On Mon, 2021-09-13 at 19:31 +0000, Marvin Häuser wrote:
> Hey Pedro,
> 
> Same point as before really, why would an attacker have access to
> your SSH key but not your GPG key? This scenario leaves out the
> possibility of an HTTPS over SSH attack, in which case as a security-
> aware person you use 2FA of course ( :) ), which means this is not
> possible without creating a personal access token. There is very
> little reason to do this at all - I never did this before, and I
> don't know anyone who does this with their private or work GitHub
> account (I think a few use it for CI?), at least that I know of. And
> even if you need one, and you give it push rights to actually push
> with, and you require GPG signatures globally, you again are keeping
> those two factors at least close together, if not in the same spot.

I think the scenario in question was someone hacking into GitHub.  They
can bypass your ssh login requirement without needing your key, because
that's enforced by GitHub, but they can't sign your commit unless they
compromise your laptop or token.  There are many ways of hacking a
cloud service besides simply trying to fake the login or extract the
token from the user.

The way we get around this in Linux is with signed tags, but GitHub
doesn't support that workflow.

I still really don't think signed commits add much, even to GitHub,
because to be informationally useful, all commits have to be signed.
Plus, anyway, if the entire site is compromised there'll be bigger
problems than checking commit signatures ...

James