Tools to strengthen trust in GitHub's commit signature verification by cross-checking signing keys against the Sigstore Rekor transparency log.
GitHub displays a green Verified badge on commits signed with a GPG key, but this guarantee is limited: it only means GitHub could match the signature against a key registered in the signer's account at verification time. It does not prove:
- the key was publicly known before the commit was made (no backdating protection)
- the key has an independent, tamper-evident record of existence outside GitHub
Sigstore Rekor is an append-only, tamper-evident transparency log (analogous to Certificate Transparency for TLS certificates). Publishing a key to Rekor creates a permanent, timestamped, publicly auditable record that the key existed at a specific moment. Verifying that a commit's signing key appears in Rekor provides a stronger, GitHub-independent assurance of commit provenance.
`push_key_to_rekor.py` timestamps a public key in the Rekor log. It supports RSA/EC keys from a PEM private-key file and GPG Ed25519 keys via the [A] authentication subkey and gpg-agent.
```shell
# RSA or EC key from a PEM private key file
python3 push_key_to_rekor.py mykey.pem

# GPG Ed25519 key by fingerprint, key ID, or email
python3 push_key_to_rekor.py --gpg 7DB52BE852B47C0F2943C9405DE7D3DA459CD2E6
python3 push_key_to_rekor.py --gpg alice@example.com
```
After a successful push, the entry is permanently visible at https://search.sigstore.dev/.
GPG prerequisites — the GPG key must have an Ed25519 [A] (authentication) subkey:
```shell
gpg --quick-add-key <FINGERPRINT> ed25519 auth

# Note the [A] keygrip, then register it with gpg-agent
gpg --with-keygrip --list-keys <FINGERPRINT>
echo <KEYGRIP> >> ~/.gnupg/sshcontrol
echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf
gpg-connect-agent reloadagent /bye
```

`verify-key-on-rekor.py`: given a GitHub commit URL, verifies that:
- GitHub considers the commit signature valid, and
- the signing key appears in the Rekor transparency log.
```shell
python3 verify-key-on-rekor.py <github-commit-url>
```
Accepts both commit and pull-request diff URLs:
```shell
python3 verify-key-on-rekor.py https://github.com/owner/repo/commit/abc123
python3 verify-key-on-rekor.py https://github.com/owner/repo/pull/18/changes/abc123
```
Example output:
```text
=== Commit: 4open-science/aicid-net@c3eeef78d674106774c44c4b7470ea367d228259 ===
GitHub verification: True (valid)
Key ID: 5DE7D3DA459CD2E6
Fingerprint: 7DB52BE852B47C0F2943C9405DE7D3DA459CD2E6
Algorithm: 22 (Ed25519)
=== Fetching public key from keyserver ===
SSH public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcDijy76qx5dVXJosZrF7OcEAOVqt50mH/e2x658DSJ
=== Searching Rekor (pki-format x509) ===
LogIndex: 1417247398
Timestamp: 2026-05-01 05:56:28+00:00
UUID: 108e9186e8c5677a...
Sig format: x509
Data SHA256: e96d636fd0657f08...
RESULT: Key IS present in Rekor transparency log.
```
Exit code is 0 if the key is found, 1 otherwise.
```shell
pip install cryptography requests

# System tools
sudo apt install gpg rekor-cli   # Debian/Ubuntu
gh auth login                    # GitHub CLI
```

rekor-cli can also be installed from https://github.com/sigstore/rekor/releases.
- push: derives the public key from a private key or GPG auth subkey, self-signs the public-key bytes, and posts a `hashedrekord`/`rekord` entry to Rekor via its REST API.
- verify: fetches the commit's PGP signature via the GitHub API, extracts the key ID with `gpg --list-packets`, retrieves the public key from a keyserver, converts it to SPKI/PEM format (required by Rekor's `x509` indexing), and calls `rekor-cli search`.
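The two helpers below are an added illustration, not code from this repository: they mirror the URL handling and the SSH-to-SPKI conversion step of the verify tool using only the standard library. The function names and the URL regex are my own; the sample key line is the one from the example output above.

```python
import base64
import re
import struct

# Both URL forms the tool accepts: .../commit/<sha> and .../pull/<n>/changes/<sha>
_URL_RE = re.compile(
    r"^https://github\.com/(?P<owner>[^/]+)/(?P<repo>[^/]+)/"
    r"(?:commit|pull/\d+/changes)/(?P<sha>[0-9a-f]{4,40})/?$"
)

# Fixed DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits) + 32 key bytes }
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

# Key line copied from the example output above (not a constructed value).
SAMPLE_SSH_KEY = ("ssh-ed25519 "
                  "AAAAC3NzaC1lZDI1NTE5AAAAIMcDijy76qx5dVXJosZrF7OcEAOVqt50mH/e2x658DSJ")


def parse_commit_url(url: str) -> tuple[str, str, str]:
    """Return (owner, repo, sha) from a commit URL or a pull-request diff URL."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(f"unsupported GitHub URL: {url}")
    return m.group("owner"), m.group("repo"), m.group("sha")


def ssh_ed25519_to_raw(ssh_line: str) -> bytes:
    """Extract the 32 raw key bytes from an 'ssh-ed25519 AAAA...' line."""
    parts = ssh_line.split()
    if len(parts) < 2 or parts[0] != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 public key line")
    blob = base64.b64decode(parts[1])
    # SSH wire format: two length-prefixed strings, the key type then the key.
    (tlen,) = struct.unpack(">I", blob[:4])
    ktype, rest = blob[4:4 + tlen], blob[4 + tlen:]
    (klen,) = struct.unpack(">I", rest[:4])
    raw = rest[4:4 + klen]
    if ktype != b"ssh-ed25519" or klen != 32 or len(raw) != 32:
        raise ValueError("malformed ssh-ed25519 key blob")
    return raw


def ssh_ed25519_to_spki_pem(ssh_line: str) -> str:
    """Wrap the raw key in SPKI DER and PEM-encode it (64-char body lines)."""
    der = _ED25519_SPKI_PREFIX + ssh_ed25519_to_raw(ssh_line)
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"
```

The resulting PEM is what `rekor-cli search --pki-format x509 --public-key <file>` takes; the `cryptography` package listed in the requirements can produce the identical SPKI bytes via `Ed25519PublicKey.from_public_bytes(...).public_bytes(...)`.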
License: MIT