Playing with the GitHub user API (gpg_keys)

GitHub provides a GPG keys API for developers, now that it has implemented general GPG verification support for repositories.

At first glance it seems very cool, until you try to play with it :) The biggest problem is that they do not provide any description of the keys API. I thought it returned the usual public keys I export via the web interface. But it does not.

So, what is it, and how do you verify data with the keys the API returns?

The purpose of those keys is to provide the key ID chunk of the packet and the hex-encoded key ID (plaintext).

For instance, here is the chunk of the public key I export into my profile:

:public key packet:
version 4, algo 1, created 1477424536, expires 0
pkey[0]: [2048 bits]
pkey[1]: [17 bits]
keyid: E8CE83DCDAB1509B

The GitHub API will provide that key ID:

....
"primary_key_id": null,
"key_id": "E8CE83DCDAB1509B",
"public_key": "xsB.....=",
"emails": [
....

OK, I got the rules. Let's verify the data for our messenger. The messenger receives a usual GPG message signed by the user.

Returns keyId of the message.

Then we take the message text.

Returns String of the message text.

Cool! Now we can compare the messageKey with the keyId received from GitHub. If the message is verified, it will be displayed in the web client with its own cool UTF-8 check mark.

Verified user message.
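
An added example, not code from the original post: a minimal Python parser that pulls the issuer key ID out of a v4 OpenPGP signature packet and looks it up among the `key_id` values returned by the gpg_keys API. The function names and the sample packet are assumptions constructed for illustration; a key ID match only selects a candidate key, and the signature must still be checked cryptographically against that entry's `public_key`.

```python
def packet_body(pkt):
    """Return (tag, body) of the first OpenPGP packet (RFC 4880, section 4.2)."""
    hdr = pkt[0]
    if hdr & 0x40:                            # new-format header
        tag, first = hdr & 0x3F, pkt[1]
        if first >= 224:
            raise ValueError("five-octet and partial lengths not handled here")
        start = 2 if first < 192 else 3
        length = first if first < 192 else ((first - 192) << 8) + pkt[2] + 192
    else:                                     # old-format header
        tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
        if n == 8:
            raise ValueError("indeterminate length not handled here")
        start, length = 1 + n, int.from_bytes(pkt[1:1 + n], "big")
    if start + length > len(pkt):
        raise ValueError("truncated packet")
    return tag, pkt[start:start + length]

def issuer_key_id(sig_packet):
    """Hex key ID from the issuer subpacket (type 16) of a v4 signature, or None."""
    tag, body = packet_body(sig_packet)
    if tag != 2 or body[:1] != b"\x04":
        raise ValueError("expected a v4 signature packet")
    pos = 4                                   # version, sig type, pk algo, hash algo
    for _ in range(2):                        # hashed area, then unhashed area
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        if end > len(body):
            raise ValueError("truncated signature")
        pos += 2
        while pos < end:
            length = body[pos]                # one-octet subpacket lengths only
            if not 0 < length < 192 or pos + 1 + length > end:
                raise ValueError("unsupported or malformed subpacket")
            if body[pos + 1] & 0x7F == 16 and length == 9:
                return body[pos + 2:pos + 10].hex().upper()
            pos += 1 + length
    return None

def find_github_key(sig_packet, api_keys):
    """Lookup only: the signature must still be verified with the entry's public_key."""
    kid = issuer_key_id(sig_packet)
    return next((k for k in api_keys if k["key_id"].upper() == kid), None)

# Constructed sample, not a valid signature: issuer subpacket in the unhashed area.
SAMPLE_BODY = bytes.fromhex("04000108" "0006" "0502580fb598" "000a"
                            "0910e8ce83dcdab1509b" "abcd" "0008ff")
SAMPLE_SIG = bytes([0xC2, len(SAMPLE_BODY)]) + SAMPLE_BODY   # new-format header, tag 2
SAMPLE_API = [{"key_id": "E8CE83DCDAB1509B"}]                # field name as in the post
```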