GPG support? (like SSH)

New Contributor

5 months ago

Big +1

SSH commit signing is fine until you need to rotate keys. Revoking a GPG key will continue to show commits in GitHub (unsure about GitLab) as "verified (expired)". The only way I've found to do the same with SSH keys is to remove the old key completely, but then commits show as "unverified" which defeats the point of supply chain integrity since it's not possible to distinguish a commit that was signed with an old key, or a commit that was not signed, or signed with another key that's not allowed.

The alternative is to not rotate signing keys, but then you compromise supply chain integrity further by not ensuring keys are rotated in a timely fashion.

Forum Discussion

Recent Discussions

Revoked service accounts

my 1password cli can't connect the app

IP list for SCIM bridge?

Give preference to 1p ssh key defined in git config

1Password SSH Agent how to set specific ssh key