Support for SSH-signed commits

GitHub currently supports GPG and S/MIME signatures in the UI. Recently, git added the ability to also sign commits with SSH keys:

This was released with git 2.34.0.

It would be nice if GitHub would support SSH keys in a number of ways:

  1. Option to sign web-based merges with an SSH key, and make public keys available for verification outside GitHub.
  2. Allow (at organization or repository level) an “allowed signers” file, either hardcoded, or via a provided URL (for verification via web UI).
  3. Allow (at organization or repository level) a key revocation list, either hardcoded, or via a provided URL (for verification via web UI).
  4. Ability to auto-generate an organization’s allowed signers from the public keys registered by its members (note that supporting valid-before/valid-after attributes might also be useful here).
  5. Show good/bad signatures using the above mechanisms in the web UI.

Above is a full list of features I can think of that might be able to take advantage of SSH key signing, but any progress on the list would be very welcome :)

Thanks,
Gary.

7 Likes
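Items 2 to 4 of the list above, sketched as an added example (not code from the post, GitHub, or git): it builds an `allowed_signers` file in the format `ssh-keygen -Y verify` reads, with `valid-after`/`valid-before` windows, plus a plain public-key revocation list. The member data, key blobs and the `compromised` flag are constructed placeholders; git is pointed at the two outputs with its `gpg.ssh.allowedSignersFile` and `gpg.ssh.revocationFile` settings.

```python
import re
from datetime import datetime, timezone

UTC = timezone.utc
# Constructed sample data; key blobs are placeholders, not real keys.
MEMBERS = {
    "alice@example.org": [
        {"key": "ssh-ed25519 AAAA-PLACEHOLDER-ALICE-OLD",
         "added": datetime(2021, 11, 15, tzinfo=UTC),
         "removed": datetime(2022, 6, 1, 12, 30, tzinfo=UTC)},
        {"key": "ssh-ed25519 AAAA-PLACEHOLDER-ALICE-NEW",
         "added": datetime(2022, 6, 1, 12, 30, tzinfo=UTC),
         "removed": None},
    ],
    "bob@example.org": [
        {"key": "ssh-ed25519 AAAA-PLACEHOLDER-BOB-STOLEN",
         "added": datetime(2022, 1, 10, tzinfo=UTC),
         "removed": None, "compromised": True},
    ],
}

def _stamp(dt):
    # ssh-keygen timestamp form YYYYMMDDHHMMSS. The trailing Z (UTC) needs a
    # recent OpenSSH; without it the time is read in the local time zone.
    return dt.astimezone(UTC).strftime("%Y%m%d%H%M%SZ")

def build_files(members, namespace="git"):
    """Return (allowed_signers_text, revocation_list_text)."""
    allowed, revoked = [], []
    for principal in sorted(members):
        # The principals field is a pattern list: refuse wildcard, negation
        # and separator characters so one entry cannot match other identities.
        if not re.fullmatch(r'[^\s,*?!"]+@[^\s,*?!"]+', principal):
            raise ValueError(f"unsafe principal: {principal!r}")
        for entry in members[principal]:
            if entry.get("compromised"):
                # Compromised keys are revoked outright, with no time window.
                revoked.append(entry["key"])
                continue
            opts = [f'namespaces="{namespace}"',
                    f'valid-after="{_stamp(entry["added"])}"']
            if entry["removed"] is not None:
                # Rotated keys still verify signatures made inside the window.
                opts.append(f'valid-before="{_stamp(entry["removed"])}"')
            allowed.append(f'{principal} {",".join(opts)} {entry["key"]}')
    return "\n".join(allowed) + "\n", "\n".join(revoked) + "\n"

if __name__ == "__main__":
    signers, revocations = build_files(MEMBERS)
    print(signers + "--- revoked ---\n" + revocations, end="")
```
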

It seems that GitHub engineers pay more attention to github/feedback. I added a comment to "Allow using SSH keys to sign commits" (Discussion #7744, github/feedback); interested people should probably follow that discussion.