637 points | h1x | 1 comment

pizza (No.29208734)
I get that they're "public" keys, but I was surprised to learn (and from somebody other than github themselves) that ssh public keys are just available at that github.com/username.keys URL (without there being an option to disable it, it seems?). Did most people already know that? Probably fine but just surprised. Just tried searching their authentication docs [0] and I don't get any results for "public key url" either

https://docs.github.com/en/authentication?query=public+key+u...

tomxor (No.29209073)
I had a different concern... if people eventually start to use SSH keys to sign git commits (as the article suggests will soon be possible), people can't validate GitHub commit sigs with GitHub public keys directly at one point in time... because if one is compromised, so is the other.

The only way GitHub could be used as key distribution for this purpose would be if individuals take (and keep) a copy of every public key they are interested in for future verification, in case an attacker changes it. But then I guess any public key distribution system has this problem??

pas (No.29209156)
Ideally GitHub or any key distribution server just works as a dumb registry, the trust should flow from different systems. Of course in practice people just rely on the registry anyway.
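The pinning approach tomxor describes, with the registry treated as the dumb source pas describes, as an added example (not code from the thread or from GitHub): the script parses the authorized_keys-format lines that a `https://github.com/<username>.keys` response contains, computes the same SHA256 fingerprints `ssh-keygen -lf` prints, diffs a previously pinned snapshot against a fresh fetch so a key swap shows up as a removal plus an addition rather than silently updating trust, and renders the pinned set as lines for git's `gpg.ssh.allowedSignersFile`. The two key sets are constructed inline from throwaway bytes so the script runs offline; they are syntactically valid `ssh-ed25519` lines but not real keys, and the principal name `alice` is a placeholder.

```python
"""Pin SSH public keys served by a registry and diff them against a later fetch.

Added example for the thread above; not GitHub's code. The key material below
is constructed so the script runs offline; none of it is a real key.
"""
import base64
import hashlib


def ssh_key_fingerprint(line):
    """Return the OpenSSH-style fingerprint (SHA256:<base64, no padding>) of one key line.

    This is the value `ssh-keygen -lf` prints: sha256 over the raw key blob.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError(f"not an OpenSSH public key line: {line!r}")
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keys(text):
    """Map fingerprint -> (key type, base64 blob) for every key line in a .keys response."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        keys[ssh_key_fingerprint(line)] = (fields[0], fields[1])
    return keys


def diff_keys(pinned, fetched):
    """Compare a pinned snapshot with a fresh fetch, keyed by fingerprint.

    A key that was replaced shows up as one removal and one addition; only
    "unchanged" keys should ever be trusted without out-of-band confirmation.
    """
    return {
        "added": sorted(set(fetched) - set(pinned)),
        "removed": sorted(set(pinned) - set(fetched)),
        "unchanged": sorted(set(pinned) & set(fetched)),
    }


def allowed_signers(principal, keys):
    """Render git allowed-signers lines ("principal key-type blob") from pinned keys."""
    return "".join(f"{principal} {ktype} {blob}\n" for ktype, blob in keys.values())


# --- constructed sample data (NOT real keys) ---------------------------------

def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def fake_ed25519_line(seed):
    """Build a syntactically valid ssh-ed25519 line from 32 constructed bytes.

    The "public key" is just sha256(seed); it is deterministic, not a real key.
    GitHub's .keys endpoint returns type and blob only, so no comment field.
    """
    pub = hashlib.sha256(seed.encode()).digest()  # 32 bytes, constructed
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pub)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()}"


# Snapshot taken earlier and stored locally (constructed).
PINNED_KEYS_TEXT = "\n".join([fake_ed25519_line("laptop"), fake_ed25519_line("yubikey")])
# What the registry serves today: "yubikey" has been swapped for another key (constructed).
FETCHED_KEYS_TEXT = "\n".join([fake_ed25519_line("laptop"), fake_ed25519_line("attacker")])


def audit(pinned_text, fetched_text):
    """Return the diff between pinned and fetched key sets."""
    return diff_keys(parse_keys(pinned_text), parse_keys(fetched_text))


if __name__ == "__main__":
    result = audit(PINNED_KEYS_TEXT, FETCHED_KEYS_TEXT)
    for kind in ("unchanged", "added", "removed"):
        for fp in result[kind]:
            print(f"{kind:9s} {fp}")
    # Only the pinned snapshot, never the fresh fetch, feeds the signer list.
    print(allowed_signers("alice", parse_keys(PINNED_KEYS_TEXT)), end="")
```

In use, the pinned snapshot would come from a file you saved after checking the fingerprints with the key owner over some other channel, and the fetched text from `curl https://github.com/<username>.keys`; the output of `allowed_signers` is the file git reads when `gpg.ssh.allowedSignersFile` is set, so a key the registry later swaps in never becomes a trusted signer just because it is served at that URL.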