Who owns the GPG key 4AEE18F83AFDEB23 and how did it sign a commit in my GitHub repo?

GitHub itself is signing commits made through the online editor using the key 0x4AEE18F83AFDEB23:

GitHub Screenshot: This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.

From: https://help.github.com/articles/about-gpg/

GitHub will automatically sign commits you make using the GitHub web interface. These commits will have a verified status on GitHub. You can verify the signature locally using the public key available at https://github.com/web-flow.gpg


To add to @Jonathan Cross's answer...

Signature rules

When will GitHub sign commits

  • GitHub will sign commits made using the web UI
  • GitHub will sign standard merges made using the web UI
  • GitHub will sign commits made by squashing to merge using the web UI

When will GitHub not sign commits

  • GitHub will not sign commits made by rebasing with the web UI

Why is a different key used than mine

This is because the web UI has no access to the private key, so it has to use its own key.
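
To see locally which commits in a clone carry GitHub's signature rather than your own, as the two answers above describe, this added example (not part of either answer) classifies the output of `git log --format='%H %G? %GK'`. The function names, verdict labels and sample lines are constructed for illustration; the key ID is the one from the question.

```shell
#!/bin/sh
# Import GitHub's public key first, otherwise git reports status E
# (signature cannot be checked) for web UI commits:
#   curl -s https://github.com/web-flow.gpg | gpg --import
GITHUB_WEB_FLOW_KEY="4AEE18F83AFDEB23"   # key ID from the question

# Reads "<commit> <%G? status> <%GK key id>" lines on stdin, as printed by
#   git log --format='%H %G? %GK'
# and prints "<commit> <signer> <verdict>" for each commit.
classify_commits() {
    while read -r commit status key; do
        [ -n "$commit" ] || continue
        # Who signed: compare the trailing hex digits of the reported key ID.
        case "$key" in
            *"$GITHUB_WEB_FLOW_KEY") signer="github-web-flow" ;;
            "")                      signer="none" ;;
            *)                       signer="other-key" ;;
        esac
        # What gpg concluded (git's %G? status letters).
        case "$status" in
            G|U)   verdict="good" ;;                # U: good, key validity unknown
            B)     verdict="bad" ;;
            E)     verdict="cannot-check" ;;        # e.g. public key not imported
            X|Y|R) verdict="expired-or-revoked" ;;
            N)     verdict="unsigned" ;;
            *)     verdict="unknown-status" ;;
        esac
        printf '%s %s %s\n' "$commit" "$signer" "$verdict"
    done
}

# Constructed sample input (not real commits): a web UI edit, a local commit
# signed with a personal key, a web UI rebase, and a web UI merge inspected
# before GitHub's key was imported.
sample_log() {
    cat <<'EOF'
a1b2c3d G 4AEE18F83AFDEB23
b2c3d4e U 1111222233334444
c3d4e5f N
d4e5f6a E 4AEE18F83AFDEB23
EOF
}

sample_log | classify_commits
```

A `github-web-flow` signer only means something together with a `good` verdict; on a real repository, replace `sample_log` with the `git log` command from the comment.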