"Fabian Stelzer via GitGitGadget" <gitgitgadget@xxxxxxxxx> writes: > openssh 8.7 will add valid-after, valid-before options to the allowed keys > keyring. This allows us to pass the commit timestamp to the verification > call and make key rollover possible and still be able to verify older > commits. Set valid-after to the current date when adding your key to the > keyring and set valid-before to make it fail if used after a certain date. > Software like gitolite/github or corporate automation can do this > automatically when ssh push keys are addded / removed I will add this > feature in a follow up patch afterwards. Has this follow-on work happened already? The previous rounds saw enough reviews and responses, but this round didn't. Usually no response means no interest from the community, but let's see if somebody other than the author actually tried the feature, and and want to tell us about their experience, either positive or negative? As the basic step of the topic, possibly to be built upon laster, I am tempted to say that this v7 may want to be cooked in 'next' for wider exposure. I'll typofix the topmost commit before doing so, though. Thanks. 1: 4ff5911494 ! 1: b88bcd013b ssh signing: test that gpg fails for unkown keys @@ Metadata Author: Fabian Stelzer <fs@xxxxxxxxxxxx> ## Commit message ## - ssh signing: test that gpg fails for unkown keys + ssh signing: test that gpg fails for unknown keys Test that verify-commit/tag will fail when a gpg key is completely unknown. To do this we have to generate a key, use it for a signature