Unverified GPG signature committed by GitHub, why?
I was working on a C++ project in CLion. I came across a Git Log message:
My question:
When I make changes on a repository directly from GitHub, why does it say
Unverified GPG signaturein the Git Log despite having a Verified mark on GitHub?
Edit 1: I have verified and ultimately trusted public and private GPG keys on my machine as well as on GitHub:
rohan@Genesis:~$ gpg --list-keys
/home/rohan/.gnupg/pubring.kbx
------------------------------
pub rsa3072 2021-07-10 [SC]
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
uid [ultimate] Rohan Bari (Rohan Bari's GPG key created on Tesla's birthday.) <rohanbari4@gmail.com>
sub rsa3072 2021-07-10 [E]
From a quick reading, to me it seems that to verify the commit locally (like in your git UI picture) you need the public key of the pair that has signed the commit. Since it was signed by Github's key (when clicking on the "Verified" you get a pop-up with This commit was created on GitHub.com and signed with GitHub's verified signature. or something similar) and not yours, thus you cannot verify it since you do not have the public key installed.
You can see the same issue when another user wanted to try to verify other people's commits in Github: How to locally verify signed commits by other people?
The Github status refers to Github's ability to determine the signature from configured keys https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits
By default commits and tags are marked "Verified" if they are signed with a GPG, SSH, or S/MIME key that was successfully verified.
As @JoachimSauer already proposed, you should add Github's key to be able to verify the commits https://stackoverflow.com/a/60482908/18973005
- Block a git branch from being pushed
- git merge: how did I get a conflict in BASE file?
- Git diff to show only lines that have been modified
- Detach (move) subdirectory into separate Git repository
- How can I view the Git history in Visual Studio Code?
- local cache for a github repository?
- Can "git pull --all" update all my local branches?
- Git add and commit in one command
- Go to a particular revision
- gpg failed to sign the data fatal: failed to write commit object [Git 2.10.0]
- How to make GitHub desktop use ssh by default?
- Can I specify multiple users for myself in .gitconfig?
- can't add all files to git due to permissions
- git diff renamed file
- git lfs "objects" taking a lot of disk space
- When applying a patch is there any way to resolve conflicts?
- rejected master -> master (non-fast-forward)
- Incorrect Git user name and email on Windows
- What is the HEAD in git?
- fatal: unable to access ".....": gnutls_handshake() failed: Handshake failed
- How to store GitHub wiki as part of source
- How to branch from a previous commit
- Clone a repository from GitHub Enterprise with go-git
- Git Bash is extremely slow on Windows 7 x64
- Predict git commit id and commit a file which contains that commit id
- How to search for a string across all staged files and unstaged changes in Git?
- How can I cherry-pick only changes to certain files?
- Git - Pushing code to two remotes
- Filename too long in Git for Windows
- How do I tell Git to ignore everything except a subdirectory?