![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
kiya) wrote2026-03-21 06:54 pm
![[syndicated profile]](https://www.dreamwidth.org/img/silk/identity/feed.png){kind=small}
dotaturls_feed) wrote2026-03-21 05:25 amkaberett) wrote2026-03-21 10:12 pmToday was A Travel Day; yesterday, in preparation for same, I Ran Errands, including "acquiring Tiny Cake" and "visiting the pharmacy".
On the way from those two jobs to the next couple, I passed Several Good Things.
One was a new-to-me flavour of completely ridiculous daffodil:
It's a double not in the sense of having a confusing froth of intermingled trumpets (as of Double Fashion or Double Camparnelle, both of which exist locally), but in the sense of having two nested trumpets, one shorter and orange, from which the longer white one protrudes. I have never! previously! seen a thing like this! I am really enjoying my current streak of encountering varieties of daffodil that make me go "what the fuck???"
Shortly thereafter I checked over my shoulder while crossing a tiny bridge and was startled and delighted to see A COOT UPON THE NEST that, last I passed it, was clearly still derelict. Obviously I went back and Gazed Upon It for Some Time and was eventually rewarded by it STANDING UP to reveal SEVEN??? (possibly) EGGS!!!
And the Egyptian goslings were peeping about the place when I subsequently passed them on my way back up the hill. A+ errands would run again.
mjg59_codon_feed) wrote2026-03-21 12:38 pmWhen you’re looking at source code it can be helpful to have some evidence indicating who wrote it. Author tags give a surface level indication, but it turns out you can just lie and if someone isn’t paying attention when merging stuff there’s certainly a risk that a commit could be merged with an author field that doesn’t represent reality. Account compromise can make this even worse - a PR being opened by a compromised user is going to be hard to distinguish from the authentic user. In a world where supply chain security is an increasing concern, it’s easy to understand why people would want more evidence that code was actually written by the person it’s attributed to.
git has support for cryptographically signing commits and tags. Because git is about choice even if Linux isn’t, you can do this signing with OpenPGP keys, X.509 certificates, or SSH keys. You’re probably going to be unsurprised about my feelings around OpenPGP and the web of trust, and X.509 certificates are an absolute nightmare. That leaves SSH keys, but bare cryptographic keys aren’t terribly helpful in isolation - you need some way to make a determination about which keys you trust. If you’re using someting like GitHub you can extract that information from the set of keys associated with a user account1, but that means that a compromised GitHub account is now also a way to alter the set of trusted keys and also when was the last time you audited your keys and how certain are you that every trusted key there is still 100% under your control? Surely there’s a better way.
And, thankfully, there is. OpenSSH supports certificates, an SSH public key that’s been signed by some trusted party and so now you can assert that it’s trustworthy in some form. SSH Certificates also contain metadata in the form of Principals, a list of identities that the trusted party included in the certificate. These might simply be usernames, but they might also provide information about group membership. There’s also, unsurprisingly, native support in SSH for forwarding them (using the agent forwarding protocol), so you can keep your keys on your local system, ssh into your actual dev system, and have access to them without any additional complexity.
And, wonderfully, you can use them in git! Let’s find out how.
There’s two main parameters you need to set. First,
|
|
because unfortunately for historical reasons all the git signing config is
under the gpg namespace even if you’re not using OpenPGP. Yes, this makes
me sad. But you’re also going to need something else. Either
user.signingkey needs to be set to the path of your certificate, or you
need to set gpg.ssh.defaultKeyCommand to a command that will talk to an
SSH agent and find the certificate for you (this can be helpful if it’s
stored on a smartcard or something rather than on disk). Thankfully for you,
I’ve written one. It will
talk to an SSH agent (either whatever’s pointed at by the SSH_AUTH_SOCK
environment variable or with the -agent argument), find a certificate
signed with the key provided with the -ca argument, and then pass that
back to git. Now you can simply pass -S to git commit and various other
commands, and you’ll have a signature.
This is a bit more annoying. Using native git tooling ends up calling out to
ssh-keygen2, which validates signatures against a file in a format
that looks somewhat like authorized-keys. This lets you add something like:
|
|
which will match all principals (the wildcard) and succeed if the signature is made with a certificate that’s signed by the key following cert-authority. I recommend you don’t read the code that does this in git because I made that mistake myself, but it does work. Unfortunately it doesn’t provide a lot of granularity around things like “Does the certificate need to be valid at this specific time” and “Should the user only be able to modify specific files” and that kind of thing, but also if you’re using GitHub or GitLab you wouldn’t need to do this at all because they’ll just do this magically and put a “verified” tag against anything with a valid signature, right?
Haha. No.
Unfortunately while both GitHub and GitLab support using SSH certificates
for authentication (so a user can’t push to a repo unless they have a
certificate signed by the configured CA), there’s currently no way to say
“Trust all commits with an SSH certificate signed by this CA”. I am unclear
on why. So, I wrote my
own. It takes a range of
commits, and verifies that each one is signed with either a certificate
signed by the key in CA_PUB_KEY or (optionally) an OpenPGP key provided in
ALLOWED_PGP_KEYS. Why OpenPGP? Because even if you sign all of your own
commits with an SSH certificate, anyone using the API or web interface will
end up with their commits signed by an OpenPGP key, and if you want to have
those commits validate you’ll need to handle that.
In any case, this should be easy enough to integrate into whatever CI pipeline you have. This is currently very much a proof of concept and I wouldn’t recommend deploying it anywhere, but I am interested in merging support for additional policy around things like expiry dates or group membership.
