How can I verify signed commits made by other people?

Instead of blindly accepting a GPG key from an answer here, I would do the "right" thing and get the public key from a reasonable source. GitHub hosts their web flow GPG public key at the following address:

https://github.com/web-flow.gpg

If you decide that you trust this source, and believe it to be a place where GitHub would logically provide its public GPG key, you can import it with the following command:

curl https://github.com/web-flow.gpg | gpg --import

GPG is all about trust, and understanding where the keys are coming from is a key part of understanding whether or not you trust a key. After importing this key, if you decide that you believe the key to be valid, and that it belongs to who it is said to belong to, you can sign the key, optionally publishing your signature to a public key server, acknowledging publicly that you trust that the key itself is valid.


You need to have a copy of the public GPG key installed in your GPG keychain for it to validate the signature.

curl 'https://sks-keyservers.net/pks/lookup?op=get&search=0x4AEE18F83AFDEB23' | gpg --import

or

gpg --keyserver hkp://pgp.mit.edu --search-keys 0x4AEE18F83AFDEB23
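Both answers above stop at importing the key; the step that actually answers the question is running the verification and reading what gpg says about it. The script below is an added example, not code from either answer. It classifies the machine-readable status lines that `git verify-commit --raw` prints into one verdict, so that a "good signature from a key you have not certified" is not mistaken for a trusted one. The function names (`classify_status`, `verify_commit`, `certify_key_locally`, `classify_sample`), the verdict names, the sample status lines and the fingerprint placeholder are this example's own assumptions; the key id 4AEE18F83AFDEB23 is the one quoted in the answers.

```shell
#!/bin/sh
# Added example: turn gpg's status lines (as printed on stderr by
# `git verify-commit --raw`) into a single verdict.  Function and verdict
# names are this example's own, not git's or gpg's.
#
#   GOOD_TRUSTED    valid signature AND you have certified the key
#                   (gpg reports TRUST_FULLY or TRUST_ULTIMATE)
#   GOOD_UNTRUSTED  valid signature, but you have not certified the key,
#                   so gpg can only say "whoever holds this key signed it"
#   BAD             signature broken, or made with an expired/revoked key
#   NO_KEY          signing key is not in your keyring (import it first)
#   NONE            the commit carries no signature at all
classify_status() {
    sig=NONE
    trust=UNTRUSTED
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)
                if [ "$sig" = NONE ]; then sig=GOOD; fi ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                sig=BAD ;;
            "[GNUPG:] NO_PUBKEY "*)
                if [ "$sig" != BAD ]; then sig=NO_KEY; fi ;;
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*)
                trust=TRUSTED ;;
        esac
    done
    if [ "$sig" = GOOD ]; then
        echo "GOOD_$trust"
    else
        echo "$sig"
    fi
}

# Verify one commit.  --raw sends the status lines to stderr, so swap them
# onto stdout and discard anything written to stdout.
verify_commit() {
    git verify-commit --raw "$1" 2>&1 >/dev/null | classify_status
}

# Once you have decided the key really belongs to its owner, certify it
# locally (a non-exportable signature) so later verifications report
# GOOD_TRUSTED.  Takes the full fingerprint shown by `gpg --fingerprint`;
# the value below is a placeholder, not the real fingerprint.
certify_key_locally() {
    gpg --quick-lsign-key "${1:-FINGERPRINT_OF_IMPORTED_KEY_GOES_HERE}"
}

# Constructed sample (not captured from a real run) of what gpg emits for a
# good signature by a key that was imported but never certified, which is
# the usual first-time result after the import commands in the answers.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4AEE18F83AFDEB23 GitHub (web-flow commit signing) <noreply@github.com>
[GNUPG:] TRUST_UNDEFINED 0 pgp'

classify_sample() {
    printf '%s\n' "$SAMPLE_STATUS" | classify_status
}

# Usage inside a git checkout:  sh verify-commit.sh <commit-ish>
if [ $# -gt 0 ]; then
    verify_commit "$1"
fi
```

The distinction the script draws is the one the first answer is getting at: `git log --show-signature` prints "Good signature" for any key in your keyring, followed by a warning that the key is not certified. Only after you certify the key (locally with `gpg --lsign-key`, or exportably with `gpg --sign-key` if you intend to publish that certification) does gpg report full validity, and only then does "good signature" also mean "from who it claims to be".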