Ask HN: What should happen to your signed Git commits if you revoke the GPG key?
5 by valera_rozuvan | 3 comments on Hacker News.
Hey there! So imagine that you have been doing a lot of open source coding, and pushing signed commits with GPG over the last couple of years. Some of the commits landed in security-critical projects. Then one day your laptop gets stolen or something, and your GPG private key gets compromised. The proper way to deal with this is to immediately revoke your key, and notify the various Internet key servers that your key has been revoked.

The interesting question - what to do with your old commits that have been verified by the compromised key? At the moment, GitHub marks all your old commits as unverified. Even if you upload a new key (suppose that your master private key is still safe, and you generate a new subkey), GitHub still does not re-verify your old commits. Is this sane? What about the security-critical projects? All of a sudden they are full of unverified commits in their git history. What should be done about this? Is this a valid attack vector - having commits in Git history which are signed with a revoked GPG key? I know for a fact that some projects have a strict policy of accepting only signed commits. What do they do when a key is revoked? It's not like they can just rip out all that old code from their code tree or something...

---

PS: Interesting discussion on this very same issue at GitHub: https://ift.tt/3p3p2Pa
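Editor's note, as an added example that is not part of the post or of any GitHub or Git code: Git itself does not collapse these commits into a single "unverified" bucket. The `%G?` placeholder of `git log --format` reports `G` for a good signature, `R` for a good signature made by a key that is now revoked, `N` for no signature, `B` for a bad signature and `E` when the signature cannot be checked, so a project can tell "historically signed, key since revoked" apart from "never signed". What a signature from a revoked key cannot do is prove when it was made: whoever holds the stolen key also chooses the signing timestamp. The script below applies one policy a project could adopt (an assumption of this example, not something the post or GitHub prescribes): a maintainer with a still-valid key signs a tag on the last commit known to be good before the compromise, and every commit reachable from that anchor is accepted even though `%G?` now says `R`, while `R` commits outside that history are rejected. The log lines, commit hashes and key IDs are constructed for the example; in practice they would come from `git log --format='%H %P|%G?|%GK'` and the anchor from a tag checked with `git verify-tag`.

```python
"""Classify signed commits after the signing key has been revoked.

Added example (not from the HN post, Git or GitHub). Input is constructed
output of:  git log --format='%H %P|%G?|%GK'
  %H  commit hash          %P  parent hashes (space separated, empty for root)
  %G? Git signature status %GK key ID used to sign
Policy (an assumption for illustration): commits reachable from a trusted
anchor, i.e. a commit that a maintainer re-signed via a tag with a
non-compromised key, are accepted even if their own key was revoked.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample history, newest first, as git log prints it.
# A0.. belongs to another maintainer, B0.. is the revoked key, C0.. is the
# new subkey generated after the compromise. c4c4c4c was pushed by whoever
# stole the laptop; c5c5c5c is the owner's first commit with the new key.
SAMPLE_LOG = """\
c5c5c5c c3c3c3c|G|C0C0C0C0C0C0C0C0
c4c4c4c c3c3c3c|R|B0B0B0B0B0B0B0B0
c3c3c3c c2c2c2c|R|B0B0B0B0B0B0B0B0
c2c2c2c c1c1c1c|R|B0B0B0B0B0B0B0B0
c1c1c1c |G|A0A0A0A0A0A0A0A0
"""

# Last commit the maintainers vouched for with a signed tag (assumed verified
# out of band with `git verify-tag` before this script runs).
ANCHOR = "c3c3c3c"


@dataclass
class Commit:
    sha: str
    parents: list[str]
    status: str  # one letter from %G?
    key: str     # %GK


def parse_git_log(text: str) -> dict[str, Commit]:
    """Parse '%H %P|%G?|%GK' lines into Commit objects keyed by hash."""
    commits: dict[str, Commit] = {}
    for line in text.strip().splitlines():
        hashes, status, key = line.split("|")
        sha, *parents = hashes.split()  # merges have several parents
        commits[sha] = Commit(sha, parents, status, key)
    return commits


def reachable_from(anchor: str, commits: dict[str, Commit]) -> set[str]:
    """Return the anchor and all of its ancestors present in the log."""
    seen: set[str] = set()
    stack = [anchor]
    while stack:
        sha = stack.pop()
        if sha in seen or sha not in commits:
            continue
        seen.add(sha)
        stack.extend(commits[sha].parents)
    return seen


def classify(commits: dict[str, Commit], anchor: str) -> dict[str, str]:
    """Map each commit hash to a verdict under the re-anchoring policy."""
    anchored = reachable_from(anchor, commits)
    verdicts: dict[str, str] = {}
    for sha, c in commits.items():
        if c.status == "G":
            verdicts[sha] = "ok"                  # valid key, valid signature
        elif c.status == "R" and sha in anchored:
            verdicts[sha] = "ok-reanchored"       # revoked key, but vouched for
        elif c.status == "R":
            verdicts[sha] = "reject-revoked-key"  # could be the thief's commit
        else:
            verdicts[sha] = f"reject-{c.status}"  # unsigned, bad, uncheckable
    return verdicts


def audit_sample() -> dict[str, str]:
    """Run the policy over the constructed sample log."""
    return classify(parse_git_log(SAMPLE_LOG), ANCHOR)


if __name__ == "__main__":
    for sha, verdict in audit_sample().items():
        print(f"{sha} {verdict}")
```

The anchor commit is the whole trust argument: the `R` letter only tells you gpg saw a signature by a key it now knows is revoked, and neither the commit date nor the signature's own timestamp distinguishes the owner's old commits from ones made with the stolen key. A tag signed with a key that was never compromised moves that judgement to people who can still be trusted, and the script does nothing more than follow the parent pointers from it.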