
This commit in my GitHub repo is signed by a key I don't recognize: https://github.com/jonathancross/jc-docs/pull/2/commits/124672699991af75dd2454831670758f08bc74ab

What is going on here?

Jonathan Cross

2 Answers


GitHub itself is signing commits made through the online editor using the key 0x4AEE18F83AFDEB23:

GitHub Screenshot: This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.

From: https://help.github.com/articles/about-gpg/

GitHub will automatically sign commits you make using the GitHub web interface. These commits will have a verified status on GitHub. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg

Jonathan Cross

To add to @Jonathan Cross's answer...

Signature rules

When will GitHub sign commits

  • GitHub will sign commits made using the web UI
  • GitHub will sign standard merges made using the web UI
  • GitHub will sign commits made by squashing to merge using the web UI

When will GitHub not sign commits

  • GitHub will not sign commits made by rebasing with the web UI

Why is a different key used than mine

This is because the web UI has no access to the private key, so it has to use its own key.

jrtapsell
  • Hi! Would you know why GitHub would not sign commits made by rebasing with the web UI? – Jayant Bhawal Sep 24 '18 at 10:07
  • I do not know, my guess would be that it does not re-sign the commits after rebasing them as an oversight, rather than anything deliberate – jrtapsell Sep 29 '18 at 22:30
  • Very likely, because rebasing is affecting commits of a different author, and this could otherwise be used to fake commits of other users to appear as signed – Flyingmana Oct 05 '18 at 14:25
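An added example (not from either answer or from GitHub's own tooling) that ties the two answers together: it reads the signature columns `git log` can print and labels each commit as signed by GitHub's web-UI key (the key id from the accepted answer), by a maintainer, unsigned (as the second answer says happens for web-UI rebases), or something needing attention. The maintainer key id and all sample log lines are constructed.

```python
# Added example: audit `git log` signature output against GitHub's web-flow key.
from typing import Dict

# Long key id GitHub signs web-UI commits with (taken from the accepted answer).
GITHUB_WEB_FLOW_KEY = "4AEE18F83AFDEB23"

# Hypothetical long key ids of this repository's maintainers.
MAINTAINER_KEYS = {"0123456789ABCDEF"}

# Constructed output of:  git log --format='%H%x09%G?%x09%GK%x09%GS'
# Columns: commit hash, gpg status (%G?), signing key id (%GK), signer (%GS).
# git's status letters: G good, U good but key not trusted locally, B bad,
# E signature present but cannot be checked (key not imported), N unsigned,
# X/Y/R expired signature / expired key / revoked key.
SAMPLE_LOG = """\
aaaa000000000000000000000000000000000001\tU\t4AEE18F83AFDEB23\tGitHub <noreply@github.com>
aaaa000000000000000000000000000000000002\tG\t0123456789ABCDEF\tMaintainer <m@example.com>
aaaa000000000000000000000000000000000003\tN\t\t
aaaa000000000000000000000000000000000004\tG\tFEEDFACECAFEBEEF\tUnknown <x@example.com>
aaaa000000000000000000000000000000000005\tB\t0123456789ABCDEF\tMaintainer <m@example.com>
aaaa000000000000000000000000000000000006\tE\t4AEE18F83AFDEB23\t
"""


def classify(status: str, key_id: str) -> str:
    """Map one commit's (%G?, %GK) pair to a label a reviewer can act on."""
    if status == "N":
        return "unsigned"            # e.g. a commit rebased through the web UI
    if status == "B":
        return "bad-signature"       # commit content changed after signing
    if status == "E":
        # Key missing from the local keyring. For GitHub's key, import
        # https://github.com/web-flow.gpg; a 'U' afterwards is expected
        # until you mark that key as trusted.
        return "key-not-imported"
    if status not in ("G", "U"):
        return "expired-or-revoked"  # X, Y or R
    if key_id == GITHUB_WEB_FLOW_KEY:
        return "web-ui"              # GitHub signed a web edit or web merge
    if key_id in MAINTAINER_KEYS:
        return "maintainer"
    return "unknown-key"             # valid signature, but from nobody we expect


def audit(log_text: str) -> Dict[str, str]:
    """Return {commit hash: label} for every line of the git log output."""
    verdicts = {}
    for line in log_text.splitlines():
        commit, status, key_id, _signer = line.split("\t", 3)
        verdicts[commit] = classify(status, key_id)
    return verdicts


if __name__ == "__main__":
    for commit, label in audit(SAMPLE_LOG).items():
        print(commit[:12], label)
```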