Server can merge on my behalf from the UI and sign the merge commit using the server key.  Is this possible?

1 Like

Not sure if it’s because of the version (gpg v2.2.17 / libgcrypt v1.8.5) but I had to do

$ curl https://github.com/web-flow.gpg | gpg --import
$ gpg --edit-key noreply@github.com
gpg> trust
gpg> save
$ gpg --lsign-key noreply@github.com
1 Like
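Added example (my own script, not posted by anyone in this thread and not GitHub’s tooling): a POSIX shell version of the two import-and-trust recipes above (the `--edit-key` / `trust` one and the `--lsign-key` one) that refuses to import the downloaded key unless its fingerprint ends in the key ID shown on the badge (4AEE18F83AFDEB23), then uses `gpg --quick-lsign-key` instead of the interactive `--edit-key` session. It also counts how many commits in `git log --format='%h %G? %GK'` output are not a good, trusted signature under that key, which is the check you would run before and after importing. The live path assumes `curl` and GnuPG 2.1.10 or newer; the sample gpg listing and git log lines are constructed, and the fingerprint prefix in the sample is made up (only its trailing 16 hex digits come from the thread).

```shell
#!/bin/sh
# Added example: pin-checked, non-interactive import of GitHub's web-flow key,
# plus an audit of which commits verify under it. Not from the thread's posters.

# Key ID quoted from the 'Verified' badge in this thread.
EXPECTED_KEY_ID="4AEE18F83AFDEB23"
# Key URL given in the accepted answer.
KEY_URL="https://github.com/web-flow.gpg"

# Print the full fingerprint from colon-format gpg output on stdin
# (field 10 of the first "fpr" record); prints nothing if there is none.
fingerprint_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# The long key ID is the last 16 hex digits of a v4 fingerprint.
key_id_from_colons() {
    fingerprint_from_colons | awk '{ print substr($0, length($0) - 15) }'
}

# Succeeds only when the listing's fingerprint ends in the expected key ID.
key_id_matches() {
    listing="$1"; expected="$2"
    got=$(printf '%s\n' "$listing" | key_id_from_colons)
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

# Map git's %G? signature-status letters to words.
describe_status() {
    case "$1" in
        G) echo "good signature from a trusted key" ;;
        U) echo "good signature, key not yet trusted" ;;  # state before trust/lsign
        B) echo "BAD signature" ;;
        N) echo "no signature" ;;
        X|Y) echo "signature or key expired" ;;
        R) echo "key revoked" ;;
        E) echo "cannot check (key missing)" ;;
        *) echo "unknown status '$1'" ;;
    esac
}

# Given lines of `git log --format='%h %G? %GK'`, print how many commits are
# NOT a good, trusted signature made with the pinned key.
count_unverified() {
    log="$1"; want="$2"
    printf '%s\n' "$log" | awk -v want="$want" '
        NF == 0 { next }
        $2 == "G" && $3 == want { next }
        { bad++ }
        END { print bad + 0 }'
}

# Live path (only runs when invoked as: sh script.sh --run). Assumes curl and
# gpg >= 2.1.10 (for --quick-lsign-key). Downloads the key, refuses to import
# it unless its fingerprint ends in EXPECTED_KEY_ID, then locally signs it so
# `git log --show-signature` reports a good signature instead of an untrusted one.
import_github_key() {
    tmp=$(mktemp) || return 1
    curl -fsSL "$KEY_URL" -o "$tmp" || { rm -f "$tmp"; return 1; }
    listing=$(gpg --with-colons --import-options show-only --import "$tmp") \
        || { rm -f "$tmp"; return 1; }
    if ! key_id_matches "$listing" "$EXPECTED_KEY_ID"; then
        echo "refusing: downloaded key does not end in $EXPECTED_KEY_ID" >&2
        rm -f "$tmp"; return 2
    fi
    fpr=$(printf '%s\n' "$listing" | fingerprint_from_colons)
    gpg --import "$tmp" && gpg --quick-lsign-key "$fpr"
    rc=$?; rm -f "$tmp"; return $rc
}

# Constructed sample listing: the fingerprint prefix is made up; only the last
# 16 hex digits (the key ID) come from the thread.
SAMPLE_COLONS='pub:-:2048:1:4AEE18F83AFDEB23:1500000000::::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF012345674AEE18F83AFDEB23:
uid:-::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::GitHub (web-flow) <noreply@github.com>::::::::::0:'

# Constructed sample of `git log --merges --format='%h %G? %GK'`.
SAMPLE_LOG='a1b2c3d G 4AEE18F83AFDEB23
d4e5f67 U 4AEE18F83AFDEB23
0f1e2d3 N
9a8b7c6 G 0000000000000000'

if [ "${1:-}" = "--run" ]; then
    import_github_key
else
    key_id_matches "$SAMPLE_COLONS" "$EXPECTED_KEY_ID" && echo "sample key pin OK"
    echo "unverified commits in sample: $(count_unverified "$SAMPLE_LOG" "$EXPECTED_KEY_ID")"
fi
```

Run it with no arguments to exercise the parsers against the constructed samples; run it with `--run` to perform the real download, pin check and local signature. On the sample log, three of the four commits are not a good, trusted signature under the pinned key: the `U` line is what you see before the key has been trusted or locally signed, the `N` line is an unsigned commit, and the last line was signed by a different key ID, which is exactly the case the pin check exists to catch.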