We’re considering commit signing to make it easier to audit some of our code. The idea is to have safe (offline) GPG master keys for every developer, and to create subkeys stored on Yubikeys for the actual commit signing. GitHub - drduh/YubiKey-Guide: Guide to using YubiKey for GPG and SSH is a great documentation for this.
I did some experiments with this and it turns out there is one area where results surprised me, namely subkey revocation or rotation.
Let’s assume we create signing subkeys with a limited validity of, say, 1 year to force ourselves to do regular key rotation. Or, maybe a Yubikey with a signing key is lost and we revoke that subkey in the corresponding master key. Either way, a new subkey is added to the master key and used from then on.
Now it seems commits with this new subkey are shown as “unverified” in GitHub until I create a new export of the (public) master and subkeys and register it in my account settings. At the same time, at least for a revoked subkey, previously “verified” commits will become “unverified”.
This is what it looks like in the UI after I added a new subkey, revoked the key used in the previous commit and updated the key in my account settings:
Here is the same repo, with output from
git --log --signature:
What I would like to avoid is that previously signed commits suddenly appear as unverified, since that would surely raise questions (especially if everyone gets used to commits always showing green “verified” in the normal case).
So what is the recommended approach here?
Avoid planned subkey rotation or key expiration as much as possible? Don’t revoke subkeys when the Yubikey device is lost?
Is it a conceptual problem that once a subkey becomes invalid, you cannot (with certainity) tell whether a commit signed with it was made before or after the revocation/expiration?
Would it make sense for the UI to have more detailed statuses? Not only “verified” or “unverified”, but also something like “verfied, key superseded”? There are a few reasonse that can be given when the
revkey commad is used in
gpg to revoke a subkey.