nautilus-cyberneering / secure-git-guide

A collection of articles about Git, GitHub and GPG focused on security.
https://secure-git.guide

New content: import GitHub dependabot public key #13

Closed josecelano closed 2 years ago

josecelano commented 2 years ago

GitHub dependabot uses this GPG public key to sign commits:

gpg: Signature made jue 03 feb 2022 13:40:17 WET
gpg:                using RSA key 4AEE18F83AFDEB23
gpg: Can't check signature: No public key
Author:     dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AuthorDate: Thu Feb 3 13:40:17 2022 +0000
Commit:     GitHub <noreply@github.com>
CommitDate: Thu Feb 3 13:40:17 2022 +0000

If you do not import the public key in your local keyring you will see the message:

gpg: Signature made jue 03 feb 2022 13:40:17 WET
gpg:                using RSA key 4AEE18F83AFDEB23
gpg: Can't check signature: No public key

You can import it with:

curl https://github.com/web-flow.gpg | gpg --import
gpg -k 4AEE18F83AFDEB23

And you will see:

commit 8d3203a9c270ed8939de92c721973c7d2c29cdfc
gpg: Signature made jue 03 feb 2022 13:40:17 WET
gpg:                using RSA key 4AEE18F83AFDEB23
gpg: Good signature from "GitHub (web-flow commit signing) <noreply@github.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5DE3 E050 9C47 EA3C F04A  42D3 4AEE 18F8 3AFD EB23
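The procedure in the issue above (import the key from https://github.com/web-flow.gpg, then re-check the signature) works, but `curl ... | gpg --import` trusts whatever the URL returns. The following script is an added example, not code from the secure-git-guide repository or from the issue author: it parses `git log --show-signature` output for keys gpg reports as missing, downloads the web-flow key into a throwaway GnuPG home, compares its primary fingerprint with the one quoted in the issue (`5DE3 E050 ... EB23`), and only imports it into the real keyring when they match. The function names, the `SECURE_GIT_IMPORT` environment variable and the two sample inputs are assumptions made for this example; the sample `pub:` record in particular is constructed and not a real listing of the key.

```shell
#!/bin/sh
# Added example, not part of the secure-git-guide repository: import the GitHub
# web-flow key pinned to the fingerprint quoted in the issue, instead of
# trusting whatever https://github.com/web-flow.gpg happens to return.

# Fingerprint copied from the "Primary key fingerprint:" line in the issue.
WEB_FLOW_FPR="5DE3 E050 9C47 EA3C F04A  42D3 4AEE 18F8 3AFD EB23"
WEB_FLOW_KEY_URL="https://github.com/web-flow.gpg"

# Normalise a fingerprint for comparison: drop spaces, upper-case the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read "git log --show-signature" output on stdin and print the long key IDs
# that gpg reported as missing ("Can't check signature: No public key").
missing_key_ids() {
    awk '
        /^gpg: +using RSA key/                               { key = $NF }
        /Can.t check signature: No public key/ && key != "" { print key; key = "" }
    ' | sort -u
}

# Read "gpg --with-colons --fingerprint" output on stdin and print the first
# primary key fingerprint (field 10 of the "fpr" record).
primary_fingerprint() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Work inside a temporary GnuPG home so nothing reaches the real keyring until
# the fingerprint has been checked against the pinned value.
_import_pinned_key_in() {
    tmp="$1"; url="$2"; expected="$(normalize_fpr "$3")"
    chmod 700 "$tmp"
    curl -fsSL "$url" -o "$tmp/key.asc" || return 1
    gpg --homedir "$tmp" --batch --quiet --import "$tmp/key.asc" 2>/dev/null || return 1
    actual="$(gpg --homedir "$tmp" --batch --with-colons --fingerprint | primary_fingerprint)"
    if [ "$(normalize_fpr "$actual")" != "$expected" ]; then
        echo "fingerprint mismatch: got '$actual', expected '$expected'; not importing" >&2
        return 1
    fi
    # Fingerprint matches the pinned value: import into the real keyring.
    gpg --batch --quiet --import "$tmp/key.asc"
}

import_pinned_key() {
    tmp="$(mktemp -d)" || return 1
    _import_pinned_key_in "$tmp" "$1" "$2"; status=$?
    rm -rf "$tmp"
    return $status
}

# Constructed sample of "git log --show-signature" output, modelled on the
# lines quoted in the issue, so the parser can be exercised offline.
sample_signature_log() {
    cat <<'EOF'
commit 8d3203a9c270ed8939de92c721973c7d2c29cdfc
gpg: Signature made jue 03 feb 2022 13:40:17 WET
gpg:                using RSA key 4AEE18F83AFDEB23
gpg: Can't check signature: No public key
Author:     dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
EOF
}

# Constructed sample of "gpg --with-colons --fingerprint" output (the pub
# record is made up; only the fpr record carries the value being checked).
sample_colons_listing() {
    cat <<'EOF'
pub:-:2048:1:4AEE18F83AFDEB23:1500000000:::-:::scESC::::::23::0:
fpr:::::::::5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23:
EOF
}

# Real run: find keys missing for the given range, import the web-flow key
# when it is the one reported, then show the signatures again as in the issue.
main() {
    range="${1:-HEAD~10..HEAD}"
    for keyid in $(git log --show-signature "$range" 2>&1 | missing_key_ids); do
        case "$(normalize_fpr "$WEB_FLOW_FPR")" in
            *"$keyid") import_pinned_key "$WEB_FLOW_KEY_URL" "$WEB_FLOW_FPR" ;;
            *) echo "missing key $keyid is not the web-flow key; import it from a source you can verify" >&2 ;;
        esac
    done
    git log --show-signature "$range"
}

# The network and keyring steps only run when asked for explicitly.
if [ "${SECURE_GIT_IMPORT:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as `SECURE_GIT_IMPORT=1 sh import-web-flow-key.sh HEAD~10..HEAD` inside the repository. After a successful import gpg still prints the "This key is not certified with a trusted signature" warning seen in the issue, because the key is in the keyring but has no trust path; once you have checked the fingerprint yourself you can record that with `gpg --lsign-key 4AEE18F83AFDEB23`, after which `git verify-commit <sha>` reports the signature without the warning.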