GitHub currently supports GPG and S/MIME signatures in the UI. Recently, git added the ability to also sign commits with SSH keys:
- ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen by FStelzer · Pull Request #1041 · git/git · GitHub
This was released with git 2.34.0.
It would be nice if GitHub would support SSH keys in a number of ways:
- Option to sign web-based merges with an SSH key, make public keys available for verification outside GitHub.
- Allow (at organization or repository level) an “allowed signers” file, either hardcoded, or via a provided URL (for verification via web UI).
- Allow (at organization or repository level) a key revocation list, either hardcoded, or via a provided URL (for verification via web UI).
- Ability to auto-generate an organization’s allowed signers from the public keys registered by its members (note that supporting valid-before/valid-after attributes might also be useful here).
- Show good/bad signatures using the above mechanisms in the web UI.
Above is a full list of features I can think of that might be able to take advantage of SSH key signing, but any progress on the list would be very welcome.
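
The auto-generation item in the list above, as an added example that is not part of the original post and is not GitHub or git code: it renders an allowed-signers file in the ssh-keygen(1) format from a constructed member-to-keys mapping, bounds each key with valid-after/valid-before, and checks which principal a key maps to at a given time. The `MEMBERS` data, the placeholder key blobs and the function names are assumptions made for the illustration.

```python
from datetime import datetime, timezone

UTC = timezone.utc
# Constructed sample: principal -> [(public key line, registered, removed or None)].
# The key blobs are placeholders, not real keys.
MEMBERS = {
    "alice@example.org": [
        ("ssh-ed25519 AAAAPLACEHOLDERALICE alice@laptop", datetime(2022, 1, 10, tzinfo=UTC), None),
    ],
    "bob@example.org": [
        ("ssh-ed25519 AAAAPLACEHOLDERBOBOLD bob@old", datetime(2021, 11, 20, tzinfo=UTC),
         datetime(2023, 3, 1, tzinfo=UTC)),
        ("ssh-ed25519 AAAAPLACEHOLDERBOBNEW bob@new", datetime(2023, 3, 1, tzinfo=UTC), None),
    ],
}
# YYYYMMDDHHMMSS, one of the forms ssh-keygen(1) accepts; written here in UTC,
# while ssh-keygen reads a bare timestamp in the verifier's local time zone.
FMT = "%Y%m%d%H%M%S"


def build_allowed_signers(members):
    """Render one allowed-signers line per registered key, scoped to git signatures."""
    lines = []
    for principal in sorted(members):
        for pubkey, registered, removed in members[principal]:
            keytype, blob = pubkey.split()[:2]  # drop the key comment
            opts = ['namespaces="git"', "valid-after=" + registered.strftime(FMT)]
            if removed is not None:
                opts.append("valid-before=" + removed.strftime(FMT))
            lines.append(f"{principal} {','.join(opts)} {keytype} {blob}")
    return "\n".join(lines) + "\n"


def signers_at(allowed_signers, keytype, blob, when):
    """Principals whose entry for this key covers `when` (bounds are inclusive)."""
    found = []
    for line in allowed_signers.splitlines():
        # A plain split is enough for the lines generated above (no spaces in options).
        principal, opts, ktype, kblob = line.split()
        if (ktype, kblob) != (keytype, blob):
            continue
        window = dict(o.split("=", 1) for o in opts.split(",") if o.startswith("valid-"))
        parse = lambda s: datetime.strptime(s, FMT).replace(tzinfo=UTC)
        after = parse(window["valid-after"]) if "valid-after" in window else None
        before = parse(window["valid-before"]) if "valid-before" in window else None
        if (after is None or when >= after) and (before is None or when <= before):
            found.append(principal)
    return found


if __name__ == "__main__":
    print(build_allowed_signers(MEMBERS), end="")
```

The validity window lets a rotated key keep verifying commits signed while it was registered, without being accepted for commits dated after its removal.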