Best practice to revoke an OpenPGP key/subkey used in GitHub #78989
To the best of my knowledge, GitHub now verifies commits that were signed with a key that was once valid, even after the key is revoked (non-compromised) or expired. See Improved verification of historic Git commit signatures. However, directly deleting existing GPG keys still results in the commits that were signed with them being turned unverified. Is there any official best practice that guides users to revoke GPG keys and terminate their validation on GitHub while retaining the verification status of previous commits?
Replies: 2 comments 3 replies
I accidentally removed an old GPG key from GitHub, and all commits signed with it are marked unverified. Hope there is a better solution like GitLab's soon.
Revoking a GPG key/subkey and terminating its validation on GitHub while retaining the verification status of previous commits involves several steps:
1. Generate a revocation certificate for your GPG key if you haven't already.
2. Import the revocation certificate into your keyring.
3. Send the revoked key to the key-server.
4. Remove the GPG key from GitHub.
5. Add the new key that you copied.
Please note that your previous commits and tags will show as verified, as long as the key meets all other verification requirements.
However, if a key is removed, GitHub will no longer list the commits as verified. But the commits that were made will remain signed and can be verified from the …
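The local half of the procedure above (generate a revocation certificate, import it, export the revoked key for publication), run end to end in a throwaway keyring, as an added example that is not code from this discussion or from GitHub. It assumes GnuPG 2.1 or newer, which writes a revocation certificate into `openpgp-revocs.d/` at key creation; the identity `Demo Signer <demo@example.invalid>` and the file standing in for a commit are constructed for the demo. The steps that contact a keyserver or GitHub are shown as comments only, so everything runs offline:

```shell
#!/bin/sh
# Added example (not from the discussion above). Walks through the local steps
# of revoking an OpenPGP key with a throwaway key: sign a file, import the
# revocation, and show that the earlier signature still verifies, with gpg now
# reporting REVKEYSIG ("good signature, but the key is revoked") instead of
# GOODSIG. Requires GnuPG 2.1+; keyserver and GitHub steps are comments only.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg (GnuPG 2.1+) is required for this demo" >&2; exit 0; }

# Isolated keyring so the real one is never touched; removed on exit.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }
trap cleanup EXIT
printf 'allow-loopback-pinentry\n' >"$GNUPGHOME/gpg-agent.conf"

# Hypothetical identity and a file that stands in for a commit (constructed).
UID_STR='Demo Signer <demo@example.invalid>'
DATA="$GNUPGHOME/commit.txt"

# Status keyword gpg emits for the stored signature:
# GOODSIG, REVKEYSIG, EXPKEYSIG or BADSIG (see GnuPG's doc/DETAILS).
sig_status() {
  gpg --batch --status-fd 1 --verify "$DATA.sig" "$DATA" 2>/dev/null |
    awk '$1 == "[GNUPG:]" && $2 ~ /^(GOODSIG|REVKEYSIG|EXPKEYSIG|BADSIG)$/ { print $2; exit }'
}

# Validity flag of the primary key in the local keyring (--with-colons field 2):
# "u" (ultimate) for a key we just generated, "r" once it is revoked.
key_validity() {
  gpg --batch --with-colons --list-keys "$FPR" 2>/dev/null | awk -F: '$1 == "pub" { print $2; exit }'
}

# 0. Create the throwaway signing key (no passphrase, loopback pinentry so no
#    prompt) and sign the file with it while the key is still valid.
gpg --batch --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "$UID_STR" ed25519 sign never
FPR=$(gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
printf 'feat: demo commit\n' >"$DATA"
gpg --batch --pinentry-mode loopback --passphrase '' \
    --local-user "$FPR" --detach-sign "$DATA"
BEFORE=$(sig_status)           # GOODSIG: key still valid

# 1. Revocation certificate. GnuPG 2.1+ already stored one at key creation
#    (reason "no reason specified"); `gpg --gen-revoke "$FPR"` would let you
#    choose a reason such as "key is no longer used", but it is interactive.
#    The stored copy has a ':' in front of the BEGIN line to prevent accidental
#    import, so strip it. (Revoking a single subkey instead is done with
#    `revkey` inside `gpg --edit-key`, also interactive, and not shown here.)
sed 's/^:-----BEGIN/-----BEGIN/' "$GNUPGHOME/openpgp-revocs.d/$FPR.rev" >"$GNUPGHOME/revoke.asc"

# 2. Import it: the key is now marked revoked in the local keyring, but the
#    signature made earlier is still cryptographically good.
gpg --batch --import "$GNUPGHOME/revoke.asc"
AFTER=$(sig_status)            # REVKEYSIG: good signature, key revoked

# 3. Publish the revoked public key. The export is what you would send to the
#    keyserver you used before (`gpg --send-keys "$FPR"`, needs network).
gpg --batch --armor --export "$FPR" >"$GNUPGHOME/revoked-pubkey.asc"

# 4./5. Update GitHub (Settings > SSH and GPG keys, or the `gh gpg-key`
#    subcommands). As the replies above note, deleting the key there is what
#    turns the old commits unverified, so do that step deliberately.

echo "before revocation: $BEFORE  after revocation: $AFTER  key validity now: $(key_validity)"
```

Running it prints `before revocation: GOODSIG  after revocation: REVKEYSIG  key validity now: r`, which is the command-line verification the reply above refers to: the signature stays good, gpg only adds a warning that the key has since been revoked. The thread's own takeaway is that step 4, removing the key from GitHub, is the action that costs the verified badge on earlier commits.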