
Revoking a GPG / SSH key must not invalidate existing commit signatures #35546

@jleroy

Description

Feature Description

For security reasons, revoking a GPG / SSH key must not invalidate existing commit signatures, as this discourages users from following security best practices (immediately revoking a key when there is any doubt about a possible compromise, key rotations...).

This is the behavior adopted by GitHub: https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#persistent-commit-signature-verification

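One way a forge can implement the persistent policy the issue asks for, as an added example that is not Gitea's code and not part of the issue: the verification outcome is recorded at push time and a later revocation only affects signatures received after it. The type names, the fingerprint and the timestamps are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Status is what the UI shows next to a commit.
type Status string

const (
	Verified   Status = "verified"
	Unverified Status = "unverified"
)

// SigningKey is a user's GPG or SSH key as stored by the forge.
// RevokedAt stays the zero time while the key is active.
type SigningKey struct {
	Fingerprint string
	RevokedAt   time.Time
}

// VerificationRecord is persisted when a commit is pushed: the server checks the
// signature against the keys valid at that moment and stores the outcome together
// with its own clock reading. The record is never recomputed afterwards.
type VerificationRecord struct {
	KeyFingerprint string
	ReceivedAt     time.Time // server time at push, not the signature's self-reported creation time
	Valid          bool      // cryptographic check passed at push
}

// DisplayStatus applies the persistent policy: a revocation only affects signatures
// received after it. ReceivedAt is used rather than the timestamp embedded in the
// signature because anyone holding a leaked key can backdate that field.
func (r VerificationRecord) DisplayStatus(key *SigningKey) Status {
	if !r.Valid {
		return Unverified
	}
	if key == nil || key.RevokedAt.IsZero() {
		return Verified
	}
	if r.ReceivedAt.Before(key.RevokedAt) {
		return Verified // verified while the key was still good: keep it that way
	}
	return Unverified // received after revocation: the key was no longer trusted
}

func main() {
	// Constructed sample data: one key revoked on 2025-10-01, two signatures around that date.
	key := SigningKey{Fingerprint: "EXAMPLE-FINGERPRINT", RevokedAt: time.Date(2025, 10, 1, 12, 0, 0, 0, time.UTC)}
	earlier := VerificationRecord{KeyFingerprint: key.Fingerprint, ReceivedAt: key.RevokedAt.Add(-48 * time.Hour), Valid: true}
	later := VerificationRecord{KeyFingerprint: key.Fingerprint, ReceivedAt: key.RevokedAt.Add(time.Hour), Valid: true}
	fmt.Println(earlier.DisplayStatus(&key), later.DisplayStatus(&key)) // verified unverified
}
```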
Labels

type/proposal: The new feature has not been accepted yet but needs to be discussed first.
