ssh authorized keys are currently not checked into git. It should be possible to store them on the setup branch next to the ikiwiki setup file. This would allow changing ssh keys in a git push.

The existing ikisite checksetup code, which checks pushes of the setup branch to ensure that they come from a trusted user and contain only safe changes, would need to be extended to also check ssh keys. Things to check:

  • The keys are all well-formed.
  • There are no ssh options tied to a key that could run commands, open ports, etc.
  • There's at least 1 key if there was 1 before (so users don't lock themselves out accidentally).
  • That the authorized keys file did not turn into a symlink or other special file, and was not removed, and has sane permissions.
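A validator covering the checks above, added here as an example rather than ikisite's own code (Python instead of ikiwiki's Perl; the set of accepted key types is an assumption). Rather than enumerating dangerous ssh options, it accepts only the bare form "type base64 [comment]", so any options field at all is rejected:

```python
import base64
import re
import stat

# Key types the validator accepts (an assumption made for this example).
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# A bare key line is: type, base64 blob, optional comment. A line carrying an
# options prefix (command=, permitopen=, ...) does not match and is rejected.
LINE_RE = re.compile(r"^(?P<type>\S+)\s+(?P<b64>[A-Za-z0-9+/=]+)(?:\s+.*)?$")

def parse_key_line(line):
    """Return the key type of a well-formed bare key line; raise ValueError otherwise."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("type") not in KEY_TYPES:
        raise ValueError("not a bare key line of an accepted type")
    # binascii.Error (a ValueError subclass) propagates for bad base64.
    blob = base64.b64decode(m.group("b64"), validate=True)
    # The blob begins with a length-prefixed type string; it must match the text.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != m.group("type").encode():
        raise ValueError("key blob does not match the declared key type")
    return m.group("type")

def validate_authorized_keys(text, keys_before):
    """Return the problems found in the pushed file contents; [] means accept."""
    problems, count = [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are harmless
        try:
            parse_key_line(line)
            count += 1
        except ValueError as e:
            problems.append(f"line {lineno}: {e}")
    if keys_before > 0 and count == 0:
        problems.append("all keys removed; this would lock the site owner out")
    return problems

def problems_for_mode(st_mode):
    """Checks on os.lstat(path).st_mode: a regular file (so not a symlink) that is not group- or world-writable."""
    if not stat.S_ISREG(st_mode):
        return ["authorized_keys is not a regular file"]
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return ["authorized_keys is group- or world-writable"]
    return []

def constructed_key_line(ktype="ssh-ed25519", comment="owner@example"):
    # Constructed sample built from an all-zero 32-byte key; not a real key.
    blob = len(ktype).to_bytes(4, "big") + ktype.encode() + b"\0\0\0\x20" + b"\0" * 32
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"
```

Use os.lstat rather than os.stat for the mode check so that a symlink is judged as a symlink instead of being followed to its target.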

Question: Is exposing the authorized keys of every Branchable site in their setup branches desirable? Or is this something the site owner needs to opt in to?

I've always wondered about how secret we should generally consider public keys. If I make the parallel with my GPG keyring, then the answer is "not at all". Also, these days, my SSH keys are in my GPG keyring, so basically they are already public on the keyservers, although you need to look for them. This could even be considered a feature:

my SSH key is also available on that git repository over there, if you want to double-check the one I sent in that email

... could be a useful thing. However, I could understand how paranoid users may want to do things differently, so being able to opt out of that could be important for some users.

If this makes things more complicated: don't bother, and deal with it when people complain. ;) -- anarcat

So, it turns out the public keys are already checked into the setup branch. So only a validator is needed. --Joey