From 0af44094679a674c8b70c6d4ff14c081d724d0dd Mon Sep 17 00:00:00 2001
From: Flo
Date: Tue, 31 Mar 2026 00:00:14 +0200
Subject: [PATCH] feat: add OSINT advisory about signing key reuse
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Warn users in the signing wizard that reusing the same signing key across personal and work accounts enables cross-platform identity correlation. Recommend separate keys per org with git includeIf.

Also added to admin recommendations section.

Closes: #12

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 git-harden.sh | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/git-harden.sh b/git-harden.sh
index 2ae25fc..d2f0e45 100755
--- a/git-harden.sh
+++ b/git-harden.sh
@@ -681,8 +681,14 @@ detect_fido2_hardware() {
 signing_wizard() {
 print_header "SSH Signing Setup Wizard"
 
+printf '\n %bPrivacy note:%b Your signing key is public — it appears in every signed\n' "$YELLOW" "$RESET" >&2
+printf ' commit and on your GitHub/GitLab profile. Using the same key across\n' >&2
+printf ' personal and work accounts links those identities (OSINT risk). If\n' >&2
+printf ' identity separation matters, generate a dedicated key per context and\n' >&2
+printf ' use git'\''s includeIf to configure per-org signing keys.\n' >&2
+
 if [ "$SIGNING_KEY_FOUND" = true ]; then
-printf ' Found existing key: %s\n' "$SIGNING_PUB_PATH" >&2
+printf '\n Found existing key: %s\n' "$SIGNING_PUB_PATH" >&2
 if prompt_yn "Use this key for git signing?"; then
 git config --global user.signingkey "$SIGNING_PUB_PATH"
 print_info "Set user.signingkey = $SIGNING_PUB_PATH"
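Review bot: The advisory on the five new printf lines warns that a shared key links identities, but the committer user.email and user.name recorded in every commit link them at least as strongly, so a dedicated key per context only achieves separation when the same includeIf block also sets a per-context identity; I would add one line after the includeIf sentence, `printf ' Pair each key with a per-context user.email — the committer email in every commit links identities too.\n' >&2`. The advisory is also immediately followed by the offer to adopt $SIGNING_PUB_PATH; if that path is the user's default SSH authentication key (I cannot see how it is detected from here), accepting it additionally ties the signing identity to the login key, which the prompt could say, e.g. `if prompt_yn "Use this key for git signing? (its public half is embedded in every signed commit)"; then`. signing_wizard continues past the end of this hunk.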
@@ -924,6 +930,8 @@ print_admin_recommendations() {
 printf ' • Require signed commits via branch protection (Require signed commits)\n' >&2
 printf ' • Audit deploy keys and service account access quarterly\n' >&2
 printf ' • If using hook frameworks (husky, lefthook, pre-commit), pin versions and review changes\n' >&2
+printf ' • Use separate signing keys per org to prevent cross-platform identity correlation (OSINT)\n' >&2
+printf ' Use git includeIf with gitdir: or hasconfig:remote.*.url: for per-org signing keys\n' >&2
 printf '\n' >&2
 }
 
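Review bot: The second added printf recommends `hasconfig:remote.*.url:` without noting that this includeIf condition only exists in Git 2.36 and newer, and that both `gitdir:` and `hasconfig:` match on where a clone lives or what its remote URL is, so a repository cloned outside the expected directory or with a different remote silently falls back to the global signing key. A short caveat on a following line would prevent a mis-signed first commit, e.g. `printf ' (hasconfig: needs Git 2.36+; confirm per repo with git config --show-origin user.signingkey)\n' >&2`. The recommendation could also say that each include should set its own user.email, since the key alone does not separate identities when the committer email is shared. print_admin_recommendations starts before this hunk.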