I was working on a C++ project in CLion. I came across a Git Log message:

Commit Log

When I make changes on a repository directly from GitHub, why does it say Unverified GPG signature in the Git Log despite having a Verified mark on GitHub?

GitHub Verified Mark

Edit 1: I have verified and ultimately trusted public and private GPG keys on my machine as well as on GitHub:

```
rohan@Genesis:~$ gpg --list-keys
/home/rohan/.gnupg/pubring.kbx
------------------------------
pub   rsa3072 2021-07-10 [SC]
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
uid           [ultimate] Rohan Bari (Rohan Bari's GPG key created on Tesla's birthday.) <rohanbari4@gmail.com>
sub   rsa3072 2021-07-10 [E]
```
Rohan Bari
  • It just means that you locally haven't verified the GPG signature (maybe the key is not available locally, or GPG verification is not set up, or ...). "Verified" or not is not a property of the bytes that make up the commit, but a description of the understanding of some code of those bytes. – Joachim Sauer Jan 23 '23 at 16:04
  • @JoachimSauer I have both public and private GPG keys verified and ultimately trusted on my Linux machine. – Rohan Bari Jan 23 '23 at 16:11
  • If I read the first screenshot correctly, the commit is signed by `noreply@github.com` (which makes sense because if you edit via the web UI, GitHub can't sign with your private key). – Joachim Sauer Jan 23 '23 at 16:13
  • @JoachimSauer I thought of posting a question about `noreply@github.com` along with this question but abandoned that edit as there would be two questions in a single thread. Also, I have set up the GPG keys in GitHub's `settings/keys` section. – Rohan Bari Jan 23 '23 at 16:17
  • AFAIK you can't add your **private** key to GitHub, which would be necessary for GitHub to sign commits that you did via the web UI as you. What tooltip does hovering over "verified" show on this commit? This tends to be very explicit about *why* a given commit is trusted. – Joachim Sauer Jan 23 '23 at 16:21
  • @JoachimSauer On clicking the Verified label, it shows: This commit was created on GitHub.com and signed with GitHub’s verified signature. *[With a GPG Key ID different from the one I have.]* – Rohan Bari Jan 23 '23 at 16:26
  • That's what I thought: GitHub treats it as verified only because it's signed by GitHub's own private key, which they trust. So to trust that too you need to trust [GitHub's own public GPG key](https://stackoverflow.com/questions/60482588/what-is-githubs-public-gpg-key). – Joachim Sauer Jan 23 '23 at 16:28
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/251342/discussion-between-rohan-bari-and-joachim-sauer). – Rohan Bari Jan 23 '23 at 16:31
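The point the comments arrive at (GitHub's badge reflects trust in GitHub's own signing key, while the local gpg has neither imported nor trusted that key) can be checked from the command line. The script below is an added example, not code from the question, CLion or GitHub: it reads the output of `git log --format='%H%x09%G?%x09%GK%x09%GS'` and states, per commit, why git's local verification did or did not succeed and what would fix it. It assumes the long key id listed for GitHub's web-flow key is still current (confirm against https://github.com/web-flow.gpg); the sample log is constructed.

```python
# Meaning of git's one-letter %G? verdicts (git-log(1), "pretty formats").
VERDICTS = {
    "G": "good signature, signing key trusted locally",
    "U": "good signature, but the signing key is not trusted locally",
    "E": "cannot be checked (signing key missing locally, or gpg error)",
    "B": "BAD signature",
    "N": "no signature",
    "X": "good signature, but it has expired",
    "Y": "good signature, but made by an expired key",
    "R": "good signature, but made by a revoked key",
}
# Long key id of GitHub's web-flow signing key. Assumption: confirm it against
# https://github.com/web-flow.gpg, since GitHub can rotate the key.
GITHUB_WEB_FLOW_KEY_IDS = {"4AEE18F83AFDEB23"}

def classify(line: str) -> tuple:
    """One tab-separated line '<hash> <%G?> <%GK> <%GS>' -> (commit, status, advice)."""
    commit, code, key_id, signer = line.rstrip("\n").split("\t")
    status = VERDICTS.get(code, f"unknown code {code!r}")
    from_github = any(key_id.upper().endswith(k) for k in GITHUB_WEB_FLOW_KEY_IDS)
    if code == "G":
        advice = "verified locally"
    elif from_github and code in ("E", "U"):
        advice = ("made in GitHub's web UI and signed with GitHub's own key: import "
                  "https://github.com/web-flow.gpg, set its ownertrust, re-run git verify-commit")
    elif code == "E":
        advice = f"fetch public key {key_id} (gpg --recv-keys) before trusting this commit"
    elif code == "U":
        advice = f"key {key_id} ({signer}) checks out but is untrusted; set its ownertrust"
    elif code == "N":
        advice = "unsigned commit"
    else:
        advice = "treat as untrusted and investigate"
    return commit[:12], status, advice

def audit(log_text: str) -> list:
    return [classify(line) for line in log_text.splitlines() if line.strip()]

# Constructed sample log; hashes and the non-GitHub key id are placeholders.
SAMPLE_LOG = (
    "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567\tE\t4AEE18F83AFDEB23\t\n"
    "1b2c3d4e5f60718293a4b5c6d7e8f90123456789\tU\t4AEE18F83AFDEB23\tGitHub <noreply@github.com>\n"
    "2c3d4e5f60718293a4b5c6d7e8f9012345678901\tG\t0123456789ABCDEF\tExample User <user@example.com>\n"
    "3d4e5f60718293a4b5c6d7e8f901234567890123\tN\t\t\n"
)

if __name__ == "__main__":
    for commit, status, advice in audit(SAMPLE_LOG):
        print(f"{commit}  {status}  ->  {advice}")
```

Feed it a real log with `git log --format='%H%x09%G?%x09%GK%x09%GS' -n 20 > log.tsv` and call `audit(open("log.tsv").read())`; the first two sample rows are the situation in the question, before and after importing GitHub's key without setting its trust.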
