Message ID | pull.1041.v6.git.git.1627501009.gitgitgadget@gmail.com (mailing list archive) |
---|---|
Series | ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen |
On 29/07/21 02.36, Fabian Stelzer via GitGitGadget wrote:
> openssh 8.7 will add valid-after, valid-before options to the allowed keys
> keyring. This allows us to pass the commit timestamp to the verification
> call and make key rollover possible and still be able to verify older
> commits. Set valid-after=NOW when adding your key to the keyring and set
> valid-before to make it fail if used after a certain date. Software like
> gitolite/github or corporate automation can do this automatically when ssh
> push keys are added / removed. I will add this feature in a follow-up patch
> afterwards.
>

I read above as "set valid-before=<some date> and valid-after=<now> to limit
key validity for several days from now". Is it right?
On 29.07.21 10:19, Bagas Sanjaya wrote:
> On 29/07/21 02.36, Fabian Stelzer via GitGitGadget wrote:
>> openssh 8.7 will add valid-after, valid-before options to the allowed keys
>> keyring. This allows us to pass the commit timestamp to the verification
>> call and make key rollover possible and still be able to verify older
>> commits. Set valid-after=NOW when adding your key to the keyring and set
>> valid-before to make it fail if used after a certain date. Software like
>> gitolite/github or corporate automation can do this automatically when ssh
>> push keys are added / removed. I will add this feature in a follow-up patch
>> afterwards.
>>
>
> I read above as "set valid-before=<some date> and valid-after=<now> to
> limit key validity for several days from now". Is it right?
>

No. "NOW" is not meant literally but in the sense to add the current date
when adding the key. I'll edit the description. But this feature in general
will follow in a separate patchset with proper documentation anyway.
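The rollover mechanism the reply describes, as an added example that is not part of the thread or of the git patch series: an allowed_signers entry carrying OpenSSH 8.7's `valid-after`/`valid-before` options, and `ssh-keygen -Y verify` driven with `-O verify-time=` so that a signature is checked as of a chosen date rather than the current one (the follow-up patch would pass the commit's own timestamp; here the date is supplied by hand). The key pair, the "commit" payload, the principal `dev@example.com` and the validity window 2021-06-01 to 2021-09-01 are all constructed for the example. It needs `ssh-keygen` from OpenSSH 8.7 or later; on an older or missing OpenSSH it prints `skip` instead of failing.

```shell
#!/bin/sh
# Added example (not from the git patch series or the thread): exercises the
# OpenSSH 8.7 allowed_signers "valid-after"/"valid-before" options together
# with "ssh-keygen -Y verify -O verify-time=...", the mechanism described for
# verifying old commits after a signing-key rollover.
# Assumes: ssh-keygen/ssh from OpenSSH >= 8.7 on PATH, signature namespace
# "git" (the one git uses), and a constructed principal dev@example.com.

# Return 0 when the local OpenSSH is at least 8.7 (first release with the
# verify-time option and the valid-after/valid-before keyring options).
openssh_supports_verify_time() {
    command -v ssh-keygen >/dev/null 2>&1 || return 1
    command -v ssh >/dev/null 2>&1 || return 1
    ver=$(ssh -V 2>&1 | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    [ "$1" -gt 8 ] 2>/dev/null || { [ "$1" -eq 8 ] && [ "$2" -ge 7 ]; }
}

# Verify data file "$1" with signature "$2" against allowed_signers "$3"
# for principal "$4" as if the current time were "$5" (YYYYMMDD).
verify_at() {
    ssh-keygen -Y verify -f "$3" -I "$4" -n git -s "$2" \
        -O "verify-time=$5" < "$1" >/dev/null 2>&1
}

# Walk through a rollover: a key that the keyring accepts only between
# 2021-06-01 and 2021-09-01. Prints "ok" and returns 0 when the in-window
# verification succeeds and both out-of-window verifications are rejected;
# prints "skip" and returns 0 when the local OpenSSH is too old.
demo_key_rollover() {
    if ! openssh_supports_verify_time; then
        echo skip
        return 0
    fi
    tmp=$(mktemp -d) || return 1

    # Constructed signing key and constructed commit-like payload.
    ssh-keygen -q -t ed25519 -N "" -f "$tmp/key" || return 1
    printf 'tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n' > "$tmp/commit"
    printf 'author Dev <dev@example.com> 1626300000 +0000\n\n' >> "$tmp/commit"
    printf 'constructed commit for the rollover example\n' >> "$tmp/commit"

    # Sign in the "git" namespace; ssh-keygen writes $tmp/commit.sig.
    ssh-keygen -Y sign -f "$tmp/key" -n git "$tmp/commit" >/dev/null 2>&1 || return 1

    # allowed_signers line: principal, comma-separated options, key type, key.
    # valid-after is the date the key was added; valid-before retires it.
    pub=$(cut -d' ' -f1,2 "$tmp/key.pub")
    printf 'dev@example.com valid-after="20210601",valid-before="20210901" %s\n' "$pub" \
        > "$tmp/allowed_signers"

    result=0
    # Commit dated inside the window: must verify.
    verify_at "$tmp/commit" "$tmp/commit.sig" "$tmp/allowed_signers" \
        dev@example.com 20210715 || result=1
    # Commit dated before the key was added: must be rejected.
    verify_at "$tmp/commit" "$tmp/commit.sig" "$tmp/allowed_signers" \
        dev@example.com 20210101 && result=1
    # Commit dated after the key was retired: must be rejected.
    verify_at "$tmp/commit" "$tmp/commit.sig" "$tmp/allowed_signers" \
        dev@example.com 20211001 && result=1

    rm -rf "$tmp"
    [ "$result" -eq 0 ] && echo ok
    return "$result"
}

demo_key_rollover
```

The same signature is accepted or rejected purely on the date handed to `verify-time`, which is what lets a verifier keep accepting commits made while a since-retired key was valid, while refusing anything that claims to be signed with it outside that window; a signer who controls the commit timestamp can of course backdate into the window, so `valid-before` bounds exposure rather than proving when a commit was made.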