What is GitHub's public GPG key?
If you make an edit through GitHub's website, or merge a pull request, then the resulting commits are automatically signed with GitHub's GPG key. It looks like this:
I would like to have the full public key so that I can add it as a trusted key on my system. What is GitHub's public GPG key?
Solution
GitHub sets the committer for all commits made using their web interface to the user web-flow.
For any given GitHub account, you can add .gpg to its URL to get its public key—so for web-flow, you can find it at https://github.com/web-flow.gpg:
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsBNBFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQta
x15OklctmrZtqre5kwPUosG3/B2/ikuPYElcHgGPL4uL5Em6S5C/oozfkYzhwRrT
SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ
7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa
buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v
yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAHNNUdpdEh1YiAod2ViLWZs
b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+wsBiBBMBCAAW
BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEIACATWFmi2oxlBh3wAsySNCNV4IPf
DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6
9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws
+8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5
4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O
j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48=
=HXDP
-----END PGP PUBLIC KEY BLOCK-----
You can then import and trust that public key.
As shown in this thread:
$ curl https://github.com/web-flow.gpg | gpg --import
$ gpg --edit-key noreply@github.com
gpg> trust
gpg> save
$ gpg --lsign-key noreply@github.com
- GH-Action green (success) but doesn't push changes
- Log in to GitHub from the command line with multiple accounts
- Pycharm -- how can I push a local project to a remote organization repo?
- Git Clone - Repository not found
- Switched branch without commiting changes, what do I do now?
- GitHub Markdown Warning and Note all on one line
- java json schema validation relative path not working (URI not found)
- How can I test what my readme.md file will look like before committing to GitHub?
- What happens to a git submodule when its referenced repo is deleted?
- Remove a file from a Git Pull Request
- Rewriting URL request function to satisfy GitHub CodeQL server side request forgery (SSRF) warning
- all github action jobs are queued and never running
- How can I find the repository that has GitHub Pages enabled and is on a given domain?
- Error 400: Request contains an invalid argument while creating google_cloudbuild_trigger resource in Terraform from github source
- How to get count of pull requests made by a user on any repo belonging to an organization?
- gpg failed to sign the data fatal: failed to write commit object [Git 2.10.0]
- FetchContent access to private Git repository
- Remote anonymous access to repository denied?
- GitHub: How to do case sensitive search for the code in repository?
- View or Test README files *md in a browser prior to pushing to an online repository for rendering
- Quick access to 'invited' or 'watched' repository
- Github pages Jekyll theme "Minima" navigation not showing
- Global and environment secrets/variables
- ssh command -T option
- How to clone git repository from its zip
- Running actions in another directory
- How to determine the user that forked a repo into my organization?
- Untracking C drive in git
- How to filter and fetch GitHub repositories by topics
- Making a Git project open source when you have secret keys