... | ... | @@ -1179,6 +1179,26 @@ Obviously, this is not quite practical and is shown only as a more |
|
|
radical example, as a stand-in for the other end of the
|
|
|
decentralization spectrum.
|
|
|
|
|
|
### Stelzer: ssh signatures
|
|
|
|
|
|
Fabian Stelzer made a [pull request for git](https://github.com/git/git/pull/1041) which was actually
|
|
|
[merged](https://github.com/git/git/commit/18c6653da0be924f83415f987d76f6813b81f086) in October 2021 and therefore might make it to 2.34. The
|
|
|
PR adds support for SSH signatures on top of the already existing
|
|
|
OpenPGP and X.509 systems that git already supports.
|
|
|
|
|
|
It does not address the above issues of "which commits to sign" or
|
|
|
"where to store keys", but it does allow users to drop the
|
|
|
OpenPGP/GnuPG dependency if they so desire. Note that there may be
|
|
|
compatibility issues with different OpenSSH releases, as the PR
|
|
|
explicitly says:
|
|
|
|
|
|
> I will add this feature in a follow up patch afterwards since the
|
|
|
> released 8.7 version has a broken ssh-keygen implementation which
|
|
|
> will break ssh signing completely.
|
|
|
|
|
|
We do not currently have plans to get rid of OpenPGP internally, but
|
|
|
it's still nice to have options.
|
|
|
|
|
|
### Other caveats
|
|
|
|
|
|
Also note that git has limited security guarantees regarding
|
... | ... | |
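Review bot: In the new "Stelzer: ssh signatures" section, the quoted PR text ("I will add this feature in a follow up patch afterwards since the released 8.7 version has a broken ssh-keygen implementation") has no antecedent for "this feature", so the reader cannot tell what was deferred or which signing functionality is affected. Add a sentence before the quote that names the deferred feature, and say explicitly that 8.7 is an OpenSSH release, since the paragraph only speaks of "different OpenSSH releases" in general. Two smaller wording points in the same section: "on top of the already existing OpenPGP and X.509 systems that git already supports" says "already" twice and can drop one, and "therefore might make it to 2.34" will go stale quickly, so consider rewording it once the release containing the merge is known.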