Allow archival of GPG keys #14008

nskobelevs · 2022-03-31T20:14:16Z

nskobelevs
Mar 31, 2022

If you change computers often or perform routine wipes your GitHub account will be full of a bunch of GPG keys which become hard to manage and keep track of.

My suggestion is the ability of "archive" a GPG key. This will hide the GPG key from the default screen while still keeping all the signed commits in your history but also prevent stop any new commits from being verified when signed with that key.

I'm not 100% on the details but it would be a nice way to clean up old GPG keys that you don't use anymore but don't want to delete (to keep the commits verified)

off-topic: it would also be nice to be able to give the key's an associated name to keep track of them!

Xevion · 2023-02-09T09:29:53Z

Xevion
Feb 9, 2023

I agree. It's very annoying that I can't delete, get rid of or somehow 'disable' old GPG keys without making all of my thousands of verified commits... unverified.

GitLab has the ability to do this - by deleting a GPG key, it won't verify new commits, but old commits won't be unverified.
In the case that the GPG key is exposed and used maliciously, it can be revoked, where commits will be marked as unverified.

This is one of the very few times where GitLab's free functionality outplays GitHub pretty well.

1 reply

Samuca0800 May 22, 2023

vlw

MrDOS · 2023-05-22T11:23:52Z

MrDOS
May 22, 2023

I think this is a duplicate of https://github.com/orgs/community/discussions/12884.

1 reply

Xevion May 22, 2023

By 15 days - yet this one has more votes and more discussion.

DNin01 · 2023-06-09T20:40:55Z

DNin01
Jun 9, 2023

I believe that now you can delete old GPG keys without the commits becoming "Unverified": https://github.blog/changelog/2022-05-31-improved-verification-of-historic-git-commit-signatures/

1 reply

nskobelevs Jun 9, 2023
Author

I think this article is referring to something else.

I think "revoke" in this context means to revoke a GPG key as in to notify to the world that this key is no longer valid for future use - this is not referring to deleting a key from GitHub itself.

GitHub's own UI says:

Are you sure you want to delete this GPG key?
This action cannot be undone. This will permanently delete the GPG key, and if you’d like to use it
in the future, you will need to upload it again.

Any commits you signed with this key will become unverified after removing it.

abner-simmadhri · 2024-12-01T21:37:45Z

abner-simmadhri
Dec 1, 2024

This is still an ongoing issue with Github. Has there been any progress on this?
We should at least have the ability to remove it while keeping our history verified?

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Allow archival of GPG keys #14008

{{title}}

Replies: 4 comments 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Allow archival of GPG keys #14008

Replies: 4 comments · 3 replies

nskobelevs Jun 9, 2023 Author

Replies: 4 comments 3 replies

nskobelevs Jun 9, 2023
Author