[the_mitsuhiko]

Not as the creator intended, but Commit signing on GitHub is mostly an automatic thing at this point if you use pull requests and squash merges. The commits on the PR itself are unsigned, but the merge to the branch is attested and marked as signed by GitHub itself. Since you need to have permission at the time of merge, it's a rather trustworthy indication.

Here an example from Sentry's master which other than bot triggered reverts are all verified: https://github.com/getsentry/sentry/commits/master/

[leni536]

I fail to so what security you gain by trusting Github's key.

[the_mitsuhiko]

You get an attestation that the person that merged corresponds to a particular github identity. More importantly you know that at the time the person merged the commit they had a 2FA token that was valid. The only way the commit could have been forged is that at the time it took place, the user account itself was compromised.

[captn3m0]

GitHub uses fairly long-lived sessions. "sudo mode"[0] on GitHub, where it asks for a verification of the 2FA is only for sensitive actions, which PR merges are not. So a cookie-stealing attack can easily merge PRs for quite a while.

And 2FA isn't a requirement for a PR merge afaik, Except via org-wide enforcement? So the guarantee is lower - the commit was merged with a valid session token.

[0]: https://docs.github.com/en/authentication/keeping-your-accou...

[the_mitsuhiko]

If you enforce an organization to have a 2FA sign-in then yes, it's enforced that the session was created with a second factor. In Sentry's case you also need to go through SSO once every 24 hours. There is no way for you to get a valid session token without going through that which can be used to create a signed merge commit.

[leni536]

Don't you get all those guarantees by just pulling from github? I guess it's nice that you get an attestation that you can verify offline, but it feels like a marginal benefit.

[the_mitsuhiko]

> Don't you get all those guarantees by just pulling from github?

Without that information I do not know that a particular commit came from a particular person. Anyone can impersonate anyone else.

[leni536]

So Github attests that the merge was done on Github's side, but what does "commit came from a particular person" mean? Who opened the PR? Who is the author of the commits in the PR (can be impersonated)? Who are the "committers" of said commits? Who pushed the merge button?

Github doesn't put the info of who pushed the merge button into the merge commit message that it signs. I wonder what it actually attests by putting authors and coauthors into the merge commit.

edit:

The Co-authored-by fields can be trivially forged, and then Github signs it. The only question is who it acknowledges as the author. It seems to be the PR opener, from what I could gather.

[the_mitsuhiko]

It doesn’t have to because you can discover that information from the UI.