gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Support signing Git commits with Teleport-issued SSH user certificates #32093

Open webvictim opened 1 year ago

webvictim commented 1 year ago

What would you like Teleport to do?

Add support for signing Git commits using SSH certificates issued by Teleport's user CA (or alternatively, maybe use another internally-managed Teleport CA which can be rotated independently of others).

What problem does this solve?

GPG signatures are the current standard for signing commits, but distributing GPG trust can be hard without signing parties. Verifiably asserting that the author of a given commit was in possession of an SSH certificate issued by a trusted Teleport CA provides a better way to bootstrap this trust.

If a workaround exists, please include it.

This may be supported already, in which case this issue is related to testing the workflow end to end and creating documentation for users and cluster admins on how to do it reliably.

References

https://sayr.us/git/ssh-sign-ca
https://agwa.name/blog/post/ssh_signatures
https://github.com/git/git/pull/1041
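As an added example (not code from Teleport, git, OpenSSH or the issue author), a simplified Python model of the allowed_signers policy that `git verify-commit` has `ssh-keygen -Y verify` apply to a certificate-signed commit: the committer e-mail must appear both on a `cert-authority` line and among the certificate's principals, the namespace must be permitted, and the certificate must be within its validity window. The CA key, user keys and times are constructed, and the model leaves out the two signature checks the real tool performs (the CA's signature over the certificate and the signer's over the commit).

```python
# Added example (not Teleport, git or OpenSSH code): a simplified model of the
# allowed_signers policy that `git verify-commit` applies via ssh-keygen -Y verify.
from dataclasses import dataclass
import shlex

@dataclass
class Cert:
    public_key: str    # "type base64" of the key that produced the signature
    ca_key: str        # "type base64" of the CA that issued the certificate
    principals: list   # e.g. ["alice@example.com"]
    valid_after: int   # unix seconds, inclusive
    valid_before: int  # unix seconds, exclusive

# Constructed allowed_signers content: one CA line, one bare-key line.
ALLOWED = """
# any cert from the demo CA, for the "git" namespace only
alice@example.com,bob@example.com cert-authority namespaces="git" ssh-ed25519 AAAAC3demoCA
# a single user key trusted directly, no CA involved
carol@example.com ssh-ed25519 AAAAC3carolKey
"""
def parse_allowed_signers(text):
    """Yield (principals, options, key) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # strips the quotes in namespaces="git"
        principals = parts[0].split(",")
        opts, i = {}, 1
        while i < len(parts) and (parts[i] == "cert-authority" or "=" in parts[i]):
            name, _, value = parts[i].partition("=")
            opts[name] = value or True
            i += 1
        yield principals, opts, " ".join(parts[i:i + 2])

def accept(allowed, signer, namespace, cert, now):
    """True if an allowed_signers line authorises `signer` (the committer e-mail
    git passes as -I) for a signature in `namespace` ("git" for commits)."""
    for principals, opts, key in parse_allowed_signers(allowed):
        if signer not in principals:
            continue
        if "namespaces" in opts and namespace not in opts["namespaces"].split(","):
            continue
        if "cert-authority" in opts:
            # CA line: cert issued by this CA, naming the signer, still valid now.
            if (cert.ca_key == key and signer in cert.principals
                    and cert.valid_after <= now < cert.valid_before):
                return True
        elif cert.public_key == key:
            return True  # bare-key line: matches the signing key itself
    return False
```

Rotating the CA in this model is a one-line change to the `cert-authority` entry, which is the bootstrapping advantage over per-key GPG trust that the issue describes.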

gclawes commented 5 months ago

S/MIME signing with X.509 certificates is also widely supported now:
https://docs.gitlab.com/ee/user/project/repository/signed_commits/x509.html
https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification
https://github.com/github/smimesign

gclawes commented 5 months ago

https://docs.gitlab.com/ee/user/project/repository/signed_commits/x509.html

Reading the GitLab documentation, it looks like they validate a user's email as an email subjectAlternativeName field.

https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification

I can't find any mention of that behavior in GitHub's documentation; it looks like github.com is focused only on validating certs issued by CAs in Debian ca-certificates.