
It’s better than not signing at all, though, which appears to be the current status quo.

You can also sign with a different key than your “regular” ssh key(s), and as such reduce the chance you’ll have to replace them.

Having said that, key rotation and distribution is obviously better with GPG, and I personally have been using that for years.




Commit signing with S/MIME also works great. The downside is that you have to buy an "email" S/MIME cert from one of the usual cert gatekeepers for a couple of dollars, but in return anyone can verify the signatures without exchanging public keys with me (or building a web of trust), and expiration and revocation are solved problems (including verifying signatures made with keys that are now expired, which seems not really supported with SSH keys).


You may want to check out https://github.com/sigstore/gitsign! You can generate ephemeral x509 code signing certs for free using Sigstore.

(disclosure: I'm a maintainer for gitsign)


Wow! This looks like an incredible ecosystem for managing signatures and for verifying the software artifact supply chain.


How is expiration a solved problem? You won't be able to verify commits after the cert expired without additional information because you don't know that the commit timestamp is valid. For code signing there are timestamping services to solve this, but this means that you are now dependent on a central authority which could just host verified hashes without all the crypto mess.
