Aren't commits from creation to revocation still supposed to be valid? Commits from after the revocation should obviously be invalid.
I cannot have a public key without the revocation certificate available there, as it's possible to export it from the API and thus miss the fact that it's revoked.
#Gitea seems to handle this correctly.
I think that GitHub's logic is correct because, hypothetically, an attacker who got your signing keys could also commit, and GitHub does not know for how long the attacker has been making those commits (maybe the dev has been on vacation, lost access to his/her keys etc.), so GitHub has no choice but to revoke all commits for the sake of the end user.
@nikolal I see your point, but I don't entirely agree.
Keeping both scenarios in mind, I think something like showing the commit in yellow with text like "revoked" would help, as currently it turns everything gray saying "unverified", which on click explains "Upload your public GPG key to verify your signature.", lists the key id and a link to the help page.
I think this could lead to an end user contacting me asking if I have forgotten to upload my GPG key, or being more confused upon seeing some commits.
@nikolal For example, here is my current commit history for mikaela.github.io: on top are some commits from my newest key, then some from the old key (I forgot to update .gitconfig) and then some from my work-try-out-practice.
I guess I can try taking a previous snapshot of the public key without the revocation and feed it to GitHub to have everything green, as GitHub only cares about that, but then there is a risk of someone exporting the key from GitHub believing it to be valid.
Yes, this does make sense.
> Aren't commits from creation to revocation still supposed to be valid?
There is a tiny issue with this — if you revoked your key because the private key has been compromised then the attacker can backdate any signature (see gpg --faked-system-time).
Of course if GitHub wanted they could provide better UI — for example remembering when they saw the signature first (if it's before revocation time then it's good). At the end of the day OpenPGP just lacks proper secure timestamping features and that makes all dates suspect.
GnuPG UI just issues a bunch of WARNINGs: https://www.reddit.com/r/GnuPG/comments/9qhbs0/subkey_expiry_and_issued_signatures_validity/e8ckzs0/
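The thread describes three possible policies for a commit signed with a key that was later revoked: GitHub's "everything from a revoked key is unverified", the Gitea-style "trust the signature's own timestamp", and the suggested "remember when the forge first saw the signature". The following model is an added illustration, not GitHub's, Gitea's or GnuPG's code; the key record, commit list, field names and policy names are all constructed here. It shows why the embedded signature time alone is a weak anchor: a signature whose claimed time predates the revocation but which the server only received afterwards passes the claimed-time policy and fails the first-seen one.

```python
"""Model three ways a forge can display commits signed with a key that was
later revoked.  Constructed example for illustration; not the logic of any
real forge.  All timestamps and identifiers below are made up."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class KeyRecord:
    """What the forge knows about an uploaded OpenPGP key (constructed model)."""
    key_id: str
    created: datetime
    revoked_at: Optional[datetime]  # None while the key has no revocation certificate


@dataclass(frozen=True)
class SignedCommit:
    """A commit plus the two timestamps available when rendering it."""
    sha: str
    key_id: str
    claimed_sig_time: datetime  # embedded in the OpenPGP signature; chosen by whoever signed
    first_seen: datetime        # when the forge itself first received the commit; server-controlled


def _key_matches(key: KeyRecord, commit: SignedCommit) -> bool:
    return key.key_id == commit.key_id


def classify_strict(key: KeyRecord, commit: SignedCommit) -> str:
    """GitHub-style policy from the thread: once a key is revoked, nothing it
    signed is shown as verified, whatever the timestamps say."""
    if not _key_matches(key, commit):
        return "unverified"
    return "unverified" if key.revoked_at is not None else "verified"


def classify_by_claimed_time(key: KeyRecord, commit: SignedCommit) -> str:
    """Trusts the signature's embedded creation time.  Friendly to honest key
    rotation, but that timestamp is under the signer's control."""
    if not _key_matches(key, commit):
        return "unverified"
    if key.revoked_at is None:
        return "verified"
    if key.created <= commit.claimed_sig_time < key.revoked_at:
        return "verified"
    return "revoked"


def classify_by_first_seen(key: KeyRecord, commit: SignedCommit) -> str:
    """The UI the last commenter suggests: anchor on when the forge first saw
    the signature, a time the key holder cannot rewrite after the fact."""
    if not _key_matches(key, commit):
        return "unverified"
    if key.revoked_at is None:
        return "verified"
    if commit.first_seen < key.revoked_at:
        return "verified"
    return "revoked"


def evaluate(key: KeyRecord, commits: List[SignedCommit]) -> Dict[str, Dict[str, str]]:
    """Run every policy over every commit; returns {sha: {policy: verdict}}."""
    return {
        c.sha: {
            "strict": classify_strict(key, c),
            "claimed_time": classify_by_claimed_time(key, c),
            "first_seen": classify_by_first_seen(key, c),
        }
        for c in commits
    }


# Constructed sample data: one key revoked mid-2018, three commits.
KEY = KeyRecord("EXAMPLE-KEY-ID", datetime(2017, 1, 1, tzinfo=UTC), datetime(2018, 6, 1, tzinfo=UTC))
COMMITS = [
    # Honest commit made and pushed long before the revocation.
    SignedCommit("honest-pre-revocation", KEY.key_id,
                 datetime(2017, 5, 5, tzinfo=UTC), datetime(2017, 5, 5, 1, tzinfo=UTC)),
    # Commit made and pushed after the revocation.
    SignedCommit("post-revocation", KEY.key_id,
                 datetime(2018, 9, 9, tzinfo=UTC), datetime(2018, 9, 9, tzinfo=UTC)),
    # Claims a pre-revocation signing time, but the forge first saw it afterwards.
    SignedCommit("backdated-claim", KEY.key_id,
                 datetime(2017, 5, 6, tzinfo=UTC), datetime(2018, 9, 10, tzinfo=UTC)),
]

if __name__ == "__main__":
    for sha, verdicts in evaluate(KEY, COMMITS).items():
        print(f"{sha:22} " + "  ".join(f"{p}={v}" for p, v in verdicts.items()))
```

The interesting row is `backdated-claim`: the claimed-time policy shows it as verified because it only reads the signature's own timestamp, while the first-seen policy marks it revoked because the forge has independent knowledge that the commit arrived after the revocation. The strict policy avoids the problem entirely at the cost of greying out the honest pre-revocation history, which is the trade-off the thread is about.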