Matthew GarrettAnyone out there at GitHub: could you please add support for adding an SSH CA key to a repo and then enforcing that commits be signed with a certificate signed by that CA? This is already supported in git, and would let orgs just upload their CA and enforce signatures without needing to manage keys for individual users.
James Just James@mjg59 If a company did this, and an engineer left the company, and then they changed the cert, would this break all historical verification?
@purpleidea verification is already a one shot because it needs to be marked verified even if the cert expired later
@mjg59 So if companies use this it's fine because GitHub performs and then stores that verification flag once on push, but say for anyone else down the road not using GitHub, it would not verify correctly if they didn't check when the cert still had that user in...
Am I understanding that right?
@purpleidea Eh not really - the cert is in the signature so if you have a reason to trust the cert you can independently verify that at any time