5

As identified in this related question, GitHub signs commits made from their application with their GPG key 4AEE18F83AFDEB23. Online, I can see commits tagged as 'verified'. But when I attempt to verify them on my local, I am unable to:

$ git log --show-signature

commit 1bd20e9f7ed0860dc1971957b61ea25aeea499a1
gpg: Signature made Tue  6 Feb 00:04:43 2018 AEDT
gpg:                using RSA key 4AEE18F83AFDEB23
gpg: Can't check signature: No public key
Merge: c1218d5 0dde09c
Author: Brendan Roy <br3ndanr@gmail.com>
Date:   Tue Feb 6 00:04:43 2018 +1100

    Merge pull request #1 from bmon/pullreq

    this is a test

1bd20e9 is a commit GitHub made on my behalf. How can I verify the commit was made by GitHub?

Brendan Roy
  • 153
  • 4

2 Answers

8

Instead of blindly accepting a GPG key from an answer here, I would do the "right" thing and get the public key from a reasonable source. GitHub hosts their web flow GPG public key at the following address:

https://github.com/web-flow.gpg

If you decide that you trust this source, and believe it to be a place where GitHub would logically provide its public GPG key, you can import it with the following command:

curl https://github.com/web-flow.gpg | gpg --import

GPG is all about trust, and understanding where the keys are coming from is a key part of understanding whether or not you trust a key. After importing this key, if you decide that you believe the key to be valid, and that it belongs to who it is said to belong to, you can sign the key, optionally publishing your signature to a public key server, acknowledging publicly that you trust that the key itself is valid.

taylorthurlow
  • 196
  • 2
  • 4
  • 1
    GitHub also has a [Help page](https://help.github.com/en/articles/about-commit-signature-verification) which explicitly mentions https://github.com/web-flow.gpg, eventually making it more trustworthy. – Murmel Sep 24 '19 at 11:25
2

You need to have a copy of the public GPG key installed in your GPG keychain for it to validate the signature.

curl 'https://sks-keyservers.net/pks/lookup?op=get&search=0x4AEE18F83AFDEB23' | gpg --import

or

gpg --keyserver hkp://pgp.mit.edu --search-keys 0x4AEE18F83AFDEB23

Jeff Ferland
  • 38,090
  • 9
  • 93
  • 171
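Both answers get the key imported; the remaining step is to check that the commit's signature actually comes from that key rather than from any key gpg happens to know. The following is an added example (not from the question or either answer): a POSIX shell function that reads the machine-readable status lines `git verify-commit --raw` writes to stderr and succeeds only when the GOODSIG and VALIDSIG lines name the key ID from the question. The sample status lines and the zero-padded fingerprint are constructed for the demo, not captured from a real run.

```shell
# Expected signer: the long key ID from the question. After importing
# web-flow.gpg, `gpg --fingerprint 4AEE18F83AFDEB23` shows the full fingerprint,
# which is the stronger value to pin if you record it.
EXPECTED_KEYID="4AEE18F83AFDEB23"

# verify_status reads gpg status lines from stdin. It succeeds only if there is
# a GOODSIG from the expected key, the VALIDSIG fingerprint ends in that key
# ID, and no BADSIG / ERRSIG / NO_PUBKEY line appears. A GOODSIG from some
# other key counts as a failure: "signed" is not "signed by GitHub".
verify_status() {
    expected="$1"
    good=0; fpr_ok=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG $expected "*) good=1 ;;
            "[GNUPG:] GOODSIG "*) bad=1 ;;      # valid signature, wrong key
            "[GNUPG:] VALIDSIG "*)              # $3 is the 40-hex fingerprint
                set -- $line
                case "$3" in *"$expected") fpr_ok=1 ;; esac ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*) bad=1 ;;
        esac
    done
    if [ "$good" -eq 1 ] && [ "$fpr_ok" -eq 1 ] && [ "$bad" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Real usage (commit hash from the question; --raw output goes to stderr):
#   git verify-commit --raw 1bd20e9 2>&1 | verify_status "$EXPECTED_KEYID"

# Constructed sample: the "No public key" case from the question, before import.
NO_PUBKEY_SAMPLE='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 4AEE18F83AFDEB23 1 10 00 1517835883 9
[GNUPG:] NO_PUBKEY 4AEE18F83AFDEB23'

# Constructed sample after import; fingerprint is a zero-padded placeholder.
GOOD_SAMPLE='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4AEE18F83AFDEB23 GitHub <noreply@github.com>
[GNUPG:] VALIDSIG 0000000000000000000000004AEE18F83AFDEB23 2018-02-05 1517835883 0 4 0 1 10 00'

# Constructed sample: a good signature, but from an unrelated key.
OTHER_KEY_SAMPLE='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.com>
[GNUPG:] VALIDSIG FEDCBA98765432100123456789ABCDEF01234567 2018-02-05 1517835883 0 4 0 1 10 00'

# Stand-alone demo: returns 0 only if all three samples are classified correctly.
demo() {
    printf '%s\n' "$GOOD_SAMPLE" | verify_status "$EXPECTED_KEYID" || return 1
    printf '%s\n' "$NO_PUBKEY_SAMPLE" | verify_status "$EXPECTED_KEYID" && return 1
    printf '%s\n' "$OTHER_KEY_SAMPLE" | verify_status "$EXPECTED_KEYID" && return 1
    echo "verify_status: only the expected key passes"
}
demo
```

Until you sign or otherwise trust the imported key, gpg will still print a "not certified with a trusted signature" warning alongside the good signature; that warning is about the web of trust, not about whether the key ID matches.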