SSH certificates and git signing
Summary
Matthew Garrett explains how SSH certificates can be used to sign git commits, replacing OpenPGP where appropriate. The post covers configuring OpenSSH certificates, validating signatures, and the practical limits of current tooling, including CI integration and a hardware-backed key approach using TPM/Secure Enclave. It also discusses attestation concepts and a path toward stronger supply-chain trust.