Common documentation and files across my projects
For the most up-to-date security policy, please see [matrixfurry.com/common](https://tangled.org/@matrixfurry.com/common/blob/main/docs/security.md).

# Reporting
Please report security issues via [SimpleX](https://smp18.simplex.im/a#Wc2x2IBqqwzgmeGkN0XtKrGMLBxFuxmoYgkTGgGgR0M) or [Email](mailto:shiloh@shilohfen.com).

> If you want to send an encrypted email, my public key fingerprint is [DD7EB0BAA822169398828C45103DD5193B6A77CB](https://keys.openpgp.org/vks/v1/by-fingerprint/DD7EB0BAA822169398828C45103DD5193B6A77CB).

Please do not report security issues on the project's issue tracker.

# Commit signing

Commit signing is optional but highly recommended. Once you make your first signed commit, all future commits must be signed.

SSH signing is preferred over PGP signing.

To let others verify your signatures, add your public key to your Tangled profile, and optionally to the `.allowed_signers` file in the project's repo.

When the two disagree, the key on your Tangled profile is trusted over the repo's copy. A key listed in `.revoked_keys` is not trusted from either source.

## Setup
Replace `<YOUR_KEY>` with the SSH key or key file you'd like to use (e.g. `~/.ssh/id_ed25519`). The `.pub` path also works if the private key is loaded in `ssh-agent`, since signing is done by `ssh-keygen -Y sign`.

Git:
```sh
git config --global gpg.format ssh
git config --global user.signingkey <YOUR_KEY>
git config --global commit.gpgsign true
```

Jujutsu:
```sh
jj config set --user signing.behavior own
jj config set --user signing.backend ssh
jj config set --user signing.key <YOUR_KEY>
```

Add the public key to your Tangled profile at https://tangled.org/settings/keys

Optionally, add your public key to the repo's `.allowed_signers` file. Each line is `principal key`, where the principal is the email you commit with:
- Git: `echo "$(git config user.email) $(cat ~/.ssh/id_ed25519.pub)" >> .allowed_signers`
- Jujutsu: `echo "$(jj config get user.email) $(cat ~/.ssh/id_ed25519.pub)" >> .allowed_signers`

Git only consults this file when `gpg.ssh.allowedSignersFile` points at it; without that setting, `git verify-commit` and `git log --show-signature` cannot verify SSH signatures at all.

## Key Revocation
Revoked keys are listed in `.revoked_keys` ([OpenSSH KRL](https://man.openbsd.org/ssh-keygen.1#KEY_REVOCATION_LISTS) format). Keys must never be reinstated or removed from this file. After a revocation, you must create a new key to continue contributing to the project.

A key revocation must be signed by either:
1. The key being revoked
   - Anyone with access to the private key can create the revocation commit

2. A maintainer with proof of compromise
   - The maintainer must have significant evidence that the key has been compromised
   - The maintainer must attempt to reach out to the contributor to confirm
   - The commit message must provide details of why the key is being revoked

### Instructions

Add the key to the `.revoked_keys` file (omit `-u` the first time, when the file does not exist yet; `ssh-keygen -k -u` refuses to update a missing KRL):
```sh
ssh-keygen -k -u -f .revoked_keys <PUBKEY.pub>
```

View the revoked keys:
```sh
ssh-keygen -Q -l -f .revoked_keys
```

Given a public key file as an extra argument, `ssh-keygen -Q` (without `-l`) reports whether that key is revoked and exits non-zero if it is. For Git to honour the list when verifying signatures, point `gpg.ssh.revocationFile` at it.

For more information, see the [ssh-keygen(1) manpage](https://man.openbsd.org/ssh-keygen.1#k)
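The revocation procedure above, as an added example that is not code from the page or the project. It creates the KRL on the first revocation (no `-u`), updates it with `-u` afterwards, queries it with `ssh-keygen -Q`, and shows the consequence the policy relies on: a signature made by a key that is still in `.allowed_signers` is rejected as soon as `ssh-keygen -Y verify` is given the KRL with `-r`, which is also what Git does when `gpg.ssh.revocationFile` is set. The two key names, the principal `alice@example.com`, the `git` signing namespace and the function names are assumptions, not names from the page.

```shell
#!/bin/sh
# Added example, not code from the page or the project: a KRL created and
# updated with ssh-keygen, then used to reject a signature from a revoked key.
# Assumed names (not from the page): keys alice_old_ed25519 / alice_ed25519,
# principal alice@example.com, signing namespace "git".
set -eu

# Adds public key $2 to the KRL $1. "ssh-keygen -k -u" fails when the KRL
# does not exist yet, so the very first key is added without -u.
krl_revoke() {
    if [ -f "$1" ]; then
        ssh-keygen -k -u -f "$1" "$2"
    else
        ssh-keygen -k -f "$1" "$2"
    fi
}

# Returns 0 if public key $2 is NOT listed in KRL $1, 1 if it is revoked
# (ssh-keygen -Q exits non-zero when any checked key is revoked).
krl_key_ok() {
    ssh-keygen -Q -f "$1" "$2" >/dev/null
}

# Signs file $2 with private key $1 in namespace "git", writing $2.sig.
sign_file() {
    ssh-keygen -Y sign -f "$1" -n git "$2"
}

# Verifies $3.sig over $3 for principal $2 against allowed-signers file $1.
# If $4 is non-empty it is passed as the revocation list (-r), so a signature
# from a revoked key fails even though the key is still in $1.
verify_file() {
    if [ -n "$4" ]; then
        ssh-keygen -Y verify -f "$1" -I "$2" -n git -s "$3.sig" -r "$4" < "$3" >/dev/null
    else
        ssh-keygen -Y verify -f "$1" -I "$2" -n git -s "$3.sig" < "$3" >/dev/null
    fi
}

# Builds the scenario (two keys for one principal, both in .allowed_signers,
# one signature from each) and revokes the old key. Exports KRL, ALLOWED,
# OLD_KEY, NEW_KEY, BY_OLD and BY_NEW for further checks.
demo_key_revocation() {
    work=$(mktemp -d)
    OLD_KEY="$work/alice_old_ed25519"
    NEW_KEY="$work/alice_ed25519"
    ALLOWED="$work/.allowed_signers"
    KRL="$work/.revoked_keys"
    BY_OLD="$work/by_old.txt"
    BY_NEW="$work/by_new.txt"
    ssh-keygen -q -t ed25519 -N "" -C alice-old -f "$OLD_KEY"
    ssh-keygen -q -t ed25519 -N "" -C alice -f "$NEW_KEY"

    # Same "principal key" layout the Setup section appends. Both keys stay
    # listed: per the policy, trust is withdrawn via the KRL, not by editing
    # this file.
    {
        printf 'alice@example.com %s\n' "$(cat "$OLD_KEY.pub")"
        printf 'alice@example.com %s\n' "$(cat "$NEW_KEY.pub")"
    } > "$ALLOWED"

    # Constructed payloads, one signed by each key.
    printf 'constructed payload\n' > "$BY_OLD"
    cp "$BY_OLD" "$BY_NEW"
    sign_file "$OLD_KEY" "$BY_OLD"
    sign_file "$NEW_KEY" "$BY_NEW"

    # Before any revocation both signatures verify.
    verify_file "$ALLOWED" alice@example.com "$BY_OLD" ""
    verify_file "$ALLOWED" alice@example.com "$BY_NEW" ""

    # Revoke the old key; this first call creates the KRL file.
    krl_revoke "$KRL" "$OLD_KEY.pub"

    # With the KRL consulted, the old key's signature is rejected while the
    # replacement key still verifies.
    if verify_file "$ALLOWED" alice@example.com "$BY_OLD" "$KRL"; then
        echo "signature from revoked key was accepted" >&2
        return 1
    fi
    verify_file "$ALLOWED" alice@example.com "$BY_NEW" "$KRL"
}

demo_key_revocation
ssh-keygen -Q -l -f "$KRL"   # the page's listing command, on the KRL just built
```

The `-r` argument accepts either a KRL or a plain list of public keys, so the same `.revoked_keys` file serves both `ssh-keygen -Y verify` and Git's `gpg.ssh.revocationFile`. Because the old key stays in `.allowed_signers`, the check only becomes effective when the revocation list is actually passed in; verifying without `-r` would still accept it.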