Copilot Lvl 2
Message 1 of 7

Where can I find the GPG key GitHub uses for merges?

When a PR is merged, a merge commit is added, which is automatically signed by GitHub. Its 'Verified' tag says:

This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.

Regardless of whether the merge is on a public or private repository, and regardless of the user doing the merge, the GPG key ID always seems to be the same (4AEE18F83AFDEB23).

Where can I find the public key that goes with this GPG key, so that those commits show up as verified in git log --show-signature?

6 Replies
Moderator
Message 2 of 7

Re: Where can I find the GPG key GitHub uses for merges?

Hi @heemskerkerik,

 

You can find the key we use to sign commits here: https://github.com/web-flow.gpg

And you can find more information about GPG here: https://help.github.com/articles/about-gpg/

Hope this helps!



Copilot Lvl 2
Message 3 of 7

Re: Where can I find the GPG key GitHub uses for merges?

Is there any way to reset this key?

I think we never get to see the private part, but I just thought that it could theoretically be stolen from GitHub directly.

Commander Lvl 3
Message 4 of 7

Re: Where can I find the GPG key GitHub uses for merges?

@Panzer1119 ,

 

No you cannot reset this key yourself. Only GitHub has control over it. And yes, it can (in theory) be stolen from GitHub. However, I am assuming that they provide enough effort to protect the private key.

 

If you really don't trust GitHub's key, you could just merge locally with your own key and then push.


- Mark
Copilot Lvl 2
Message 5 of 7

Re: Where can I find the GPG key GitHub uses for merges?

Thank you. Currently I have no trust issues with GitHub.
I was just curious if GitHub has any "emergency plan" after a breach happened or something similar.
Copilot Lvl 2
Message 6 of 7

Re: Where can I find the GPG key GitHub uses for merges?

this is verified my account
Ground Controller Lvl 1
Message 7 of 7

Re: Where can I find the GPG key GitHub uses for merges?

In case anyone else isn't sure what to do with the key (as I was until a few minutes ago), this is how you can import it locally and "trust" it, so that the commits from GitHub are actually shown as being from a trusted source.

 

curl -O https://github.com/web-flow.gpg        # the key file GitHub publishes is web-flow.gpg (not .pgp)
gpg --import web-flow.gpg
gpg --edit-key noreply@github.com              # selects the key by its user ID, GitHub <noreply@github.com>

 

You'll then enter the gpg key editing interface, where you can enter trust and then quit.

 

Now the key will be recognized by gpg and told that you trust it, since you just downloaded it from GitHub yourself!
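The same steps as a non-interactive script, added here as an example that is not from the thread: it refuses the downloaded key unless its long key ID matches the one quoted in the question, sets ownertrust with gpg --import-ownertrust instead of the interactive trust prompt, and then shows the signature on the latest merge commit. It assumes GnuPG 2.1 or later, curl and git are installed; the colon-listing sample inside it is constructed and its fingerprint is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GnuPG 2.1+, curl and git are installed.
# Long key ID of GitHub's web-flow signing key, as quoted in the question above.
GITHUB_KEYID="4AEE18F83AFDEB23"
KEY_URL="https://github.com/web-flow.gpg"

# Constructed sample of a `gpg --with-colons` listing (the fingerprint is a placeholder,
# not GitHub's real one), used by selfcheck below.
SAMPLE_LISTING='pub:-:2048:1:4AEE18F83AFDEB23:1500000000::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA4AEE18F83AFDEB23:
uid:-::::1500000000::0000000000000000000000000000000000000000::GitHub <noreply@github.com>::::::::::0:'
# Print the long key ID of each primary key in a colon listing read from stdin (field 5 of "pub").
keyid_from_colons() { awk -F: '$1 == "pub" { print $5 }'; }

# Print the fingerprint of the first key in a colon listing read from stdin (field 10 of "fpr").
fpr_from_colons() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# Succeed only if the listing on stdin holds exactly one primary key and it is the expected one.
listing_is_github_key() {
  ids=$(keyid_from_colons)
  [ "$ids" = "$GITHUB_KEYID" ]
}

# Download the key, refuse it unless its key ID matches, import it, and mark it ultimately
# trusted so that gpg (and therefore git log --show-signature) no longer reports [unknown].
install_github_key() {
  tmp=$(mktemp) || return 1
  curl -fsSL -o "$tmp" "$KEY_URL" || { rm -f "$tmp"; return 1; }
  # show-only lists the keys in the file without importing them yet.
  listing=$(gpg --with-colons --import-options show-only --import "$tmp") || { rm -f "$tmp"; return 1; }
  if ! printf '%s\n' "$listing" | listing_is_github_key; then
    echo "refusing: $KEY_URL does not carry the expected key ID $GITHUB_KEYID" >&2
    rm -f "$tmp"; return 1
  fi
  gpg --import "$tmp"
  fpr=$(printf '%s\n' "$listing" | fpr_from_colons)
  printf '%s:6:\n' "$fpr" | gpg --import-ownertrust   # 6 = ultimate ownertrust
  rm -f "$tmp"
  git log --show-signature -1 --merges   # latest merge commit, now shown as trusted
}

# Offline self-check of the parsing and pinning logic against the constructed sample.
selfcheck() {
  [ "$(printf '%s\n' "$SAMPLE_LISTING" | fpr_from_colons)" = "AAAAAAAAAAAAAAAAAAAAAAAA4AEE18F83AFDEB23" ] &&
  printf '%s\n' "$SAMPLE_LISTING" | listing_is_github_key
}

# Run the real installation only when invoked as: sh thisfile.sh --install
if [ "${1:-}" = "--install" ]; then install_github_key; fi
```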