Github improperly rotated away from hosted GPG signing key to 968479A1AFF927E37D1A566BB5690EEEBB952194

[PastaPastaPasta]

Hello!

I recently was looking at my git log, and saw commits that were not signed by a trusted key. This new key I haven't seen before has the fingerprint of 968479A1AFF927E37D1A566BB5690EEEBB952194

I figured out that I could find this key at https://github.com/web-flow.gpg how ever, there is no indication that this key is valid.

The previous key used by GitHub for signing was

pub   rsa2048 2017-08-16 [SC] [expired: 2024-01-16]
      5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23
uid           [ expired] GitHub (web-flow commit signing) <noreply@github.com>

As we can see it's now expired. However, when we look at this new key, it has not been signed by anything or anyone else!

> $ gpg --list-signatures 968479A1AFF927E37D1A566BB5690EEEBB952194                                                                  [±develop ●]
pub   rsa4096 2024-01-16 [SC]
      968479A1AFF927E37D1A566BB5690EEEBB952194
uid           [ unknown] GitHub <noreply@github.com>
sig 3        B5690EEEBB952194 2024-01-16  [self-signature]

Additionally; this key was not uploaded to any key servers when it was rotated see

https://keyserver.ubuntu.com/pks/lookup?search=968479A1AFF927E37D1A566BB5690EEEBB952194&fingerprint=on&op=index
https://keys.openpgp.org/search?q=968479A1AFF927E37D1A566BB5690EEEBB952194
https://pgp.mit.edu/pks/lookup?search=968479A1AFF927E37D1A566BB5690EEEBB952194&op=index

I am requesting that this new GPG key with the fingerprint 968479A1AFF927E37D1A566BB5690EEEBB952194 be signed with the previously used key 5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23

Please see https://danielpecos.com/2019/03/30/how-to-rotate-your-openpgp-gnupg-keys/ for more information on rotating GPG keys

As it is currently; it's not possible to users to really trust this new key; as it has not been signed by anything and there's no indication that it's valid besides the fact that it's hosted at https://github.com/web-flow.gpg

Please help resolve this. Let me know if any additional information is needed!

[samus-aran]

Welcome to the GitHub Community, @PastaPastaPasta , we're happy you're here! You are more likely to get a useful response if you are posting your question(s) in the applicable category and are explicit about what your project entails--giving a few more details might help someone give you a nudge in the right direction. I've gone ahead and moved it for you. Good luck!

[Flasher666666]

Guys how can i ask my question ????

[samus-aran]

Hi @Flasher666666 👋

We’re happy you’re here but let’s not divert this discussion as this conversation is off-topic. Please open up a separate discussion so that we can look at your query there. 👍

[Flasher666666]

I am sorry bro I am new... that's why I asked

[FranciscoPombal]

I messaged GitHub support about this, apparently this change was announced here: https://github.blog/2024-01-16-rotating-credentials-for-github-com-and-new-ghes-patches/

[forivall]

With the gh cli, you can download all of the web-flow user's gpg keys with the following shell snippet:

for k in $(gh api "users/web-flow/gpg_keys" --jq '.[]|@base64'); do
  echo $k | jq -Rr '@base64d|fromjson|.raw_key' > "web-flow-$(echo $k | jq -Rr '@base64d|fromjson|.key_id').gpg"
done