
Where can I find the public key for commits done from GitHub.com?

Tags: github, gnupg

Git supports signing commits using GPG, and GitHub shows these commits as being ‘Verified’. When you click the Verified tag, you'll see something like:

This commit was signed with a verified signature.

my username

My name

GPG key ID: F66DEF7BA82E8647

When you merge a pull request or, presumably, when you make a commit from within the web interface, it also shows as Verified, but with a different message:

This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.

GPG key ID: 4AEE18F83AFDEB23

When I run git log --show-signature, it will show commits that I've signed locally, like this:

gpg: Signature made 01/25/18 11:52:25 W. Europe Standard Time^M
gpg:                using RSA key 3FA85DEE7B64EB7EC8F97F41F66DEF7BA82E8647^M
gpg: Good signature from "Dude" <[email protected]>" [ultimate]^M

So far, so good. However, when I encounter a merged pull request, I'll get the following:

gpg: Signature made 01/25/18 09:07:45 W. Europe Standard Time^M
gpg:                using RSA key 4AEE18F83AFDEB23^M
gpg: Can't check signature: No public key^M

Obviously this is because I haven't added the public key to my list of GPG keys. The question is: where can I find this key? Is it listed somewhere?

edit: Obviously I've tried Googling this, and even asked a question on GitHub's community forums, but it's not getting answered.

ErikHeemskerk asked Jan 25 '18 12:01


2 Answers

By the nature of GPG, you want to be sure about which keys you are importing, and which you sign. You can find GitHub's web flow GPG public key here:

https://github.com/web-flow.gpg

If you want to import the public key, you can do so with the following command:

curl https://github.com/web-flow.gpg | gpg --import

As a user of GPG, you should evaluate your level of trust in the source of this key. If you decide that it does indeed belong to GitHub, you can sign it and optionally publish your signature to a key server, essentially publicly acknowledging that you believe the key belongs to who it is supposed to belong to.

taylorthurlow answered Sep 26 '22 01:09
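Once the web-flow key is imported, the practical question is how to check a whole range of commits rather than eyeballing `git log --show-signature` one commit at a time. The script below is an added example, not code from the question or either answer: it reads the output of `git log --format='%H %G? %GK'` (git's own one-letter signature status and the long key ID that signed) and reports, per commit, whether the signature is good and comes from a key you have decided to trust, or which public key is still missing. The trusted key IDs are the two that appear on this page (the asker's F66DEF7BA82E8647 and GitHub's 4AEE18F83AFDEB23); the sample log lines and the unknown key ID 0123456789ABCDEF are constructed placeholders, not real history.

```python
"""Added example (not from the question or answers): classify commit signatures
from git's own one-letter status and say which public keys still need importing.

Feed it the output of
    git log --format='%H %G? %GK' <revision-range>
where %G? is git's signature status and %GK the long key ID that signed.
The sample below is constructed, not real repository history."""
import re
from dataclasses import dataclass

# Key IDs that appear on this page: the asker's own key (a 16-hex-digit long
# key ID is the last 16 digits of the 40-digit fingerprint) and GitHub's
# web-flow key used for merges made on GitHub.com.
GITHUB_WEB_FLOW_KEY_ID = "4AEE18F83AFDEB23"
TRUSTED_KEY_IDS = {"F66DEF7BA82E8647", GITHUB_WEB_FLOW_KEY_ID}

# git-log(1) "%G?" status letters.
STATUS_TEXT = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key validity unknown",
    "X": "good signature, signature expired",
    "Y": "good signature, key expired",
    "R": "good signature, key revoked",
    "E": "cannot check signature (no public key)",
    "N": "no signature",
}


@dataclass(frozen=True)
class SignatureReport:
    commit: str
    status: str      # one of the %G? letters above
    key_id: str      # 16-hex-digit long key ID, "" when unsigned/unknown
    trusted: bool    # good signature from a key in TRUSTED_KEY_IDS
    advice: str


def normalize_key_id(key: str) -> str:
    """Reduce a fingerprint or long key ID to the 16-hex-digit long key ID."""
    key = key.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{16,40}", key):
        return ""
    return key[-16:]


def classify(line: str, trusted=TRUSTED_KEY_IDS) -> SignatureReport:
    """Classify one '<sha> <status> [<key>]' line from git log."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError(f"malformed log line: {line!r}")
    commit, status = parts[0], parts[1]
    key_id = normalize_key_id(parts[2]) if len(parts) > 2 else ""
    text = STATUS_TEXT.get(status, f"unknown status {status!r}")

    if status in ("G", "U") and key_id in trusted:
        return SignatureReport(commit, status, key_id, True,
                               f"{text} from trusted key {key_id}")
    if status == "E":
        hint = f"import public key {key_id}"
        if key_id == GITHUB_WEB_FLOW_KEY_ID:
            hint += " (GitHub web-flow key, see https://github.com/web-flow.gpg)"
        return SignatureReport(commit, status, key_id, False, f"{text}; {hint}")
    if status in ("G", "U"):
        return SignatureReport(commit, status, key_id, False,
                               f"{text} but key {key_id} is not in the trusted set")
    return SignatureReport(commit, status, key_id, False, text)


def report_all(log_text: str, trusted=TRUSTED_KEY_IDS):
    """Classify every non-empty line of git log output."""
    return [classify(line, trusted) for line in log_text.splitlines() if line.strip()]


def missing_keys(reports):
    """Key IDs git could not check because the public key is not in the keyring."""
    return {r.key_id for r in reports if r.status == "E" and r.key_id}


# Constructed sample: a locally signed commit, a merge made on GitHub.com whose
# key has not been imported yet, an unsigned commit, and a commit signed by an
# unknown key (placeholder key ID 0123456789ABCDEF).
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G F66DEF7BA82E8647
2222222222222222222222222222222222222222 E 4AEE18F83AFDEB23
3333333333333333333333333333333333333333 N
4444444444444444444444444444444444444444 G 0123456789ABCDEF
"""

if __name__ == "__main__":
    reports = report_all(SAMPLE_LOG)
    for r in reports:
        print(f"{r.commit[:12]} {'TRUSTED' if r.trusted else 'UNTRUSTED':9} {r.advice}")
    if missing_keys(reports):
        print("keys to import:", ", ".join(sorted(missing_keys(reports))))
```

Against a real repository, pass the output of `git log --format='%H %G? %GK' origin/main..HEAD` to `report_all` instead of `SAMPLE_LOG`. The point of keeping an explicit trusted set is that a "good" gpg signature only proves the commit was signed by the key git found in the keyring; whether that key is one you accept (your own, GitHub's web-flow key, a colleague's) is a decision the script makes from the allowlist, not one gpg makes for you.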


GitHub has documentation on how to locate existing keys, create new keys, add them to Git, GitHub, etc. You can find that here and I think it would answer any questions you have here.

From: https://help.github.com/articles/about-gpg/

GitHub will automatically sign commits you make using the GitHub web interface. These commits will have a verified status on GitHub. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg

Thomas Hughes answered Sep 25 '22 01:09