Which email to sign commits with for GitHub and retain privacy?

Question

I have my GitHub account set to keep my personal email address private. The only place my personal email address is used at GitHub is to email me notifications. This means that an address of the form <username>@users.noreply.github.com is supposed to be used and shown in the GitHub web interface for all other items.

To ensure that my name and personal email address is not exposed in the commit details, I have set my git config user.email to the same no-reply address, and my user.name to my GitHub username.

To sign my commits I have created a GPG key. The key also uses the noreply address. The key is added to my GitHub account.

However, in the GitHub interface, I see that my commits are still unverified.

Am I using the correct email address at the right points here? Is it possible to sign commits and have both the commit and signing info not expose my personal info?

Answer 1

I have fixed this with inspiration from the comment by @ge0rdi.

Although I had my GPG key email set to the no-reply GitHub email address, as well as my git user.name, and that email address selected in GitHub, and the public key correctly uploaded in Github, as described in my question... this was all using the old-style no-reply GitHub email address.

The old style no-reply GitHub email address was what was what shown in the GitHub interface (i.e. [email protected]).

I had to force the account to use the new style. To do this, in Github, go to settings > Emails. Then un-select the checkbox for Keep my email addresses private, then re-select it again. This should result in the email address shown in the text below the text box being updated to the format [email protected]. Then update my GPG key and git user.name to match.

Why the GitHub git GPG system should require one things when the UI specifically shows another thing is probably a bug.