Not as the creator intended, but Commit signing on GitHub is mostly an automatic thing at this point if you use pull requests and squash merges. The commits on the PR itself are unsigned, but the merge to the branch is attested and marked as signed by GitHub itself. Since you need to have permission at the time of merge, it's a rather trustworthy indication.
You get an attestation that the person that merged corresponds to a particular github identity. More importantly you know that at the time the person merged the commit they had a 2FA token that was valid. The only way the commit could have been forged is that at the time it took place, the user account itself was compromised.
GitHub uses fairly long-lived sessions. "sudo mode"[0] on GitHub, where it asks for a verification of the 2FA is only for sensitive actions, which PR merges are not. So a cookie-stealing attack can easily merge PRs for quite a while.
And 2FA isn't a requirement for a PR merge afaik, Except via org-wide enforcement? So the guarantee is lower - the commit was merged with a valid session token.
If you enforce an organization to have a 2FA sign-in then yes, it's enforced that the session was created with a second factor. In Sentry's case you also need to go through SSO once every 24 hours. There is no way for you to get a valid session token without going through that which can be used to create a signed merge commit.
Don't you get all those guarantees by just pulling from github? I guess it's nice that you get an attestation that you can verify offline, but it feels like a marginal benefit.
So Github attests that the merge was done on Github's side, but what does "commit came from a particular person" mean? Who opened the PR? Who is the author of the commits in the PR (can be impersonated)? Who are the "committers" of said commits? Who pushed the merge button?
Github doesn't put the info of who pushed the merge button into the merge commit message that it signs. I wonder what it actually attests by putting authors and coauthors into the merge commit.
edit:
The Co-authored-by fields can be trivially forged, and then Github signs it. The only question is who it acknowledges as the author. It seems to be the PR opener, from what I could gather.
In theory, there is a solution to the PGP revocation issue that I think vibes with OPs desire:
Generate a long-lived root keypair (SC/C), the public key of which you add to the forge. You never sign directly with this. Instead you routinely generate new signing pairs. If compromised you hopefully only need to revoke the subkey so the blast radius is a lot smaller.
You could even do a three-tier one where you can keep the root key dead cold and literally lock it into a vault.
Last time I looked, this was not supported in GitHub, though; it only recognized signatures by explicitly trusted keys, not their signed subkeys.
> Key compromise happens, key loss happens, and identities change over time.
This problem is largely solved in cryptocurrency-land. You have a hardware device that does the signing, which is recoverable from a 24 word seed that is stored offline (plus a passphrase which can be memorized or stored online so that it's not catastrophic if someone gets to your seed).
Can you be more specific about how it is absolutely not solving the problem?
To compromise a key you need to find a hidden piece of paper or engraved plate that your target has physically hidden somewhere. Plus guess a secret password (before your target has noticed you got to their seed and rang the alarm). Almost impossible to pull off.
I'm not sure what you mean about identity changing. If you mean a sex change or getting a new haircut, this is irrelevant to signing commits...
Any knowledge held by a person is retrievable with a $5 wrench. Things can get stolen, houses can burn down, bank lockers can be robbed.
Identity Changes, such as name changes, are relevant in the Web o Trust/GPG world where you typically require a valid ID proof (such as a passport) and physical presence before you sign someone's keys at a Key Signing Party.
Fire issue is solved with multiple backups or titanium engraving. Theft is solved with secret passphrase that is either memorized or stored in a separate location. The $5 wrench attack (aka kidnapping and torture) is unsolved but it is extremely rare in comparison to the much more common key leaks/theft scenario. And I don't believe any defense is really possible against that one, cryptographically or otherwise.
> Identity Changes, such as name changes, are relevant in the Web o Trust/GPG world where you typically require a valid ID proof (such as a passport) and physical presence before you sign someone's keys at a Key Signing Party.
It doesn't solve that problem but I don't think "real life" identity is really relevant for the purpose of contributing code. In fact, plenty of open source contributors are pseudonymous.
I don't know, I've never used one. Can keys stored on a Yubikey be restored from a 24 word seed + passphrase? Do Yubikeys self-destroy after 3 incorrect PINs?
No, but that's the whole point. One less avenue for exploitation. You would have to physically destroy the device, and find an exploit in the smartcard on the chip itself to obtain the private keys.
I simply include a base64-encoded PNG with the facsimile of my signature in the commit message, if I'm being really pushed to "sign my commit", it has about the same power of attestation as the cryptographic means. So far, I only had to do it once.
Here an example from Sentry's master which other than bot triggered reverts are all verified: https://github.com/getsentry/sentry/commits/master/