Commit signing in 2023 is kinda wack (lobi.to)
Here is an example from Sentry's master, where, other than bot-triggered reverts, all commits are verified: https://github.com/getsentry/sentry/commits/master/
Generate a long-lived root keypair (SC/C), the public key of which you add to the forge. You never sign directly with this. Instead, you routinely generate new signing pairs. If compromised, you hopefully only need to revoke the subkey, so the blast radius is a lot smaller.
You could even do a three-tier one where you can keep the root key dead cold and literally lock it into a vault.
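The layout described in the two comments above (certify-only root, separate signing subkey, root kept offline), as an added shell example that is not code from the thread. It assumes GnuPG 2.1 or later; the user id, the one-year expiry, the file names and the empty passphrase are placeholders for demonstration, and the "sec#" stub check relies on gpg's key-listing format.

```shell
#!/bin/sh
# Two-tier GPG key layout for commit signing: a certify-only root key that
# never signs commits, plus a short-lived signing subkey that git uses and
# that can be revoked on its own. Added example, not code from the thread.
# Assumes GnuPG 2.1+; the user id, expiry and file names are placeholders.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping" >&2; exit 0; }

# Throwaway keyring so the example never touches ~/.gnupg.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
USER_ID="Example Dev <dev@example.com>"   # placeholder identity

# Non-interactive gpg with an empty passphrase: demonstration only.
g() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# 1. Root key: usage "cert" only, no expiry. It can certify subkeys (and other
#    people's keys) but has no signing capability of its own.
g --quick-generate-key "$USER_ID" ed25519 cert never
ROOT_FPR=$(gpg --list-secret-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }')

# 2. Signing subkey with a one-year lifetime. Rotation means adding another
#    subkey; compromise means revoking this one under the root, which itself
#    is untouched.
g --quick-add-key "$ROOT_FPR" ed25519 sign 1y
SUB_FPR=$(gpg --list-keys --with-colons "$ROOT_FPR" \
          | awk -F: '$1 == "fpr" { n++ } $1 == "fpr" && n == 2 { print $10; exit }')

# 3. Public key for the forge: contains the root, the subkey and the root's
#    binding signature over it.
gpg --armor --export "$ROOT_FPR" > "$GNUPGHOME/forge-public.asc"

# 4. Secret material for the workstation: subkeys only. The bundle carries
#    just a stub for the root, whose secret stays on the offline machine.
g --armor --export-secret-subkeys "$ROOT_FPR" > "$GNUPGHOME/workstation-subkeys.asc"

# 5. Git configuration to apply on the workstation; the trailing "!" pins
#    exactly this subkey instead of letting gpg pick one.
echo "git config --global user.signingkey '${SUB_FPR}!'"
echo "git config --global commit.gpgsign true"

# Sign a constructed sample payload with the subkey, as git would, and keep
# the detached signature next to it.
printf 'constructed sample commit payload\n' > "$GNUPGHOME/payload"
g --local-user "${SUB_FPR}!" --detach-sign --armor \
  --output "$GNUPGHOME/payload.sig" "$GNUPGHOME/payload"

# Returns 0 when the detached signature over the sample payload verifies
# against the public key in this keyring.
verify_payload() {
  gpg --verify "$GNUPGHOME/payload.sig" "$GNUPGHOME/payload" 2>/dev/null
}

# Simulates the workstation: a fresh keyring that imports only the subkey
# bundle. Returns 0 when the root appears as a stub ("sec#" in gpg's
# listing), i.e. the root secret never reached the workstation.
workstation_root_is_stub() {
  bundle="$GNUPGHOME/workstation-subkeys.asc"
  ws="$(mktemp -d)"
  chmod 700 "$ws"
  GNUPGHOME="$ws" gpg --batch --import "$bundle" 2>/dev/null
  GNUPGHOME="$ws" gpg --list-secret-keys 2>/dev/null | grep -q '^sec#'
}

verify_payload && echo "subkey signature verifies"
workstation_root_is_stub && echo "workstation holds only a stub for the root key"
```

Revoking a compromised subkey is done interactively with `gpg --edit-key <root fingerprint>` (`key N`, `revkey`, `save`) on the machine that holds the root, after which the re-exported public key goes back to the forge; the root key and the signatures made by the other subkeys are unaffected.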
Last time I looked, this was not supported in GitHub, though; it only recognized signatures by explicitly trusted keys, not their signed subkeys.
This problem is largely solved in cryptocurrency-land. You have a hardware device that does the signing, which is recoverable from a 24-word seed that is stored offline (plus a passphrase which can be memorized or stored online so that it's not catastrophic if someone gets to your seed).
I just found out that Ledger actually supports SSH/PGP: https://support.ledger.com/article/115005200649-zd
To compromise a key you need to find a hidden piece of paper or engraved plate that your target has physically hidden somewhere. Plus guess a secret password (before your target has noticed you got to their seed and rang the alarm). Almost impossible to pull off.
I'm not sure what you mean about identity changing. If you mean a sex change or getting a new haircut, this is irrelevant to signing commits...
I fail to see how cryptocurrencies are in any way unique in this regard.
And 2FA isn't a requirement for a PR merge afaik, except via org-wide enforcement? So the guarantee is lower: the commit was merged with a valid session token.
[0]: https://docs.github.com/en/authentication/keeping-your-accou...
Without that information I do not know that a particular commit came from a particular person. Anyone can impersonate anyone else.
GitHub doesn't put the info of who pushed the merge button into the merge commit message that it signs. I wonder what it actually attests by putting authors and co-authors into the merge commit.
edit:
The Co-authored-by fields can be trivially forged, and then GitHub signs it. The only question is who it acknowledges as the author. It seems to be the PR opener, from what I could gather.
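To see exactly which bytes a forge's signature on a merge commit covers, here is an added shell example that is not code from the thread or from GitHub. It reconstructs the signed payload the way `git verify-commit` does (the commit object with its own `gpgsig` header removed) and computes the object id. The commit object is constructed: the tree is git's empty tree, and the parent ids, names, timestamps and signature body are placeholders.

```shell
#!/bin/sh
# What a forge-signed merge commit actually commits to. git signs the commit
# object with its own "gpgsig" header removed; everything else, including the
# author/committer headers and free-text trailers such as Co-authored-by, is
# inside the signed bytes. Added example, not code from the thread or from
# GitHub. The commit object below is constructed: the tree is the empty tree,
# the parent ids, names and signature body are placeholders.
set -eu

WORK="$(mktemp -d)"

# Constructed commit object, in the layout "git cat-file commit <id>" prints.
# Signature continuation lines are indented by one space, as git stores them.
cat > "$WORK/commit.obj" <<'EOF'
tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
parent 1111111111111111111111111111111111111111
parent 2222222222222222222222222222222222222222
author Pull Request Opener <opener@example.com> 1700000000 +0000
committer GitHub <noreply@github.com> 1700000001 +0000
gpgsig -----BEGIN PGP SIGNATURE-----
 placeholder-signature-body-line-1
 placeholder-signature-body-line-2
 -----END PGP SIGNATURE-----

Merge pull request #1 from example/feature

Co-authored-by: Someone Else <someone@example.com>
EOF

# Reconstructs the bytes the signature was made over: drop the gpgsig header
# and its space-indented continuation lines, keep every other line verbatim.
# This is what "git verify-commit" hands to gpg together with the signature.
signed_payload() {
  awk '
    BEGIN { in_headers = 1; in_sig = 0 }
    in_headers && /^gpgsig / { in_sig = 1; next }
    in_headers && in_sig && /^ / { next }
    { in_sig = 0 }
    in_headers && /^$/ { in_headers = 0 }
    { print }
  ' "$1"
}

# Git object id of the stored object: SHA-1 over "commit <size>\0" + bytes.
# The id covers the gpgsig header, while the signature does not cover the id,
# so re-signing the same payload yields a different commit id.
sha1() {
  if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum -a 1; fi
}
object_id() {
  size=$(wc -c < "$1" | tr -d ' ')
  { printf 'commit %s\000' "$size"; cat "$1"; } | sha1 | cut -d' ' -f1
}

# Returns 0 when a line starting with the given text is part of the signed
# payload, i.e. the signature vouches that this text was present at signing.
trailer_is_signed() {
  signed_payload "$1" | grep -q "^$2"
}

signed_payload "$WORK/commit.obj" > "$WORK/payload"
echo "object id: $(object_id "$WORK/commit.obj")"
echo "signed payload lines: $(wc -l < "$WORK/payload" | tr -d ' ')"
trailer_is_signed "$WORK/commit.obj" "Co-authored-by:" \
  && echo "Co-authored-by trailer is inside the signed bytes"
```

The point of the check: the trailer and the author header sit inside the signed payload, so a valid signature proves the forge emitted that text, not that the named people wrote or approved anything. The committer line is the only field the forge fills in itself; the rest is whatever the PR carried.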
A common practice is one YubiKey on your keyring, another left at home (optionally left in your desktop or a computer that doesn't leave the house).
Identity changes, such as name changes, are relevant in the Web of Trust/GPG world, where you typically require a valid ID proof (such as a passport) and physical presence before you sign someone's keys at a key signing party.
> Identity changes, such as name changes, are relevant in the Web of Trust/GPG world, where you typically require a valid ID proof (such as a passport) and physical presence before you sign someone's keys at a key signing party.
It doesn't solve that problem but I don't think "real life" identity is really relevant for the purpose of contributing code. In fact, plenty of open source contributors are pseudonymous.
If you are looking at and trusting the GitHub UI/API anyway as part of your verification, then you might as well just look at the green "verified" badge without actually verifying the signature locally. At that point, actually signing with the GitHub key is just useless ceremony.