Feedback Wanted: Persistent Commit Signature Verification (GA)

[leobalter]

Select Topic Area

Product Feedback

Body

Hi everyone!

We just released a public preview for persistent commit signature records this week, and we'd love your feedback! 🎉

With this feature, GitHub verifies commit signatures when they are first pushed. Once a commit’s signature is verified, it remains verified within its repository's network. This helps organizations maintain a secure and accurate record of contributions without needing to recheck the validity of every signature constantly.

You can view these persistent verifications directly on GitHub. Hover over the Verified badge to see the timestamp of the original verification.

Check out the docs to learn more.

If you have questions or feedback, feel free to post them here!
For bugs or deeper inquiries, please reach out to support.

[phj-incom]

Can commits made with the default GITHUB_TOKEN in a github actions workflow run now be verified by default? Or how about commits made by the GitHub REST API?

[leobalter]

No changes to commits using the default GITHUB_TOKEN, those not verified by default.

Commits made by the REST API might get verified, assuming the actor is a bot.

[cvyl]

Awesome! This will be useful for revoking personal PGP keys at my job.

[kanition]

Maybe Github has to update its tips. When I try to delete my GPG keys in settings, it still shows that

Commits you signed with this key may become unverified after removing it

But this new feature means that it will never happen from now on, right?

[aaccioly]

@leobalter, I'm late to the party. Quick question. If an old GPG subkey is compromised and I revoke it, is there a way to "refresh" the commits signed with it to show that the key has been revoked? It would be nice it the UI could show an indication that the key in question has since expired or revoked.

[leobalter]

GPG revoked keys never prevented a verification, it's decorative at its best. What caused the verification to fail was the removal of the key from GitHub.

We are exploring ways for you to confirm authenticity of your commits (and general contributions) without the need to rely on the signature metadata. The push event has proper information that can be flagged as compromised in a more reliable way and connected to commits and other contributions revolving that push event.

[aaccioly]

@leobalter, got it. Many thanks for getting back to me on this.

Purely from a git perspective, git log --show-signature and git-verify-commit provide good support for git signature statuses. See this answer on Stack Overflow.

I fully understand that GitHub is exploring alternative ways to handle revocation that may be interoperable with other key types and align better with its decision to embed the signature status in commit metadata.

Nevertheless, it would be great if GitHub could reflect the signature status according to git's output. I’d be more than happy to re-upload my GPG key if GitHub provided some indication for users about commits signed with expired keys (not commits made with an unexpired key that later expired) and commits made with a revoked key. I’d even go as far as marking commits from revoked keys as unverified in vigilant mode. See, "Y" and "R" here

https://github.com/git/git/blob/master/Documentation/pretty-formats.adoc?plain=1#L274-L281

Meanwhile, is there any sort of manual process to have a fraudulous commit marked at the moment? E.g., assume that Linus Torvalds had enough (🤣) and decides to have this spoofed commit removed from GitHub. What can he do at the moment? jayphelps/git-blame-someone-else@e5cfe4b