
Add section on signing key maintenance into signing guideline #172

Open
larskaare opened this issue Dec 3, 2024 · 2 comments

Comments

@larskaare
Contributor

  • What happens when a signing key is deleted?
  • Should signing keys be rotated?
  • How long should they be kept in the profile?

Github doc: https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#records-persist-even-after-revocation-and-expiration

@dbelyaev
Member

@larskaare FYI

We came across the same/relevant issue (first item in your bullet list) on our team and this question was raised recently:

Dmitriy:

Hello, folks! 🙂 I have a question about some routines related to signed commits.

As part of the configuration process, we upload the public part of our signature to GitHub. This allows GitHub to recognize our signature and enables it to verify and display a "Valid" badge.

However, over time, circumstances change — people switch computers, hard drives can fail, or signatures might expire (as with GPG signatures, for instance). I am not taking into consideration physical keys for signature like Yubikey here, but those can also be lost or destroyed.

Consequently, a developer may need to generate a new signature and upload it to GitHub again.

Currently, in the GitHub section for my GPG, I have 5 signatures configured, but I'm not using 3 of them (although some past commits were signed with these). I'd like to tidy things up by removing them.
However, attempting to delete outdated and obsolete signatures produces the following warning (see screenshot):

This action cannot be undone. This will permanently delete the GPG key, and if you'd like to use it in the future, you will need to upload it again.

Commits you signed with this key may become unverified after removing it. Learn more about persistent commit signature verification.


Looks like removing this signing key from my GitHub profile may (?) cause commits signed with it to become 'Unverified.'
Does this mean we are forever bound to retain all the signatures we've ever used, resulting in an ever-growing list of items?
Has anyone else encountered this situation?

As an answer to this question, the "persistent commit signature verification" feature in GitHub has been named:

Bjarte:

It used to be like that, if you rotated keys and deleted the old one, commits would show up as unverified again. But simply adding it back would again make them verified. But I think this should be solved now by the persistent commit signature verification feature in GitHub.
https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification

But I haven't tested this personally after the feature was introduced. I'm not sure how you can trigger the persistent record to be created on older commits predating this feature. If it is an old repo, there might be a risk involved with ending up with unverified commits.

Would be great to get an article / tips / recommendation on this from appsec.

Keep up the good work and thanks!
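The clean-up question above (which of the uploaded keys actually signed commits in a repository, and which signed nothing and can go) can be answered from the git history before touching the profile. The following is an added example, not code from this issue or from GitHub: the commit hashes and key IDs are constructed, and `run_git_log` assumes `git` is on PATH and the repository is checked out locally.

```python
import subprocess
from collections import defaultdict

# Constructed sample in the shape produced by
#   git log --format='%H%x1f%G?%x1f%GK'
# %G? is the signature status (G good, E cannot be checked, N unsigned, ...),
# %GK is the ID of the key that made the signature. Hashes and key IDs are made up.
SAMPLE_LOG = (
    "aaaa1111\x1fG\x1fA1B2C3D4E5F60718\n"
    "bbbb2222\x1fG\x1fA1B2C3D4E5F60718\n"
    "cccc3333\x1fE\x1f0F9E8D7C6B5A4938\n"   # key missing from local keyring, still identifiable
    "dddd4444\x1fN\x1f\n"                   # unsigned commit
    "eeee5555\x1fG\x1f1234123412341234\n"
)

def signing_keys_in_history(log_text):
    """Map each signing key ID to the (commit, status) pairs it appears with."""
    usage = defaultdict(list)
    for line in log_text.splitlines():
        if not line:
            continue
        sha, status, key_id = line.split("\x1f")
        if status == "N" or not key_id:
            continue  # unsigned: no key to retain for this commit
        usage[key_id].append((sha, status))
    return dict(usage)

def classify_profile_keys(profile_key_ids, usage):
    """Sort the key IDs uploaded to the profile into: 'used' (signed commits here;
    deleting one can flip those commits to Unverified unless GitHub already holds a
    persistent verification record), 'unused' (signed nothing in this history), and
    'not_in_profile' (seen in history but not uploaded to this profile)."""
    profile = set(profile_key_ids)
    used = {k for k in profile if k in usage}
    return {
        "used": used,
        "unused": profile - used,
        "not_in_profile": set(usage) - profile,
    }

def run_git_log(repo_path):
    """Collect the same three fields from a real repository (needs git on PATH)."""
    result = subprocess.run(
        ["git", "-C", repo_path, "log", "--format=%H%x1f%G?%x1f%GK"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout
```

Run it over several repositories and union the `used` sets before deleting anything: a key that is unused in one repository may still have signed history elsewhere.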

@kjetvin

kjetvin commented Jan 28, 2025

Another thing to note is that you can't (or at least couldn't previously) upload an expired key to Github.
