Feedback Wanted: Persistent Commit Signature Verification (GA)

[leobalter]

Select Topic Area

Product Feedback

Body

Hi everyone!

We just released a public preview for persistent commit signature records this week, and we'd love your feedback! 🎉

With this feature, GitHub verifies commit signatures when they are first pushed. Once a commit’s signature is verified, it remains verified within its repository's network. This helps organizations maintain a secure and accurate record of contributions without needing to recheck the validity of every signature constantly.

You can view these persistent verifications directly on GitHub. Hover over the Verified badge to see the timestamp of the original verification.

Check out the docs to learn more.

If you have questions or feedback, feel free to post them here!
For bugs or deeper inquiries, please reach out to support.

[phj-incom]

Can commits made with the default GITHUB_TOKEN in a github actions workflow run now be verified by default? Or how about commits made by the GitHub REST API?

[leobalter]

No changes to commits using the default GITHUB_TOKEN, those not verified by default.

Commits made by the REST API might get verified, assuming the actor is a bot.

[cvyl]

Awesome! This will be useful for revoking personal PGP keys at my job.

[kanition]

Maybe Github has to update its tips. When I try to delete my GPG keys in settings, it still shows that

Commits you signed with this key may become unverified after removing it

But this new feature means that it will never happen from now on, right?

[aaccioly]

@leobalter, I'm late to the party. Quick question. If an old GPG subkey is compromised and I revoke it, is there a way to "refresh" the commits signed with it to show that the key has been revoked? It would be nice it the UI could show an indication that the key in question has since expired or revoked.

[leobalter]

GPG revoked keys never prevented a verification, it's decorative at its best. What caused the verification to fail was the removal of the key from GitHub.

We are exploring ways for you to confirm authenticity of your commits (and general contributions) without the need to rely on the signature metadata. The push event has proper information that can be flagged as compromised in a more reliable way and connected to commits and other contributions revolving that push event.

[aaccioly]

@leobalter, got it. Many thanks for getting back to me on this.

Purely from a git perspective, git log --show-signature and git-verify-commit provide good support for git signature statuses. See this answer on Stack Overflow.

I fully understand that GitHub is exploring alternative ways to handle revocation that may be interoperable with other key types and align better with its decision to embed the signature status in commit metadata.

Nevertheless, it would be great if GitHub could reflect the signature status according to git's output. I’d be more than happy to re-upload my GPG key if GitHub provided some indication for users about commits signed with expired keys (not commits made with an unexpired key that later expired) and commits made with a revoked key. I’d even go as far as marking commits from revoked keys as unverified in vigilant mode. See, "Y" and "R" here

https://github.com/git/git/blob/master/Documentation/pretty-formats.adoc?plain=1#L274-L281

Meanwhile, is there any sort of manual process to have a fraudulous commit marked at the moment? E.g., assume that Linus Torvalds had enough (🤣) and decides to have this spoofed commit removed from GitHub. What can he do at the moment? jayphelps/git-blame-someone-else@e5cfe4b

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