For the most up-to-date security policy, please see [matrixfurry.com/common](https://tangled.org/@matrixfurry.com/common/blob/main/docs/security.md).

# Reporting

Please report security issues via [SimpleX](https://smp18.simplex.im/a#Wc2x2IBqqwzgmeGkN0XtKrGMLBxFuxmoYgkTGgGgR0M) or [Email](mailto:shiloh@shilohfen.com).

> If you want to send an encrypted email, my public key fingerprint is [DD7EB0BAA822169398828C45103DD5193B6A77CB](https://keys.openpgp.org/vks/v1/by-fingerprint/DD7EB0BAA822169398828C45103DD5193B6A77CB).

Please do not report security issues on the project's issue tracker.

# Commit signing

Commit signing is optional but highly recommended. Once you make your first signed commit, all of your future commits must be signed. SSH signing is preferred over PGP signing.

To enable signature verification, add your public key to your Tangled profile and, optionally, to the `.allowed_signers` file in the project's repo. If the two disagree, the key on the Tangled profile is trusted over the repo's copy; a key listed in `.revoked_keys` is trusted from neither source.

## Setup

Replace `<key>` with the SSH key or keyfile you'd like to use (e.g. `~/.ssh/id_ed25519`).

Git:

```sh
git config --global gpg.format ssh
git config --global user.signingkey <key>
git config --global commit.gpgsign true
```

Jujutsu:

```sh
jj config set --user signing.behavior own
jj config set --user signing.backend ssh
jj config set --user signing.key <key>
```

Add the public key to your Tangled profile at https://tangled.org/settings/keys

Optionally, add your public key to the repo's `.allowed_signers` file (one `email public-key` line per key, run from inside the repo so the configured email is picked up):

- Git: `echo "$(git config user.email) $(cat ~/.ssh/id_ed25519.pub)" >> .allowed_signers`
- Jujutsu: `echo "$(jj config get user.email) $(cat ~/.ssh/id_ed25519.pub)" >> .allowed_signers`

## Key Revocation

Revoked keys are listed in `.revoked_keys` ([OpenSSH KRL](https://man.openbsd.org/ssh-keygen.1#KEY_REVOCATION_LISTS) format). Keys must never be reinstated or removed from this file. After a revocation, you must create a new key to continue contributing to the project.

A key revocation commit must be signed by either:

1. The key being revoked
   - Anyone with access to the private key can create the revocation commit
2. A maintainer with proof of compromise
   - The maintainer must have significant evidence that the key has been compromised
   - The maintainer must attempt to reach out to the contributor to confirm
   - The commit message must provide details of why the key is being revoked

### Instructions

Add the key to the `.revoked_keys` file, where `<key>` is the public key (or public key file) being revoked. The `-u` flag updates the existing KRL in place so earlier revocations are kept; omit it only when creating the file for the first time, since without `-u` a new KRL replaces the existing one:

```sh
ssh-keygen -k -u -f .revoked_keys <key>
```

View the revoked keys:

```sh
ssh-keygen -Q -l -f .revoked_keys
```

For more information, see the [ssh-keygen(1) manpage](https://man.openbsd.org/ssh-keygen.1#k).