How and where to get GitHub's gpg key #31622

Description

@nguyenalex836

Discussed in https://github.com/github/docs/discussions/6444

Originally posted by jernej-9 May 15, 2021
Hi everybody!
I was trying to download the GitHub gpg key that is used to sign all web commits so that running git log --show-signature locally would not bring up a red box saying that gpg could not verify the signature. However, I could not find any official site stating where the key is published and only found the key location by looking at some forum posts saying that it is the key from the user web-flow. Since this is still a highly unreliable way to get the gpg key, I would propose that the key and information on how to acquire it are added to the documentation, which would present a trusted source of information about which key is the right one to use.

Comments

felicitymay
on May 17, 2021
Maintainer
Hi jernej-9, welcome to the docs site 👋🏻

I was trying to download the GitHub gpg key that is used to sign all web commits so that running git log --show-signature locally would not bring up a red box saying that gpg could not verify the signature. However, I could not find any official site stating where the key is published and only found the key location by looking at some forum posts saying that it is the key from the user web-flow.

It sounds as if one of the problems is that you're looking for a key to download from GitHub. For security, every user has to generate their own gpg key and then upload this into their account settings. This is how GitHub knows that the commit comes from you and not some other user. Otherwise, anyone with your email address could set up their Git to pretend to be you.

I hadn't used gpg keys myself until recently, but was able to set this up locally using the following docs:

Generating a new GPG key
Adding a new GPG key to your GitHub account
Telling Git about your signing key
For some background, you can also read an introduction to gpg keys and how you can use them to sign commits here: About commit signature verification.

felicitymay
on May 18, 2021
Maintainer
Actually, I've found the information in the docs - it's there but not very obvious: About commit signature verification

GitHub will automatically use GPG to sign commits you make using the GitHub web interface, except for when you squash and merge a pull request that you are not the author of. You can optionally choose to have GitHub sign commits you make in Codespaces. Commits signed by GitHub will have a verified status on GitHub. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg. For more information about enabling GPG verification for your codespaces, see "Managing GPG verification for Codespaces."

It seems as if it might be worth adding a heading to this section and making it a bit easier to discover.

felicitymay
on May 18, 2021
Maintainer
jernej-9 - is https://github.com/web-flow.gpg where you found the key?

jernej-9
on May 19, 2021
Author
Actually, I've found the information in the docs - it's there but not very obvious: About commit signature verification

Ah, thank you, I was looking at that page but did not see it.

It seems as if it might be worth adding a heading to this section and making it a bit easier to discover.

Yes, it is a bit hard to find. I think the section heading is ok as it is, but making the key information more prominent within the paragraph would be helpful. Something like:

GitHub will automatically use GPG to sign commits you make using the GitHub web interface, except for when you squash and merge a pull request that you are not the author of. Commits signed by GitHub will have a verified status on GitHub. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg. The full fingerprint of the key is . You can optionally choose to have GitHub sign commits you make in Codespaces. For more information about enabling GPG verification for your codespaces, see "Managing GPG verification for Codespaces."

I think this is more readable, as the information on Codespaces is not split and comes later, and the addition of the fingerprint enables everybody to directly verify that the key they downloaded is indeed correct.

felicitymay
on May 19, 2021
Maintainer
jernej-9 - I really like your suggestion. That seems much clearer.

I wonder if you'd like to open a pull request to make that change to the docs?

jernej-9
on May 19, 2021
Author
Yes of course, I will open a pull request with these changes 👍

ohader
on Mar 17, 2023
I found the details in the previous comments, thanks for digging into that.

In a Linux/macOS terminal the following command would import the corresponding GPG key to the local keychain.

curl -fsSL https://github.com/web-flow.gpg | gpg --import

felicitymay
on Mar 20, 2023
Maintainer
ohader - I'm glad that this discussion was helpful to you ✨

Checking back on the planned change to the docs resulting from this issue, I can see that jernej-9 made the agreed change: https://github.com/github/docs/pull/6615/files
and that this is live in this article: About commit signature verification. So it looks as if we should mark this discussion as answered.

Relevant quote from the article:

GitHub will automatically use GPG to sign commits you make using the web interface. Commits signed by GitHub will have a verified status. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg. The full fingerprint of the key is 5DE3 E050 9C47 EA3C F04A 42D3 4AEE 18F8 3AFD EB23.
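Putting the import command above together with the documented fingerprint, here is an added example (not code from the thread or from GitHub) that checks the downloaded key's primary fingerprint against the published one before importing it, so a wrong or tampered download is rejected rather than trusted. The colon-format samples it runs offline are constructed; the function name verify_and_import_web_flow_key is the example's own.

```shell
#!/bin/sh
# Added example: verify that the key fetched from https://github.com/web-flow.gpg
# really is GitHub's signing key by checking its primary fingerprint against the
# one published in the docs, before (not after) importing it into the keyring.

# Fingerprint quoted from the GitHub docs; spaces are display formatting only.
EXPECTED_FPR="5DE3 E050 9C47 EA3C F04A 42D3 4AEE 18F8 3AFD EB23"

# Strip spaces and upper-case the hex so both spellings compare equal.
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'; }

# From gpg --with-colons output on stdin, print the primary key fingerprint:
# field 10 of the first "fpr" record (later fpr records belong to subkeys).
primary_fpr() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# Succeed only when the given fingerprint equals the documented one.
fpr_matches() { [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$EXPECTED_FPR")" ]; }

# Online workflow (assumes curl and gpg 2.x; not executed here): download the
# key, inspect it with show-only (same as --show-keys), and import it only if
# the fingerprint matches.
verify_and_import_web_flow_key() {
    tmp=$(mktemp) || return 1
    curl -fsSL https://github.com/web-flow.gpg -o "$tmp" || { rm -f "$tmp"; return 1; }
    fpr=$(gpg --with-colons --import-options show-only --import "$tmp" 2>/dev/null | primary_fpr)
    if fpr_matches "$fpr"; then
        gpg --import "$tmp"; rc=$?
    else
        echo "web-flow.gpg fingerprint mismatch: ${fpr:-<none>}" >&2; rc=1
    fi
    rm -f "$tmp"; return "$rc"
}

# Constructed colon-format samples for an offline run (not captured from gpg).
# In the good sample the key ID is the last 16 hex digits of the fingerprint.
SAMPLE_GOOD='pub:-:4096:1:4AEE18F83AFDEB23:1500000000::::::scESC::::::23::0:
fpr:::::::::5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23:
uid:-::::1500000000::0000000000000000000000000000000000000000::GitHub (web-flow commit signing) <noreply@github.com>::::::::::0:'
SAMPLE_BAD='pub:-:4096:1:FEDCBA9876543210:1500000000::::::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Run the fingerprint check over a sample held in a variable.
check_sample() { fpr_matches "$(printf '%s\n' "$1" | primary_fpr)"; }

check_sample "$SAMPLE_GOOD" && echo "sample key matches the documented fingerprint"
check_sample "$SAMPLE_BAD"  || echo "key with a different fingerprint is rejected"
```

Once the key is imported this way, git log --show-signature will report a good signature from the web-flow key instead of the unverifiable-signature warning.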
