34

If you make an edit through GitHub's website, or merge a pull request, then the resulting commits are automatically signed with GitHub's GPG key. It looks like this:

[Screenshot: "This commit was created on GitHub.com and signed with a verified signature using GitHub's key"]

I would like to have the full public key so that I can add it as a trusted key on my system. What is GitHub's public GPG key?

Aaron Franke

1 Answer

43

GitHub sets the committer for all commits made using their web interface to the user web-flow.

For any given GitHub account, you can add .gpg to its URL to get its public key—so for web-flow, you can find it at https://github.com/web-flow.gpg:


You can then import and trust that public key.

As shown in this thread:

$ curl https://github.com/web-flow.gpg | gpg --import
$ gpg --edit-key noreply@github.com
gpg> trust
gpg> save
$ gpg --lsign-key noreply@github.com
cpmsmith
VonC
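As an added example (not part of VonC's answer), here is how a script can act on the trust set by the commands above: it parses the machine-readable gpg status lines that `git verify-commit --raw` relays and accepts a commit only when the signature is good, comes from a pinned fingerprint, and carries at least full ownertrust. The pinned fingerprint and the sample status lines are constructed placeholders; read the real fingerprint from `gpg --fingerprint noreply@github.com` after the import.

```python
import subprocess
from dataclasses import dataclass
from typing import Optional
# Placeholder: replace with the fingerprint printed by
# `gpg --fingerprint noreply@github.com` after importing web-flow.gpg.
PINNED_FINGERPRINTS = {"0000000000000000000000000000000000000000"}
TRUST_RANK = {"TRUST_UNDEFINED": 0, "TRUST_NEVER": 0, "TRUST_MARGINAL": 1,
              "TRUST_FULLY": 2, "TRUST_ULTIMATE": 3}

@dataclass
class Verdict:
    good_signature: bool
    fingerprint: Optional[str]
    trust: Optional[str]
    accepted: bool

def evaluate_status(raw: str, pinned=PINNED_FINGERPRINTS,
                    min_trust: str = "TRUST_FULLY") -> Verdict:
    """GOODSIG alone is not enough: require the pinned key plus ownertrust."""
    good, fpr, trust = False, None, None
    for line in raw.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            fpr = fields[-1].upper()  # last field: primary-key fingerprint
        elif tag.startswith("TRUST_"):
            trust = tag  # stays TRUST_UNDEFINED until `trust` / --lsign-key
        elif tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            good = False
            break
    accepted = (good and fpr in pinned
                and TRUST_RANK.get(trust, 0) >= TRUST_RANK[min_trust])
    return Verdict(good, fpr, trust, accepted)

def verify_commit(rev: str, repo: str = ".") -> Verdict:
    proc = subprocess.run(["git", "verify-commit", "--raw", rev], cwd=repo,
                          capture_output=True, text=True)
    return evaluate_status(proc.stderr)  # --raw puts gpg status on stderr

# Constructed sample status output; the zero fingerprints are placeholders.
SAMPLE_TRUSTED = """\
[GNUPG:] GOODSIG 0000000000000000 GitHub (web-flow commit signing) <noreply@github.com>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2023-01-24 1674536400 0 4 0 1 8 01 0000000000000000000000000000000000000000
[GNUPG:] TRUST_FULLY 0 pgp
"""
SAMPLE_UNTRUSTED = SAMPLE_TRUSTED.replace("TRUST_FULLY", "TRUST_UNDEFINED")
```

A key that was imported but never given ownertrust yields `TRUST_UNDEFINED`, so `evaluate_status(SAMPLE_UNTRUSTED).accepted` is False even though the signature itself is good.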
    Tiny bit more convenient to just run `gpg --edit-key noreply@github.com trust quit` and then select the trust level (`4` = fully, is a good choice for it). – ruohola Apr 07 '21 at 08:34
    @ruohola Good alternative indeed. – VonC Apr 07 '21 at 08:48
  • When I add the web-flow's GPG key on GitHub, it says **Email address: noreply@github.com [Unverified]**. On focus on Unverified, `Signed commits authored by this email address will be unverified until the email address is verified.` – Rohan Bari Jan 24 '23 at 04:01
  • @RohanBari True, after reading [issue 245](https://github.com/keybase/keybase-issues/issues/245#issuecomment-205961190), which is not exactly related but similar, I suppose this would not work with a GitHub account keeping their email private, and only advertising the anonymous email `noreply@github.com` in their commit. – VonC Jan 24 '23 at 06:50
  • @VonC I don't have my email address private. [Screenshot](https://i.postimg.cc/x1Nd207q/Screenshot-from-2023-01-24-15-25-21.png) – Rohan Bari Jan 24 '23 at 09:57
  • @RohanBari Interesting. I would like to see a separate question on this, with more information on your particular issue. – VonC Jan 24 '23 at 22:14
  • @VonC Refer to [this](https://stackoverflow.com/q/75212032/11471113) thread. I recently asked about it. – Rohan Bari Jan 25 '23 at 03:14