Git signature verification

Question

I'm new to the subject of signing Git commits and I'd like to understand how the process of verifying a GPG signature actually works. I already stumbled across these links, but none of them answers my question exactly:

• https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification
• Verifying signed git commits?
• https://withblue.ink/2020/05/17/how-and-why-to-sign-git-commits.html

The missing part for me is the following: lets say Bob creates and signs a Git commit using bob@example.com. His GPG signature uses bob@example.com as well and is uploaded to Bob's GitHub account. GitHub finds Bob's GPG signature and successfully verifies the Git commit.

But how does GitHub create the link between the creator of the Git commit and the GPG signature to use? Are they iterating over all registered email addresses on GitHub to find a matching one and use the corresponding GPG signature?

Or in other words: if Eve creates a GPG signature using bob@example.com, uploads it to Eve's GitHub account and creates and signs a commit: will the commit be marked as invalid on GitHub since Eve's GPG signature using bob@example does not belong to Bob?
At least that's how I'd expect it to work, but I want to be sure that I'm not working with wrong expectations.

Thanks!

Answer 1

Each user on GitHub can upload their public key to GitHub to be used for verifying commits. Only the keys that the user has uploaded are considered valid for verifying that user's commits.

When a commit comes in, GitHub inspects the email addresses in the author and committer headers of the commit, and it uses that to determine the accounts associated with it. For signatures, only the committer account is considered, since the commit was created by the committer and could only have been validly signed by them. Then, if that user has a public key and the commit is signed, GitHub will use that key to verify it.

When we verify any secure digital signature, we learn one of two things. Either we learn that both the given key signed the message and the message has not been modified, or we learn that something else has occurred. That something else could be a different key signed the message, that the message was modified, or that a bug of some sort occurred, but all we know in that case is that the signature is not valid for that key-message combination.

If Eve tries to sign a commit for Bob, then GitHub will try to verify the signature with Bob's key, and it will fail verification. The commit will be flagged as unverified.