Support for verification of git SSH commit signatures

[wiktor-k]

Summary

Currently, ArgoCD supports verification of GPG signatures but ever since that was introduced git added support for a simpler scheme: SSH signatures.

git SSH signatures are now widely supported by GitHub, Gitlab, Gitea, (not mentioning the git tooling itself which introduced that).

Motivation

In some sensitive environments, signing of Git commits using digital signatures and only considering the signed ones might be a security requirement. Moreover git allows specifying allowedSignersFile that defines which keys are authorized to sign commits for the repo (there's no need for any additional special format for authorizations).

Proposal

I've checked the issue which discusses GPG signatures and I think it would be even simpler: no additional certificates/public keys are to be managed since SSH signatures contain the public keys that issued them. One thing to additionally store would probably be the allowed_signers file.

In my repositories I store that file inside the repo, so that introducing new keys can be only done using existing keys, but others may have different preferences: for example using one centralized allowed_signers file.

[hex-m]

OpenSSH supports physically protected SSH-keys by using a FIDO authenticator. FIDO authenticators are common and well supported by now - more so than devices supporting the "OpenPGP card"-standard.

This feature would make it easier to use hardware-protected private keys and thus would increase the practical security for many users.

[wiktor-k]

This sounds like a duplicate of #8733 that you've linked so I'm going to close this one.

FIDO authenticators are common and well supported by now - more so than devices supporting the "OpenPGP card"-standard.

Yes, they are also significantly cheaper than OpenPGP Card devices. (Agreed with everything else, obviously!)