Commit signing in 2023 is kinda wack
lobi.toNot as the creator intended, but Commit signing on GitHub is mostly an automatic thing at this point if you use pull requests and squash merges. The commits on the PR itself are unsigned, but the merge to the branch is attested and marked as signed by GitHub itself. Since you need to have permission at the time of merge, it's a rather trustworthy indication.
Here an example from Sentry's master which other than bot triggered reverts are all verified: https://github.com/getsentry/sentry/commits/master/
I fail to so what security you gain by trusting Github's key.
You get an attestation that the person that merged corresponds to a particular github identity. More importantly you know that at the time the person merged the commit they had a 2FA token that was valid. The only way the commit could have been forged is that at the time it took place, the user account itself was compromised.
GitHub uses fairly long-lived sessions. "sudo mode"[0] on GitHub, where it asks for a verification of the 2FA is only for sensitive actions, which PR merges are not. So a cookie-stealing attack can easily merge PRs for quite a while.
And 2FA isn't a requirement for a PR merge afaik, Except via org-wide enforcement? So the guarantee is lower - the commit was merged with a valid session token.
[0]: https://docs.github.com/en/authentication/keeping-your-accou...
If you enforce an organization to have a 2FA sign-in then yes, it's enforced that the session was created with a second factor. In Sentry's case you also need to go through SSO once every 24 hours. There is no way for you to get a valid session token without going through that which can be used to create a signed merge commit.
Don't you get all those guarantees by just pulling from github? I guess it's nice that you get an attestation that you can verify offline, but it feels like a marginal benefit.
> Don't you get all those guarantees by just pulling from github?
Without that information I do not know that a particular commit came from a particular person. Anyone can impersonate anyone else.
So Github attests that the merge was done on Github's side, but what does "commit came from a particular person" mean? Who opened the PR? Who is the author of the commits in the PR (can be impersonated)? Who are the "committers" of said commits? Who pushed the merge button?
Github doesn't put the info of who pushed the merge button into the merge commit message that it signs. I wonder what it actually attests by putting authors and coauthors into the merge commit.
edit:
The Co-authored-by fields can be trivially forged, and then Github signs it. The only question is who it acknowledges as the author. It seems to be the PR opener, from what I could gather.
It doesn’t have to because you can discover that information from the UI.
Signing with the github key doesn't add anything if you can verify based on UI/API anyway.
I'm not really sure I follow. Can you explain the attack vector with squash signed commits today?
I'm not trying to find an attack vector, I'm trying to find a threat model where relying on non-signed commits on master is insecure, but relying on commits signed by the github key is secure.
If you are looking at and trusting github UI/API anyway as part of your verification, then you might as well just look at the green "verified" badge without actually verifying the signature locally. At which point actually signing by the github key is just useless ceremony.
Again, I’m not sure I understand your point. The verification is a strong attestation by GitHub how that commit came to be. Without the verification I know absolutely nothing about the authorship of the commit.
In theory, there is a solution to the PGP revocation issue that I think vibes with OPs desire:
Generate a long-lived root keypair (SC/C), the public key of which you add to the forge. You never sign directly with this. Instead you routinely generate new signing pairs. If compromised you hopefully only need to revoke the subkey so the blast radius is a lot smaller.
You could even do a three-tier one where you can keep the root key dead cold and literally lock it into a vault.
Last time I looked, this was not supported in GitHub, though; it only recognized signatures by explicitly trusted keys, not their signed subkeys.
> Key compromise happens, key loss happens, and identities change over time.
This problem is largely solved in cryptocurrency-land. You have a hardware device that does the signing, which is recoverable from a 24 word seed that is stored offline (plus a passphrase which can be memorized or stored online so that it's not catastrophic if someone gets to your seed).
I just found out that Ledger actually supports SSH/PGP: https://support.ledger.com/article/115005200649-zd
This is absolutely not solving the problem, it's at best kicking it down the road and doesn't solve the key getting compromised or identity changing.
Can you be more specific about how it is absolutely not solving the problem?
To compromise a key you need to find a hidden piece of paper or engraved plate that your target has physically hidden somewhere. Plus guess a secret password (before your target has noticed you got to their seed and rang the alarm). Almost impossible to pull off.
I'm not sure what you mean about identity changing. If you mean a sex change or getting a new haircut, this is irrelevant to signing commits...
Any knowledge held by a person is retrievable with a $5 wrench. Things can get stolen, houses can burn down, bank lockers can be robbed.
Identity Changes, such as name changes, are relevant in the Web o Trust/GPG world where you typically require a valid ID proof (such as a passport) and physical presence before you sign someone's keys at a Key Signing Party.
Fire issue is solved with multiple backups or titanium engraving. Theft is solved with secret passphrase that is either memorized or stored in a separate location. The $5 wrench attack (aka kidnapping and torture) is unsolved but it is extremely rare in comparison to the much more common key leaks/theft scenario. And I don't believe any defense is really possible against that one, cryptographically or otherwise.
> Identity Changes, such as name changes, are relevant in the Web o Trust/GPG world where you typically require a valid ID proof (such as a passport) and physical presence before you sign someone's keys at a Key Signing Party.
It doesn't solve that problem but I don't think "real life" identity is really relevant for the purpose of contributing code. In fact, plenty of open source contributors are pseudonymous.
It’s kind of a solved problem too, Julian Assange even worked on a file system called Rubberhose - https://en.m.wikipedia.org/wiki/Deniable_encryption
It's also a feature of crypto wallets like Ledger which allow you to have a decoy PIN that unlocks a throw away wallet.
How is this any different from just using a Yubikey?
I fail to see how cryptocurrencies are in any way unique in this regard.
I don't know, I've never used one. Can keys stored on a Yubikey be restored from a 24 word seed + passphrase? Do Yubikeys self-destroy after 3 incorrect PINs?
No, but that's the whole point. One less avenue for exploitation. You would have to physically destroy the device, and find an exploit in the smartcard on the chip itself to obtain the private keys.
Then it doesn't solve the "key loss happens" problem. You lose/break/damage your device and your keys are gone.
You're supposed to register more than one key, and leave the other on standby.
A common practice is one Yubikey on your keyring, another left at home (optionally left in your Desktop or a computer that doesn't leave the house)
I simply include a base64-encoded PNG with the facsimile of my signature in the commit message, if I'm being really pushed to "sign my commit", it has about the same power of attestation as the cryptographic means. So far, I only had to do it once.
Why is this written so poorly?