I sign my Git commits with a GPG key which I stored on an old computer. I lost this key so I created a new one to sign my commits with. It has not been compromised so I do not wish to revoke it.

However, I accidentally deleted my public key too (I use GitHub) so all my past commits now show up as unverified. Is it possible to somehow recover the public key from my past commits so I can tell GitHub to trust it again?

Zak
  • Did you submit your public key to a keyserver? Was there anyone else on your team verifying commits against your public key? Those are your likeliest sources to recover the public key. – Todd A. Jacobs Apr 13 '20 at 18:23
  • Unfortunately it was just GitHub verifying and I deleted the public key from there. Does this mean it's non-recoverable? – Zak Apr 13 '20 at 18:25
  • You could see if GitHub support has a backup of your key, but in general it's not recoverable if you don't have a backup or access to other copies. You can regenerate a public key from the secret key, but you generally can't recover a public key from a signature, and the ability to regenerate the *private* key from any ciphertext would be a huge honkin' vulnerability. – Todd A. Jacobs Apr 13 '20 at 18:37
  • Related: https://security.stackexchange.com/q/62916/9101 – Todd A. Jacobs Apr 13 '20 at 18:40
  • There are a lot of sites that scrape GitHub. I wouldn't be surprised if one of them grabbed your public key and still has it. Try searching for copies of your public projects. – multithr3at3d Apr 13 '20 at 21:04

Public Key Recovery Options

You have limited options:

  1. You can recover your keys from a backup of your keyrings, if you have one.
  2. You can recover public keys from a keyserver, if you or someone else uploaded your key there.
  3. You can ask other people on your project for a copy of your public key, which they would have needed to verify your commits.
  4. You can see if GitHub has a backup containing your public key, and is willing to retrieve it for you.

That's about it. If you have lost your keys, including backups and copies, then you should treat them as lost for good. Pragmatically, from a Git perspective you can:

  • Verify the Git history against a local or archived copy of the repository to ensure its authenticity, and then re-sign all your commits with a new key (if necessary, which it probably isn't).
  • Sign the current commit once you've validated it against your sources, and then use the new key going forward.

In Future...

Key material sufficient to recreate a public or private key can't usually be recovered just from signatures, so in future make sure you:

  1. Make regular backups.
  2. Escrow essential keys using a tool like paperkey or ssss, or some other recovery mechanism of your choice.
  3. Ensure your public key is uploaded to a reputable public keyserver and signed by others for validation.
  4. Store your public key under source control, perhaps even inside your source tree if appropriate for your project.
  5. Make sure you have revocation certificates on hand in case you lose your key.

Basically, take steps to ensure that your public key and revocation certificates are recoverable at need, and trusted by other keys besides the key itself.

Todd A. Jacobs
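An added illustration of the point made above (this is example code, not part of the original answer): a commit's OpenPGP signature names the issuing key by its key ID (and, in newer signatures, its fingerprint) but carries none of the key material itself, so the most you can get back from old commits is the identifier to search a keyserver for. It assumes the commit-object layout that `git cat-file -p <sha>` prints, and the signature packet and key ID are constructed for the demonstration.

```python
import base64, re, struct

def build_sample_signature(key_id: bytes) -> bytes:
    # Constructed minimal OpenPGP v4 signature packet (RFC 4880 5.2.3) with a dummy MPI,
    # framed the old-format way gpg emits signatures: tag 2 with a one-octet length.
    hashed = b"\x05\x02" + struct.pack(">I", 1586800000)          # subpacket 2: creation time
    unhashed = b"\x09\x10" + key_id                               # subpacket 16: issuer key ID
    body = (b"\x04\x00\x01\x08" + struct.pack(">H", len(hashed)) + hashed   # v4, type 0, RSA, SHA-256
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x12\x34\x00\x10\xab\xcd")
    return b"\x88" + bytes([len(body)]) + body

def sample_commit_object() -> str:
    # Constructed commit object as `git cat-file -p` prints it: armored signature in the gpgsig header.
    armored = base64.b64encode(build_sample_signature(bytes.fromhex("0123456789ABCDEF"))).decode()
    return ("tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
            "committer Zak <zak@example.com> 1586800000 +0000\n"
            "gpgsig -----BEGIN PGP SIGNATURE-----\n \n"
            f" {armored}\n -----END PGP SIGNATURE-----\n\nConstructed commit\n")

def signature_from_commit(commit_obj: str) -> bytes:
    # Pull the gpgsig header out and de-armor it (drop BEGIN/END, CRC and any armor headers).
    block = re.search(r"^gpgsig (.*\n(?: .*\n)*)", commit_obj, re.M).group(1)
    lines = [l[1:] if l.startswith(" ") else l for l in block.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and l[0] not in "-=" and ":" not in l))

def iter_subpackets(area: bytes):
    # Yield (type, data) per subpacket; 1- and 2-octet lengths (the 5-octet form is unused in practice).
    i = 0
    while i < len(area):
        first = area[i]
        length, i = (first, i + 1) if first < 192 else (((first - 192) << 8) + area[i + 1] + 192, i + 2)
        yield area[i] & 0x7F, area[i + 1:i + length]
        i += length

def signature_issuer(packet: bytes) -> dict:
    # Return issuer key ID (subpacket 16) and fingerprint (33) if present: all a signature reveals about the key.
    ctb = packet[0]
    if ctb & 0xC0 != 0x80 or (ctb >> 2) & 0x0F != 2 or ctb & 3 == 3:
        raise ValueError("expected an old-format signature packet with a definite length")
    n = 1 << (ctb & 3)                                            # length field: 1, 2 or 4 octets
    body = packet[1 + n:1 + n + int.from_bytes(packet[1:1 + n], "big")]
    if body[0] != 4: raise ValueError("only v4 signatures are handled here")
    hashed = body[6:6 + struct.unpack(">H", body[4:6])[0]]
    pos = 6 + len(hashed)
    unhashed = body[pos + 2:pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]]
    info = {}
    for t, data in (sp for area in (hashed, unhashed) for sp in iter_subpackets(area)):
        if t == 16: info["key_id"] = data.hex().upper()
        elif t == 33: info["fingerprint"] = data[1:].hex().upper()   # version octet + fingerprint
    return info
```

On a real repository, feed `signature_from_commit` the output of `git cat-file -p <sha>`; the key ID it returns is what you would look up on a keyserver (option 2 above), and nothing more can be reconstructed.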