[leni536]

So Github attests that the merge was done on Github's side, but what does "commit came from a particular person" mean? Who opened the PR? Who is the author of the commits in the PR (can be impersonated)? Who are the "committers" of said commits? Who pushed the merge button?

Github doesn't put the info of who pushed the merge button into the merge commit message that it signs. I wonder what it actually attests by putting authors and coauthors into the merge commit.

edit:

The Co-authored-by fields can be trivially forged, and then Github signs it. The only question is who it acknowledges as the author. It seems to be the PR opener, from what I could gather.

[the_mitsuhiko]

It doesn’t have to because you can discover that information from the UI.

[leni536]

Signing with the github key doesn't add anything if you can verify based on UI/API anyway.

[the_mitsuhiko]

I'm not really sure I follow. Can you explain the attack vector with squash signed commits today?

[leni536]

I'm not trying to find an attack vector, I'm trying to find a threat model where relying on non-signed commits on master is insecure, but relying on commits signed by the github key is secure.

If you are looking at and trusting github UI/API anyway as part of your verification, then you might as well just look at the green "verified" badge without actually verifying the signature locally. At which point actually signing by the github key is just useless ceremony.

[the_mitsuhiko]

Again, I’m not sure I understand your point. The verification is a strong attestation by GitHub how that commit came to be. Without the verification I know absolutely nothing about the authorship of the commit.