GPG support? (like SSH)

New Contributor

10 months ago

Big +1

SSH commit signing is fine until you need to rotate keys. Revoking a GPG key will continue to show commits in GitHub (unsure about GitLab) as "verified (expired)". The only way I've found to do the same with SSH keys is to remove the old key completely, but then commits show as "unverified" which defeats the point of supply chain integrity since it's not possible to distinguish a commit that was signed with an old key, or a commit that was not signed, or signed with another key that's not allowed.

The alternative is to not rotate signing keys, but then you compromise supply chain integrity further by not ensuring keys are rotated in a timely fashion.

Forum Discussion

Recent Discussions

WSL2 Arm Build

Creating blank entries for generic secrets

SSH-Agent and Touch-ID per Session

macOS 26 beta browser extension very slow to open

op item list --tags a,b returns union not intersection