51

This commit in my GitHub repo is signed by a key I don't recognize: https://github.com/jonathancross/jc-docs/pull/2/commits/124672699991af75dd2454831670758f08bc74ab

What is going on here?

2 Answers

53

GitHub itself is signing commits made through the online editor using the key 0x4AEE18F83AFDEB23:

GitHub Screenshot: This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.

From: https://help.github.com/articles/about-gpg/

GitHub will automatically sign commits you make using the GitHub web interface. These commits will have a verified status on GitHub. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg

14

To add to @Jonathan Cross's answer...

Signature rules

When will GitHub sign commits

  • GitHub will sign commits made using the web UI
  • GitHub will sign standard merges made using the web UI
  • GitHub will sign commits made by squashing to merge using the web UI

When will GitHub not sign commits

  • GitHub will not sign commits made by rebasing with the web UI

Why is a different key used than mine

This is because the web UI has no access to the private key, so it has to use its own key.

  • Hi! Would you know why GitHub would not sign commits made by rebasing with the web UI? Commented Sep 24, 2018 at 10:07
  • I do not know, my guess would be that it does not re-sign the commits after rebasing them as an oversight, rather than anything deliberate
    – jrtapsell
    Commented Sep 29, 2018 at 22:30
  • 10
    Very likely, because rebasing affects commits of a different author, and this could otherwise be used to fake commits of other users to appear as signed
    – Flyingmana
    Commented Oct 5, 2018 at 14:25
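The first answer says the web-flow signature can be verified locally with the key published at https://github.com/web-flow.gpg, and the second answer lists which web UI operations GitHub signs and which it does not. The following shell script is an added example (not code from either answer or from GitHub) that puts both points into practice: it imports GitHub's key, lists each commit with its verification status and signing key from `git log`, and flags any commit that is unsigned, fails verification, or is signed by a key outside an allowlist. The key ID 4AEE18F83AFDEB23 comes from the answer above; the allowlist contents, the `audit_signatures` function name and the sample commit lines are my own assumptions and constructed test data.

```shell
#!/bin/sh
# Added example, not from the original Q&A: audit who signed each commit.

# Key ID GitHub uses for commits made through the web UI (from the answer above).
GITHUB_WEB_FLOW_KEY="4AEE18F83AFDEB23"

# Import GitHub's public signing key so git can verify web-flow commits locally.
# Needs network access, curl and gpg; the key is imported but not marked trusted,
# so good signatures show up with status U ("good, unknown validity"), not G.
import_github_key() {
    curl -fsSL https://github.com/web-flow.gpg | gpg --import
}

# One line per commit: "<status> <signing-key-id> <short-hash> <subject>".
# %G? status codes: G good, U good with unknown trust, B bad, X/Y expired,
# R revoked, E missing key (cannot check), N no signature.
git_signature_lines() {
    git log --format='%G? %GK %h %s' "$@"
}

# Read lines in that format on stdin; $1 is a space-separated allowlist of key IDs.
# Prints every commit that is unsigned/unverifiable or signed by a key not in the
# allowlist. Returns 0 if everything checked out, 1 if anything was flagged.
audit_signatures() {
    allow="$1"
    flagged=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        status=${line%% *}          # first field: %G? code
        rest=${line#* }
        key=${rest%% *}             # second field: %GK key ID (empty if unsigned)
        case "$status" in
            G|U) ;;                 # signature verified against an imported key
            *) printf 'UNVERIFIED(%s): %s\n' "$status" "$line"; flagged=1; continue ;;
        esac
        case " $allow " in
            *" $key "*) ;;          # signed by a key we expect (yours or GitHub's)
            *) printf 'UNEXPECTED KEY: %s\n' "$line"; flagged=1 ;;
        esac
    done
    return $flagged
}

# Typical use inside a repository (assumed key ID for your own key is a placeholder):
#   import_github_key
#   git_signature_lines -n 50 | audit_signatures "$GITHUB_WEB_FLOW_KEY <YOUR-KEY-ID>"
```

A commit produced by a web UI rebase will show up as `UNVERIFIED(N)`, matching the rule in the second answer that rebases are not re-signed; a commit signed by a key you never imported shows as `UNVERIFIED(E)`, and one signed by a key you did import but did not expect shows as `UNEXPECTED KEY`.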
