Collaborative Working Sessions - Signature storage and sharing

  • Most use PGP keys, some use SSH keys for commit signing (YubiKeys support HSM management of SSH keys)
  • Key discovery is not always trivial
  • Unclear story around how to verify signatures
  • Commit signing can be hard, as certain CI/CD systems either sign commits made in their UI with their own key, or show badges such as “commit verified”. This only works if the CI/CD system knows about all the commit signing keys; otherwise it may show “commit not verified”, which can be false or misleading
  • For package managers, Maven contains each maintainer’s public key
  • Similarly for many distributions (they know about maintainers’ public keys)
  • Android uses an allow list of developer keys
  • In general, the storage of allowed keys at rest is not resilient against tampering (e.g. an attack on the server)
  • TUF could be used to secure trusted keys (both at rest and in transit)
  • Some package repositories sign the packages (a package can still be signed by the developer before publishing, i.e. multiple signatures)
  • With PGP, keys can be rotated: new key N+1 can be signed with current key N. This is not possible with SSH keys
  • Summary (for the general case):
    • Key distribution is hard
    • No easy verification flow