In case anyone else isn't sure what to do with the key (as I was until a few minutes ago), this is how you can import it locally and "trust" it, so that the commits from GitHub are actually shown as being from a trusted source. curl -O https://github.com/web-flow.pgp
gpg --import web-flow.gpg
gpg --edit-key email@example.com You'll then enter the gpg key editing interface, where you can enter trust and then quit. Now the key will be recognized by gpg and told that you trust it, since you just downloaded it from GitHub yourself!
... View more