Allow using SSH keys to sign commits #7744
-
Git 2.34 now supports signing commits with SSH keys instead of GPG: https://github.blog/2021-11-15-highlights-from-git-2-34/#tidbits (see the first bullet point in the "tidbits" section). It would be super cool to have this work with GitHub's existing "Verified Commit" tag, like it does with GPG keys. |
Beta Was this translation helpful? Give feedback.
Replies: 26 comments 61 replies
-
Beta Was this translation helpful? Give feedback.
-
Saves a lot of us to carry two keys instead of one. Also looks like the SSH key signature method doesn't have the "type confusion" issue of GPG |
Beta Was this translation helpful? Give feedback.
-
+1. Here's a demo commit that's got a valid signature using an SSH key: maxgoedjen/ssh_signature_demo@759243c, with a key listed in my profile Basically GitHub just doesn't read the type of keys yet, but would love for this to get added soon (I've been putting off adding GPG support to Secretive for ages, but this works great with it pretty much out of the box. In terms of verifying keys – it seems like it'd be reasonable for it to show as "verified" with any keys that have push access to your account, although personally I'd love the ability to mark specific keys as being used for push access, singing verification, or both. |
Beta Was this translation helpful? Give feedback.
-
Also, your SSH public keys are available at github.com/username.keys (unfortunately without their identifiers). This could potentially make it very easy for project maintainers to automatically create an |
Beta Was this translation helpful? Give feedback.
-
I learned about this new functionality in 2.34 from the GitHub blog, so I was quite surprised when I found out that GitHub doesn't actually support it yet. |
Beta Was this translation helpful? Give feedback.
-
+1. Also, that will remove hassle caused by GPG for Windows users like me. |
Beta Was this translation helpful? Give feedback.
-
Hi all. Thanks for this feedback because it helps us prioritize. The GitHub Repos team is also excited to see SSH commit signing support in Git. We're anxious for GitHub's commit validation to support it. Like what @farski said above, this is something that would have been great to support at the same time that Git began supporting it. We've recently expanded the GitHub Repos team and are still hiring to be more capable of that in the future. This issue is on our near-term backlog, but in full disclosure, we probably won't start working on it for 2-4 months. Commit security is an area that we want to give extra attention to during the next several months. @maxgoedjen, thanks for the good ideas about key management. If anyone has other suggestions on how repository or commit security can be improved, we'd love to hear them. We appreciate your perspective and knowing what is most important to you. |
Beta Was this translation helpful? Give feedback.
-
When this is implemented, it would be nice to be able to add keys which are trusted for signing but not trusted for pushing, instead of having a single list. |
Beta Was this translation helpful? Give feedback.
-
Our org (using GitHub enterprise) would love to introduce required commit signing to all protected branches, but has only done so for a few security-sensitive repos, since rolling out GPG commit signing across the org is so cumbersome. Support for SSH commit signing in GitHub repos would be so helpful. |
Beta Was this translation helpful? Give feedback.
-
Some thoughts on what might be some useful features here:
|
Beta Was this translation helpful? Give feedback.
-
Hi there, a quick note on this topic -- the current behavior is
This creates the perverse incentive to disable signing of commits in order to avoid the false message to users that a repo contains malicious commits. In other words, this is making software security strictly worse. While I understand that it will take some time for GH to show a "Verified" badge, could the hopefully-simpler change to show no badge for SSH-signed commits be made sooner? |
Beta Was this translation helpful? Give feedback.
-
Any updates on this? |
Beta Was this translation helpful? Give feedback.
-
I'm not sure if this has already been suggested, but I would appreciate a way to mark SSH and GPG keys as obsolete or revoked, such that commits made before they're marked obsolete remain Verified, but future commits made with the key are not, and the obsolete keys don't show up on https://github.com/JonahAragon.keys or https://github.com/JonahAragon.gpg. It'd be especially handy once SSH signing here rolls out, so I can 'remove' my GPG keys from my account without unverifying every commit I've made in the past 2 years or so. |
Beta Was this translation helpful? Give feedback.
-
https://github.blog/changelog/2022-08-23-ssh-commit-verification-now-supported/ 🎊 |
Beta Was this translation helpful? Give feedback.
-
Update: fixed it; if you intend to use ssh-signed commits, you must create an empty
|
Beta Was this translation helpful? Give feedback.
-
Does the signature verification work with SSH CAs, which are supported in GitHub Enterprise, and if so is there an option to require the commit to be signed by a key that is certified by the repo’s org’s SSH key? Ideally I’d want the commits to be signed by an OpenSSH 8.2+ FIDO U2F ed25519-sk key certified by the CA key with a short-lived certificate so a stolen or lost Yubikey is not an issue. |
Beta Was this translation helpful? Give feedback.
-
Thank you very much for this long awaited SSH signing feature! Would it be possible in the future to implement some kind of isolation of the SSH signing key to specific repositories only? I'm thinking more in a solution to the problem of an untrusted remote machine in which you manage a specific repository (usually through an SSH deploy key). |
Beta Was this translation helpful? Give feedback.
-
Thank you for this feature! Do you have estimations when it will be available in GitHub Enterprise? |
Beta Was this translation helpful? Give feedback.
-
Thank you for the feature! I get no errors but I don't see a Verified icon on my commits either. Am I missing something? Unfortunately cannot show it to you so far, it's a private repo. |
Beta Was this translation helpful? Give feedback.
-
Will the rest API endpoint for creating an ssh key be updated to accept a ssh key type (auth/signing)? https://docs.github.com/en/rest/users/keys#create-a-public-ssh-key-for-the-authenticated-user |
Beta Was this translation helpful? Give feedback.
-
Include the signing keys with auth keys under https://github.com/user.keys it would be nice. I don't think there will be security implications. |
Beta Was this translation helpful? Give feedback.
-
Are FIDO SSH keys supported? I added a signing key to my account and pushed a commit that was signed using a FIDO key, but it shows up as "unverified" in the Github UI: openssh/openssh-portable@3a683a1 Verifying locally works fine:
|
Beta Was this translation helpful? Give feedback.
Hi all. Thanks for this feedback because it helps us prioritize. The GitHub Repos team is also excited to see SSH commit signing support in Git. We're anxious for GitHub's commit validation to support it. Like what @farski said above, this is something that would have been great to support at the same time that Git began supporting it. We've recently expanded the GitHub Repos team and are still hiring to be more capable of that in the future. This issue is on our near-term backlog, but in full disclosure, we probably won't start working on it for 2-4 months. Commit security is an area that we want to give extra attention to during the next several months. @maxgoedjen, thanks for the good …