Post Abbod2GVSLgojgrYAq by purpleidea@mastodon.social
Post #AbbXyX9M7mNRNqBR1E by mjg59@nondeterministic.computer
2023-11-08T18:13:05Z
0 likes, 1 repeat
Anyone out there at GitHub: could you please add support for adding an SSH CA key to a repo and then enforcing that commits be signed with a certificate signed by that CA? This is already supported in git, and would let orgs just upload their CA and enforce signatures without needing to manage keys for individual users.
Post #AbbZaQZ19xfzuoosK0 by soleblaze@infosec.exchange
2023-11-08T18:31:59Z
0 likes, 0 repeats
@mjg59 I have commit signing enforcement on my list and so far it looks like all the solutions are various degrees of awful.
Post #AbbaUaYNCo6X79IWjw by Char@noc.social
2023-11-08T18:40:50Z
0 likes, 0 repeats
@mjg59 Looks like a self-hosted Gitlab could handle it and it's marked the SaaS should too. I know gpg key signing is well supported by gitlab. https://docs.gitlab.com/ee/user/project/repository/signed_commits/x509.html
Post #AbbaqBzzBCnnKXVzBA by mjg59@nondeterministic.computer
2023-11-08T18:45:42Z
0 likes, 0 repeats
@Char that only seems to support x509 and gpg, not ssh
Post #Abbb1jvpMGuVkz4m6S by vcsjones@infosec.exchange
2023-11-08T18:46:05Z
0 likes, 0 repeats
@mjg59 I've been thinking a lot about things to improve here - no timelines or concrete ideas, but this space occupies a non-empty part of my brain.
Post #AbbezoalSaVLRpYsyW by Char@noc.social
2023-11-08T19:32:18Z
0 likes, 0 repeats
@mjg59 Yes. It would be convoluted converting gpg to/from ssh but possible. Although, if your goal is to have a single CA trust, you'll still have some need to manage individual user certificates. At some point might be easier distributing yubikey/nitrokey or similar.
Post #AbbkY0S6MzQhqfdICu by mjg59@nondeterministic.computer
2023-11-08T20:34:36Z
0 likes, 0 repeats
@Char I have SSH certificates, gpg is absolutely a non-starter here
Post #AbbnvEzcm1ypT75EQK by purpleidea@mastodon.social
2023-11-08T21:09:11Z
0 likes, 0 repeats
@mjg59 If a company did this, and an engineer left the company, and then they changed the cert, would this break all historical verification?
Post #AbboPF7Os7NaXr1hmC by mjg59@nondeterministic.computer
2023-11-08T21:15:25Z
0 likes, 0 repeats
@purpleidea verification is already a one shot because it needs to be marked verified even if the cert expired later
Post #Abbod2GVSLgojgrYAq by purpleidea@mastodon.social
2023-11-08T21:19:33Z
0 likes, 0 repeats
@mjg59 So if companies use this it's fine because GitHub performs and then stores that verification flag once on push, but say for anyone else down the road not using GitHub, it would not verify correctly if they didn't check when the cert still had that user in...Am I understanding that right?
Post #Abbos0oH9K6SZ9nceG by mjg59@nondeterministic.computer
2023-11-08T21:22:52Z
0 likes, 0 repeats
@purpleidea Eh not really - the cert is in the signature so if you have a reason to trust the cert you can independently verify that at any time
Post #AbbtOVLtWrpSNHH1O4 by lgarron@mastodon.social
2023-11-08T22:13:46Z
0 likes, 0 repeats
@mjg59 @vcsjones might know the state of things!
Post #Abbv9CRDljHlHIavnU by markphip@hachyderm.io
2023-11-08T22:32:57Z
0 likes, 0 repeats
@mjg59 you can do this at the GitHub organization level https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities
Post #AbbvJbCIZLb2xnZcaO by robryk@qoto.org
2023-11-08T22:33:01Z
0 likes, 0 repeats
@mjg59 How does that support in git handle expiry?
Post #Abbvvp2JZ3p4t9873w by mjg59@nondeterministic.computer
2023-11-08T22:42:12Z
0 likes, 0 repeats
@robryk what do you mean?
Post #Abbw5EifRd6r9KQfWC by mjg59@nondeterministic.computer
2023-11-08T22:42:29Z
0 likes, 0 repeats
@robryk oh I see - git just calls out to SSH to handle this
Post #AbbwHDuOHkxs6qd1Rg by robryk@qoto.org
2023-11-08T22:44:05Z
0 likes, 0 repeats
@mjg59 SSH certs can expire. What should happen if a commit is signed with a key that had an expiring cert attached? Should we outright reject it (because the signature will become "invalid" for some meaning thereof in the future), accept if it's valid now, accept if it's valid at its stated commit time (and maybe enforce that commits are younger than their parents), or something else?
Post #AbbwVbvHnTgwdvuKgK by robryk@qoto.org
2023-11-08T22:46:00Z
0 likes, 0 repeats
@mjg59 That has a weird effect where you cannot repush a commit that was there already, if it got gced in the meantime, and where e.g. accepting a pull request might work differently depending where the source branch is (because it either does or does not involve adding the commits).
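The mechanics the thread is arguing about, as an added example that is not part of any post above and is not code from git or OpenSSH: an SSH CA is the only thing the verifier trusts (one `cert-authority` line in allowed_signers), the user's certificate travels inside each signature, and a certificate outside its validity window stops verifying. git's `gpg.format=ssh` calls exactly these `ssh-keygen -Y sign` / `-Y verify` commands, so the behaviour below is what a git verifier sees. The CA and key names, the example.org principals, the signed message and the work directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, git or OpenSSH): an SSH CA as the single
# trust anchor for signatures. Key names, example.org principals, the message
# and the work directory are constructed here for the demonstration.
set -eu

# Create the CA, two certified user keys and the verifier's allowed_signers in $1.
build_pki() {
  dir=$1
  mkdir -p "$dir"
  ssh-keygen -q -t ed25519 -N '' -C example-org-ca -f "$dir/ca"
  # alice: certificate valid for one day from now
  ssh-keygen -q -t ed25519 -N '' -C alice -f "$dir/alice"
  ssh-keygen -q -s "$dir/ca" -I alice -n alice@example.org -V +1d "$dir/alice.pub"
  # bob: certificate whose validity window closed years ago
  ssh-keygen -q -t ed25519 -N '' -C bob -f "$dir/bob"
  ssh-keygen -q -s "$dir/ca" -I bob -n bob@example.org -V 20200101:20200102 "$dir/bob.pub"
  # The verifier distributes only this line: the CA public key, marked cert-authority.
  # A signature passes if the certificate embedded in it was issued by this CA, is
  # inside its validity window, and lists the requested principal, which must also
  # match the *@example.org pattern. No per-user key ever appears here.
  printf '*@example.org cert-authority %s\n' "$(cut -d' ' -f1-2 "$dir/ca.pub")" \
    > "$dir/allowed_signers"
  echo 'constructed commit payload' > "$dir/msg"
}

# Sign $3 with certificate $2 (private half in $1) via a throwaway ssh-agent:
# ssh-keygen -Y sign accepts a certificate for -f only when the matching private
# key is held by an agent. The signature written to $3.sig carries the whole cert.
# git does the same with: git config gpg.format ssh; git config user.signingkey
# /path/to/alice-cert.pub; git config gpg.ssh.allowedSignersFile /path/to/allowed_signers
sign_with_cert() {
  ssh-agent sh -c 'ssh-add "$1" 2>/dev/null && ssh-keygen -q -Y sign -n file -f "$2" "$3"' \
    _ "$1" "$2" "$3" >/dev/null
}

# Sign $2 with the bare private key $1: the signature carries only the public key.
sign_with_plain_key() {
  ssh-keygen -q -Y sign -n file -f "$1" "$2" >/dev/null
}

# Verify $1.sig as principal $2 against allowed_signers $3; exit status only.
verify_as() {
  ssh-keygen -Y verify -f "$3" -I "$2" -n file -s "$1.sig" < "$1" >/dev/null 2>&1
}

# Run the four scenarios under $1, print one line each, succeed only if every
# outcome is the expected one.
run_checks() {
  dir=$1
  build_pki "$dir"
  for who in alice bob plain; do cp "$dir/msg" "$dir/msg.$who"; done
  sign_with_cert "$dir/alice" "$dir/alice-cert.pub" "$dir/msg.alice"
  sign_with_cert "$dir/bob"   "$dir/bob-cert.pub"   "$dir/msg.bob"
  sign_with_plain_key "$dir/alice" "$dir/msg.plain"
  fails=0
  expect() {  # expect <ok|fail> <label> <command...>
    want=$1; label=$2; shift 2
    if "$@"; then got=ok; else got=fail; fi
    if [ "$got" = "$want" ]; then echo "$got (as expected): $label"
    else echo "$got (UNEXPECTED): $label"; fails=$((fails + 1)); fi
  }
  expect ok   'alice cert, principal listed in cert'   verify_as "$dir/msg.alice" alice@example.org "$dir/allowed_signers"
  expect fail 'alice cert, principal not in cert'      verify_as "$dir/msg.alice" carol@example.org "$dir/allowed_signers"
  expect fail 'bob cert, expired before signing'       verify_as "$dir/msg.bob"   bob@example.org   "$dir/allowed_signers"
  expect fail 'bare key, no certificate in signature'  verify_as "$dir/msg.plain" alice@example.org "$dir/allowed_signers"
  [ "$fails" -eq 0 ]
}

# Usage: sh ssh-ca-signing.sh run /tmp/sshca-demo
if [ "${1:-}" = run ]; then run_checks "${2:?work directory}"; fi
```

Two things worth noting against the expiry question. First, `ssh-keygen -Y verify` checks the certificate's validity window against the current clock unless it is given `-Overify-time=...`, so bob's signature above fails at verification time and a signature made with alice's cert would start failing once that cert expires, which is the "one shot" behaviour described in the thread; to my knowledge git 2.35 and later pass the commit's own timestamp as `verify-time`, so a commit signed while the cert was valid keeps verifying later, which should be confirmed against the git version in use. Second, nothing in allowed_signers names alice or bob, so anyone holding only the CA public key can verify independently, as mjg59 says, because the certificate is inside the signature itself.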
Post #Abc1K429xHwW7hR6OW by mjg59@nondeterministic.computer
2023-11-08T23:42:23Z
0 likes, 0 repeats
@markphip that enforces certificates for auth, not for signing