For the most up-to-date security policy, please see matrixfurry.com/common.
## Reporting
Please report security issues privately via SimpleX or email. Do not report security issues on the project's public issue tracker.
If you want to send an encrypted email, my public key fingerprint is DD7EB0BAA822169398828C45103DD5193B6A77CB.
## Commit signing
Commit signing is optional but highly recommended. Once you make your first signed commit, all of your subsequent commits must be signed as well.
SSH signing is preferred over PGP signing.
To enable signature verification, add your public key to your Tangled profile and, optionally, to the .allowed_signers file in the project's repository.
If the two disagree, the key on the Tangled profile takes precedence over the repo's .allowed_signers copy. A key listed in .revoked_keys is never trusted, regardless of where else it appears.
### Setup
Replace <YOUR_KEY> with the SSH key or key file you'd like to use (e.g. ~/.ssh/id_ed25519). For Git, this can be the path to the private key, the path to the public key when the private key is loaded in ssh-agent, or the key itself prefixed with `key::`.
Git:
```sh
git config --global gpg.format ssh
git config --global user.signingkey <YOUR_KEY>
git config --global commit.gpgsign true
```
Jujutsu:
```sh
jj config set --user signing.behavior own
jj config set --user signing.backend ssh
jj config set --user signing.key <YOUR_KEY>
```
Add the public key to your Tangled profile at https://tangled.org/settings/keys
Optionally, add your public key to the repo's .allowed_signers file. Each line is a principal (the email you commit with) followed by the public key, so make sure your email is configured before running the command:
- Git:
  ```sh
  echo "$(git config user.email) $(cat ~/.ssh/id_ed25519.pub)" >> .allowed_signers
  ```
- Jujutsu:
  ```sh
  echo "$(jj config get user.email) $(cat ~/.ssh/id_ed25519.pub)" >> .allowed_signers
  ```
## Key Revocation
Revoked keys are listed in .revoked_keys (OpenSSH KRL format). Keys must never be reinstated or removed from this file. After a revocation, you must create a new key to continue contributing to the project.
A key revocation must be signed by either:
- The key being revoked
  - Anyone with access to the private key can create the revocation commit
  - Once the KRL is updated, verifiers that use it will report the revocation commit's own signature as coming from a revoked key; that is expected for a self-revocation
- A maintainer with proof of compromise
  - The maintainer must have significant evidence that the key has been compromised
  - The maintainer must attempt to reach out to the contributor to confirm
  - The commit message must provide details of why the key is being revoked
### Instructions
Add the key to the .revoked_keys file (`-u` updates an existing KRL, so omit it the first time, when the file does not exist yet):
```sh
ssh-keygen -k -u -f .revoked_keys <PUBKEY.pub>
```
View the revoked keys:
```sh
ssh-keygen -Q -l -f .revoked_keys
```
To check whether one specific key is revoked, pass it to `ssh-keygen -Q -f .revoked_keys <PUBKEY.pub>` without `-l`; it prints `ok` or `REVOKED` for each key and exits non-zero if any key is revoked.
For more information, see the ssh-keygen(1) manpage.