Blog post about my #bsidessf talk on using SSH certificates for git signing: https://codon.org.uk/~mjg59/blog/p/ssh-certificates-and-git-signing/
SSH certificates and git signing

When you’re looking at source code it can be helpful to have some evidence indicating who wrote it. Author tags give a surface-level indication, but it turns out you can just lie, and if someone isn’t paying attention when merging stuff there’s certainly a risk that a commit could be merged with an author field that doesn’t represent reality. Account compromise can make this even worse - a PR being opened by a compromised user is going to be hard to distinguish from the authentic user.

@mjg59 this is neat. Would it be sensible to try to generalize this so that the SSH cert is the general root of trust/identity? Like wedging it into RPC authentication too, or at least deriving an RPC credential from the ssh cert?
@myx You can use an SSH cert as proof of ownership of a private key, which means you can issue any other sort of identity you want based on that. If you're ok with RPC all being over SSH then this is pretty trivial - have the remote side prove its identity via SSH certificate as well and then you have a mutually authenticated channel, and then https://mjg59.dreamwidth.org/69646.html
SSH agent extensions as an arbitrary RPC mechanism

A while back, I wrote about using the SSH agent protocol to satisfy WebAuthn requests (https://mjg59.dreamwidth.org/61232.html). The main problem with this approach is that it required starting the SSH agent with a special argument and also involved being a little too friendly with the i

@myx The difficult part of this is, as always, how do you bootstrap the initial identity, and now I'm thinking a service that somehow exchanges TLS certs for SSH certs, oh no