When a PR is merged, a merge commit is added, which is automatically signed by GitHub. Its 'Verified' tag says:
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
Regardless of whether the merge is on a public or private repository, and regardless of the user doing the merge, the GPG key ID always seems to be the same (4AEE18F83AFDEB23).
Where can I find the public key that goes with this GPG key, so that those commits show up as verified in git log --show-signature?
Is there any way to reset this key?
I think we never get to see the private part, but I just thought that it could theoretically be stolen from GitHub directly.
No you cannot reset this key yourself. Only GitHub has control over it. And yes, it can (in theory) be stolen from GitHub. However, I am assuming that they provide enough effort to protect the private key.
If you really don't trust GitHub's key, you could just merge locally with your own key and then push.
In case anyone else isn't sure what to do with the key (as I was until a few minutes ago), this is how you can import it locally and "trust" it, so that the commits from GitHub are actually shown as being from a trusted source.
# download GitHub's public web-flow key (saved as web-flow.gpg, which the next step imports)
curl -O https://github.com/web-flow.gpg
gpg --import web-flow.gpg
# open the imported key by the key ID shown on the verified merge commits
gpg --edit-key 4AEE18F83AFDEB23
You'll then enter the gpg key editing interface, where you can enter trust and then quit.
Now the key will be recognized by gpg and told that you trust it, since you just downloaded it from GitHub yourself!
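Once the key is imported, the natural follow-up is to check that the merge commits on a branch really were signed by it. The script below is an added example, not code from anyone's post in this thread: it audits lines in the shape printed by `git log --format='%H %G? %GK'` and flags commits that are unsigned, have a bad or uncheckable signature, or were signed by a key other than the web-flow key ID quoted in the question (4AEE18F83AFDEB23). The sample log lines, the branch name `main` and the made-up second key ID are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits lines in the shape
# produced by:  git log --format='%H %G? %GK' --merges main
# and reports merge commits that are unsigned, have a bad or uncheckable
# signature, or were signed by a key other than the expected one(s).
#
# %G? codes used by git: G good, U good but the key's validity is unknown
# (ownertrust never set), B bad, E cannot check (key not imported),
# N unsigned, X/Y expired signature/key, R revoked key.
# %GK is the long (16 hex digit) key ID of the signing key.

# Long key ID of GitHub's web-flow key as stated in the thread. Space-separated;
# add your own key's ID here if you merge locally and push, as suggested above.
EXPECTED_KEYS="4AEE18F83AFDEB23"

# audit_log: reads "<hash> <status> <keyid>" lines on stdin, prints one line
# per commit ("ok <hash>" or "FAIL <hash> <reason>"), exit status 1 if any FAIL.
audit_log() {
    awk -v want="$EXPECTED_KEYS" '
    BEGIN { n = split(want, ids, " "); for (i = 1; i <= n; i++) allowed[toupper(ids[i])] = 1 }
    {
        hash = $1; status = $2; key = $3
        if (status == "N") { print "FAIL " hash " unsigned"; bad++; next }
        if (status == "E") { print "FAIL " hash " cannot-check (web-flow key not imported?)"; bad++; next }
        if (status == "B") { print "FAIL " hash " bad-signature"; bad++; next }
        # Both G and U mean the signature itself verified; U only says the
        # key was never marked trusted, which is what the gpg trust step fixes.
        if (status != "G" && status != "U") { print "FAIL " hash " status-" status; bad++; next }
        # Compare on the last 16 hex digits so a full fingerprint also matches.
        id = toupper(substr(key, length(key) - 15))
        if (!(id in allowed)) { print "FAIL " hash " unexpected-key " key; bad++; next }
        print "ok " hash
    }
    END { exit (bad > 0) }'
}

# audit_repo: run the audit against the real merge commits of a branch
# (branch name defaults to main, an assumption for this example).
audit_repo() {
    git log --format='%H %G? %GK' --merges "${1:-main}" | audit_log
}

# Constructed sample output (not from a real repository): two commits signed by
# the web-flow key, one signed by a made-up key, one unsigned, one whose key
# was not imported. git leaves %GK empty for unsigned commits; awk simply
# sees a missing third field there.
SAMPLE='a1b2c3d G 4AEE18F83AFDEB23
e5f6a7b U 0123456789ABCDEF
c9d0e1f N
1234567 E 4AEE18F83AFDEB23
89abcde G 4AEE18F83AFDEB23'

audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_log
}

# Demo when run directly: the sample deliberately contains failures, so the
# audit exits 1; report that instead of aborting the script.
audit_sample || echo "sample audit: failures found (expected for the sample data)"
```

Two things to keep in mind when pointing `audit_repo` at a real branch: git only reports `G` or `U` once the web-flow key is in your local keyring, so before the import step every web-flow merge shows up as `E`; and merges made through the GitHub web UI are signed by web-flow no matter which user clicked the button, which is why a single expected key ID covers them all, whereas a merge done locally with a personal key (the workaround in the earlier answer) is reported as `unexpected-key` unless that key's ID is added to `EXPECTED_KEYS`.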