Add section on signing key maintenance into signing guideline
- What happens when a signing key is deleted?
- Should signing keys be rotated?
- How long should they be kept in the profile?
GitHub doc: https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#records-persist-even-after-revocation-and-expiration
@larskaare FYI
We came across the same/relevant issue (first item in your bullet list) on our team, and this question was raised recently:
Dmitriy:
Hello, folks! :slightly_smiling_face: I have a question about some routines related to signed commits.
As part of the configuration process, we upload the public part of our signature to GitHub. This allows GitHub to recognize our signature and enables it to verify and display a "Valid" badge.
However, over time, circumstances change — people switch computers, hard drives can fail, or signatures might expire (as with GPG signatures, for instance). I am not taking into consideration physical keys for signature like Yubikey here, but those can also be lost or destroyed.
Consequently, a developer may need to generate a new signature and upload it to GitHub again.
Currently, in the GitHub section for my GPG, I have 5 signatures configured, but I'm not using 3 of them (although some past commits were signed with these). I'd like to tidy things up by removing them. However, attempting to delete outdated and obsolete signatures produces the following warning (see screenshot):
This action cannot be undone. This will permanently delete the GPG key, and if you'd like to use it in the future, you will need to upload it again.
Commits you signed with this key may become unverified after removing it. Learn more about persistent commit signature verification.
Looks like removing this signing key from my GitHub profile may (?) cause commits signed with it to become 'Unverified.' Does this mean we are forever bound to retain all the signatures we've ever used, resulting in an ever-growing list of items? Has anyone else encountered this situation?
As an answer to this question, the "persistent commit signature verification" feature in GitHub was named:
Bjarte:
It used to be like that: if you rotated keys and deleted the old one, commits would show up as unverified again. But simply adding it back would make them verified again. But I think this should be solved now by the persistent commit signature verification feature in GitHub. https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification
But I haven't tested this personally after the feature was introduced. I'm not sure how you can trigger the persistent record to be created on older commits predating this feature. If it is an old repo, there might be a risk involved with ending up with unverified commits.
Would be great to get an article / tips / recommendations on this from appsec.
Keep up the good work and thanks!
Another thing to note is that you can't (or at least couldn't previously) upload an expired key to GitHub.
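One practical check behind the "can I delete this key?" question above is to find out which key IDs actually signed commits in a repository before removing anything from the profile. The script below is an added example, not code from the thread or from GitHub: it parses the output of `git log --format='%G?%x09%GK%x09%H'` (git's signature status code, signing key ID and commit hash), counts signed commits per key, and reports which of the keys configured in the profile signed nothing and are therefore the only candidates for removal. The log lines, key IDs and commit hashes are constructed sample data.

```python
"""Audit which GPG signing keys a repository's history depends on.

Input is the output of: git log --format='%G?%x09%GK%x09%H'
  %G? = git's signature status code, %GK = signing key ID, %H = commit hash.
All sample values below are constructed, not real keys or commits.
"""
from collections import Counter
from dataclasses import dataclass, field

# Meaning of git's %G? status codes (from the git-log format documentation).
STATUS = {
    "G": "good signature", "B": "bad signature",
    "U": "good signature, untrusted key", "X": "good signature, expired",
    "Y": "good signature, key expired", "R": "good signature, key revoked",
    "E": "signature cannot be checked (e.g. key missing)", "N": "no signature",
}

@dataclass
class KeyAudit:
    signed_by_key: Counter = field(default_factory=Counter)  # key ID -> commit count
    unverifiable: list = field(default_factory=list)         # commits with status E
    unsigned: list = field(default_factory=list)             # commits with status N

def audit_signing_keys(log_lines, profile_keys):
    """Return (audit, keys_safe_to_remove).

    profile_keys: long key IDs currently uploaded to the GitHub profile.
    A key is reported as safe to remove only if no commit was signed with it;
    expired (Y) or locally unverifiable (E) signatures still count as uses.
    """
    audit = KeyAudit()
    for line in log_lines:
        status, key_id, commit = line.rstrip("\n").split("\t")
        if status == "N":
            audit.unsigned.append(commit)
            continue
        if status == "E":
            audit.unverifiable.append(commit)
        if key_id:  # git still reports the key ID for E when the packet carries it
            audit.signed_by_key[key_id] += 1
    safe = sorted(k for k in profile_keys if k not in audit.signed_by_key)
    return audit, safe

# Constructed sample: two commits by one key, one by an expired key,
# one by a key missing from the local keyring, one unsigned commit.
SAMPLE_LOG = [
    "G\tABCDEF0123456789\t" + "1" * 40, "G\tABCDEF0123456789\t" + "2" * 40,
    "Y\t0123456789ABCDEF\t" + "3" * 40, "E\tFEDCBA9876543210\t" + "4" * 40,
    "N\t\t" + "5" * 40,
]
# Five keys in the profile, as in the thread; two of them never signed anything.
PROFILE_KEYS = ["ABCDEF0123456789", "0123456789ABCDEF", "FEDCBA9876543210",
                "AAAAAAAAAAAAAAAA", "BBBBBBBBBBBBBBBB"]

if __name__ == "__main__":
    result, removable = audit_signing_keys(SAMPLE_LOG, PROFILE_KEYS)
    for key, n in result.signed_by_key.most_common():
        print(f"{key}: {n} signed commit(s) -> keep in profile")
    print("safe to remove:", ", ".join(removable))
```

Run it against a real repository by piping `git log --format='%G?%x09%GK%x09%H'` into `audit_signing_keys` instead of `SAMPLE_LOG`; the key IDs it reports as in use are the ones whose deletion the GitHub warning quoted above refers to.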