XIII (Super Contributor), 4 years ago
GPG support? (like SSH)
Would it be possible to add similar support for GPG keys?
froazin (New Contributor), 1 year ago
Big +1
SSH commit signing is fine until you need to rotate keys. After revoking a GPG key, commits will continue to show in GitHub (unsure about GitLab) as "verified (expired)". The only way I've found to do the same with SSH keys is to remove the old key completely, but then commits show as "unverified", which defeats the point of supply chain integrity since it's not possible to distinguish a commit that was signed with an old key from one that was not signed, or one signed with another key that's not allowed.
The alternative is to not rotate signing keys, but then you compromise supply chain integrity further by not ensuring keys are rotated in a timely fashion.
- ragectl (Occasional Contributor), 1 month ago
The issue with SSH keys is they have no idea of a trust history, so they are not related in a way that GPG keys might be.
Having said that, if you keep your previous SSH keys in your allowed_signers file and don't delete them from your preferred git forge, then those old SSH keys should remain listed as verified also.
Whether people trust signed commits or not is an exercise entirely for the end user; they might not have your GPG keys trusted either.
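One way to keep commits signed with a retired SSH key distinguishable from unsigned ones, as ragectl describes: leave the old key in allowed_signers with a `valid-before` option and list its replacement with `valid-after`. The Python below is an added example (not Bitwarden's or git's code) that models only the allowed_signers matching; the cryptographic check itself is done by `ssh-keygen -Y verify`, which git invokes with the commit's timestamp. The key material and addresses are constructed placeholders.

```python
"""Model of how an OpenSSH allowed_signers file gates signing keys by validity
window. Constructed example for this thread (not Bitwarden or git code): it parses
the real file format but does not check signatures (that is ssh-keygen's job)."""
import re
from datetime import datetime, timezone

OPT_RE = re.compile(r'([\w-]+)="([^"]*)"')

def parse_ts(s: str) -> datetime:
    """ssh-keygen accepts YYYYMMDD, YYYYMMDDHHMM or YYYYMMDDHHMMSS, optional Z."""
    s = s.rstrip("Z")
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(s)]
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def parse_allowed_signers(text: str) -> list:
    """Each line: principals [options] keytype base64 [comment].
    Returns (principal, "keytype base64", valid_after, valid_before) tuples."""
    signers = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        principals, rest = fields[0], fields[1:]
        opts = dict(OPT_RE.findall(rest.pop(0))) if "=" in rest[0] else {}
        key = f"{rest[0]} {rest[1]}"
        after = parse_ts(opts["valid-after"]) if "valid-after" in opts else None
        before = parse_ts(opts["valid-before"]) if "valid-before" in opts else None
        signers.extend((p, key, after, before) for p in principals.split(","))
    return signers

def classify(signers, principal: str, key, when: datetime) -> str:
    """Outcome for one commit: unsigned / unknown-key / key-outside-window / verified."""
    if key is None:
        return "unsigned"
    for p, k, after, before in signers:
        if p != principal or k != key:
            continue
        if (after and when < after) or (before and when >= before):
            return "key-outside-window"  # e.g. retired key used after its cut-off date
        return "verified"
    return "unknown-key"

# Constructed allowed_signers file; the key material is a placeholder, not a real key.
ALLOWED = """\
dev@example.com valid-before="20240601" ssh-ed25519 AAAAC3PLACEHOLDEROLDKEY retired
dev@example.com valid-after="20240601" ssh-ed25519 AAAAC3PLACEHOLDERNEWKEY current
"""
OLD, NEW = "ssh-ed25519 AAAAC3PLACEHOLDEROLDKEY", "ssh-ed25519 AAAAC3PLACEHOLDERNEWKEY"
SIGNERS = parse_allowed_signers(ALLOWED)
```

A commit made before the rotation date and signed with the old key stays "verified", while the same key used afterwards, an unlisted key, and a missing signature each produce a different outcome.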