2

I'm not sure I understand GPG, and something on GitHub has left me wondering.

In git, a GPG private key can then be used to sign commits, which allows someone who is in possession of the public key of the committer to verify the signature. If they know that the public key does indeed belong to the committer, then they can verify the commit authenticity.

By my understanding, the public key is public and it should be considered that anyone could have a copy of it.

In GitHub, it is possible to associate a public GPG key with an account by adding it through the settings, which will then display the commits as Verified, here's an example.

In addition, the GitHub API exposes the GPG keys, here's an example.

There is something I am confused about though. Since all GPG public keys are supposed to be public, wouldn't it mean that anyone in possession of my public key could associate it with their account even if they are not in possession of the private key, and therefore the Verified status does not provide authenticity?

Hay
  • 121
  • 3

2 Answers

1

Another individual could certainly associate your public key with their profile. They could also email it to people, upload it to a public key server etc.

But fortunately none of this matters, as they don’t have your private key. They can’t sign commits as you, so that verified status will not appear.

By design the public key is public, and there is no risk whilst you are adequately protecting the private part.

David
  • 714
  • 3
  • 11
  • I do not think that this answers the question. When I add the key to my profile, can't I claim your (valid) commits, so they are associated with my profile? I guess GitHub does some additional verification of the e-mail address associated with the key (I did not test it), but your answer only addresses whether someone can forge commits, not whether someone can claim commits by others. – allo May 06 '19 at 08:32
  • If you look through the documentation, they mention that the GPG key should be associated with an email address you have verified on your GitHub profile. You cannot claim my commits as valid because your account does not have my email address associated with it. – Vivelin May 06 '19 at 09:39
-1

In order for GitHub to show the Verified status the commit needs to be signed with the corresponding private key, so it doesn't matter if a malicious GitHub user associates your public key with their account since they will not be able to sign the commits.

You can create a signed commit with `git commit -S -m 'signed commit'`. This command will use your private GPG key to sign the commit. See here for more details.

el_tigro
  • 694
  • 8
  • 14
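The point both answers make, that a public key lets anyone verify a signature but only the private key can produce one, can be checked locally. The script below is an added example, not code from the question or either answer: it generates a throwaway key for a constructed "Alice" identity, makes a signed commit as the second answer shows, then imports only the public key into a second keyring (playing the role of someone who grabbed the key from the GitHub API) and tries to sign as Alice from there. It assumes `gpg` (2.1 or newer) and `git` are installed; all names, addresses and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original question or answers: a GPG public key
# is enough to verify a signed commit but not to produce one.
# Assumes gpg >= 2.1 and git; identities and paths are constructed for the demo.
set -eu

gpg_signing_demo() {
  work=$(mktemp -d)
  repo="git -C $work/repo"

  # Alice's keyring holds both halves of the key pair (no passphrase, for batch use).
  export GNUPGHOME="$work/alice"
  mkdir -m 700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Alice <alice@example.org>' ed25519 sign never 2>/dev/null
  fpr=$(gpg --batch --with-colons --list-keys alice@example.org | awk -F: '$1=="fpr"{print $10; exit}')

  # Alice signs a commit with her private key and verifies it (this is what GitHub checks).
  git init -q "$work/repo"
  $repo config user.name Alice
  $repo config user.email alice@example.org
  $repo config user.signingkey "$fpr"
  $repo commit -q --allow-empty -S -m 'signed commit' 2>/dev/null
  if $repo verify-commit HEAD 2>/dev/null; then echo alice_verify=ok; else echo alice_verify=failed; fi

  # Mallory's keyring holds only Alice's *public* key, as anyone could after fetching it.
  gpg --batch --export --armor "$fpr" > "$work/alice.pub"
  export GNUPGHOME="$work/mallory"
  mkdir -m 700 "$GNUPGHOME"
  gpg --batch --quiet --import "$work/alice.pub" 2>/dev/null

  # Verification still works: that is exactly what a public key is for.
  if $repo verify-commit HEAD 2>/dev/null; then echo mallory_verify=ok; else echo mallory_verify=failed; fi

  # Signing as Alice does not: there is no secret key for this fingerprint,
  # so git refuses to create the commit and no "Verified" badge could ever result.
  if $repo -c user.email=mallory@example.org commit -q --allow-empty -S -m 'forged' 2>/dev/null; then
    echo mallory_sign=ok
  else
    echo mallory_sign=failed
  fi

  # Stop the agents started for the throwaway keyrings and remove the scratch directory.
  for d in alice mallory; do GNUPGHOME="$work/$d" gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$work"
}

gpg_signing_demo
```

The expected output is `alice_verify=ok`, `mallory_verify=ok`, `mallory_sign=failed`; the middle line is the unknown-key verification the question worries about, and the last line is why it is harmless.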