Github Security: Only allow verified commit

[gsnw-sebast]

What do you think of the idea of only allowing verified commits?

It does not provide 100% security, but it could contribute to it because the GPG key must match the email address and GPG key stored in the GitHub account.

[gsnw-sebast]

Our “Rebase and Merge” method therefore breaks the verification process.

https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#signature-verification-for-rebase-and-merge

[auerswal]

I am not convinced that this is useful. Whoever controls the GitHub account can change the GPG key. Anyone can create a GPG key for any email address. It seems to me as if this would just add more work for us without significant benefit.

[gsnw-sebast]

Anyone can create a GPG key for any email address.

That's not entirely true. A verified key must match a verified email address in the GitHub account.
The user must control both the GitHub account and the email address.
But you're generally right, with any account and a free email address and matching GPG key, it always comes out as verified.

[auerswal]

Anyone can create a GPG key for any email address. Thus, they can create a new GPG key for a verified email address of the controlled GitHub account, add this key to the account, and then create and push commits using this email address. This does not require control of the email address, only control of the GitHub account.

Please describe the threat model that would be addressed by activating this feature.

[gsnw-sebast]

It was just a thought. But the longer I think about it, the fewer advantages I see in it.

[gsnw-sebast]

I hereby close the discussion.