top | item 28437967

(no title)

Felk | 4 years ago

Yes. Here's an excerpt from their documentation on <https://docs.github.com/en/github/authenticating-to-github/m...>:

> GitHub will automatically use GPG to sign commits you make using the GitHub web interface

discuss

ruuda|4 years ago

It’s even worse, if somebody rebase-merges a pull request that you authored (thereby creating a new commit that you did not author), GitHub will show you as the author (without a separate committer, like it normally does when author and committer differ), and put “verified” next to it, which usually means that they verified that it was signed by your GPG key, but in this case, it means that the commit was created by GitHub.

https://twitter.com/vmulps/status/1386717970458677250

chrisseaton|4 years ago

Says it signs the commit with its own key. I guess you have to trust GitHub.

Felk|4 years ago

Well, yes. The question was whether you can sign _on GitHub_, so your private key has to be available to GitHub. You can always sign locally if you don't trust GitHub.

drexlspivey|4 years ago

What else would they be signing with? They don’t have your key obviously