Of course, certificates don’t buy you any additional security if an attacker is able to steal your private key material - they can steal the certificate at the same time. This can be avoided on almost all modern hardware by storing the private key in a separate cryptographic coprocessor - a Trusted Platform Module on PCs, or the Secure Enclave on Macs. If you’re on a Mac then Secretive has been around for some time, but things are a little harder on Windows and Linux - there’s various things you can do with PKCS#11 but you’ll hate yourself even more than you’ll hate me for suggesting it in the first place, and there’s ssh-tpm-agent except it’s Linux only and quite tied to Linux.
So, obviously, I wrote my own. This makes use of the go-attestation library my team at Google wrote, and is able to generate TPM-backed keys and export them over the SSH agent protocol. It’s also able to proxy requests back to an existing agent, so you can just have it take care of your TPM-backed keys and continue using your existing agent for everything else. In theory it should also work on Windows3 but this is all in preparation for a talk I only found out I was giving about two weeks beforehand, so I haven’t actually had time to test anything other than that it builds.
And, delightfully, because the agent protocol doesn’t care about where the keys are actually stored, this still works just fine with forwarding - you can ssh into a remote system and sign something using a private key that’s stored in your local TPM or Secure Enclave. Remote use can be as transparent as local use.
Ah yes you may be wondering why I’m using go-attestation and why the term “attestation” is in my agent’s name. It’s because when I’m generating the key I’m also generating all the artifacts required to prove that the key was generated on a particular TPM. I haven’t actually implemented the other end of that yet, but if implemented this would allow you to verify that a key was generated in hardware before you issue it with an SSH certificate - and in an age of agentic bots accidentally exfiltrating whatever they find on disk, that gives you a lot more confidence that a commit was signed on hardware you own.
Using SSH certificates for git commit signing is great - the tooling is a bit rough but otherwise they’re basically better than every other alternative, and also if you already have infrastructure for issuing SSH certificates then you can just reuse it4 and everyone wins.
Did you know you can just download people’s SSH pubkeys from github from https://github.com/<username>.keys? Now you do ↩︎
Yes it is somewhat confusing that the keygen command does things
other than generate keys ↩︎
This is more difficult than it sounds ↩︎
And if you don’t, by implementing this you now have infrastructure for issuing SSH certificates and can use that for SSH authentication as well. ↩︎
spiralsheep) wrote2026-03-21 07:00 pmdotaturls_feed) wrote2026-03-21 01:00 amkiya) wrote2026-03-21 02:30 pmdolorosa_12) wrote2026-03-21 05:52 pmgoodbyebird's mostly good news links roundup. There's some fantastic environmental and sociopolitical news there.![[instagram.com profile]](https://www.dreamwidth.org/img/profile_icons/instagram.png){kind=icon}
wisdm, in which he styles the celestial bodies of the solar system in high fashion clothing, to be breathtakingly good. oursin) wrote2026-03-21 04:44 pmAnd I don't think I've had Edna before??
We were very tired, we were very merry—
We had gone back and forth all night on the ferry.
It was bare and bright, and smelled like a stable—
But we looked into a fire, we leaned across a table,
We lay on a hill-top underneath the moon;
And the whistles kept blowing, and the dawn came soon.
We were very tired, we were very merry—
We had gone back and forth all night on the ferry;
And you ate an apple, and I ate a pear,
From a dozen of each we had bought somewhere;
And the sky went wan, and the wind came cold,
And the sun rose dripping, a bucketful of gold.
We were very tired, we were very merry,
We had gone back and forth all night on the ferry.
We hailed, “Good morrow, mother!” to a shawl-covered head,
And bought a morning paper, which neither of us read;
And she wept, “God bless you!” for the apples and pears,
And we gave her all our money but our subway fares.
dotaturls_feed) wrote2026-03-20 08:37 pmsmbc_comics_feed) wrote2026-03-21 11:20 amskygiants) wrote2026-03-21 10:22 amjames_davis_nicoll) wrote2026-03-21 08:56 am
Which of these look interesting?
The Siren by Tomi Adeyemi (October 2026)
8 (22.2%)
Twined Fates: Tangled Hearts, Book Three by K. Bromberg (October 2026)
0 (0.0%)
Light of the Song by Joyce Ch’Ng (September 2025)
8 (22.2%)
The First Flame by Lily Berlin Dodd (November 2026)
1 (2.8%)
A Destiny So Cruel by Amanda Foody & C. L. Herman (November 2026)
1 (2.8%)
Find Me Where It Ends by Cassandra Khaw (October 2026)
11 (30.6%)
Bad Company by Sara Paretsky (November 2026)
7 (19.4%)
The Kings’ List by Jade Presley (May 2026)
2 (5.6%)
My Unfamiliar by Mara Rutherford (December 2026)
8 (22.2%)
Ghosted by Talia Tucker (November 2026)
3 (8.3%)
The Mystic and the Missing Girl by Vikki Vansickle (September 2026)
6 (16.7%)
The Scarlet Ball by Nghi Vo (October 2026)
12 (33.3%)
Chosen Son by Adrienne Young (November 2026)
2 (5.6%)
Some other option (see comments)
0 (0.0%)
Cats!
29 (80.6%)
dotaturls_feed) wrote2026-03-19 10:20 pmdotaturls_feed) wrote2026-03-21 01:24 amweofodthignen) wrote2026-03-20 11:56 pmmuccamukk) wrote2026-03-20 07:28 pmjulian) wrote2026-03-20 07:59 pmbadfaun here, who lives over in Seattle, and who I have known for uh, 20 years now?, who's in the late stages of metastatic breast cancer, that spread to her brain, and is now in the cerebro spinal fluid, which is impressive in its inventiveness and staying power if nothing else.aerynvale, who's been a rock in all this.julian) wrote2026-03-20 06:01 pm