Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-dev
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-dev@g.o
From: "Robin H. Johnson" <robbat2@g.o>
Subject: Git braindump: 1 of N: merging & git signing
Date: Sun, 3 Jun 2012 08:18:24 +0000
This is one of several braindumps I've got, getting what are potentially
very important details about the Git stuff out of my head, so that it
doesn't matter if I become hit by a bus. Apologies if this mail seems a bit
scrambled, per -core, my brain is rather scrambled lately.

TL;DR:
------
I propose:
- merges are explicitly allowed, even non-fast-forwards
- all commits MUST be signed
- if you include a commit from a user:
  author := non-@gentoo
  committer := @gentoo
  signer := $committer

Merging:
--------
The thread I started about allowing merges, I want to explain a bit of
history behind it, because it came about as a result of a change in HOW Git
upstream is doing signatures for now.

There are two things to record:
1. who really made a commit
2. who pushed the commit to the repo

They don't need to be the same person.
- Signed commits will prove #1
- Signed pushes will prove #2

Git upstream will ultimately support BOTH forms of signature, but for now, only
signed commits are available.

Good page covering Git signatures, if you don't want to read the rest of my
description below, but this page is much longer, and covers some of the related
features and checking in much more detail:
http://mikegerwitz.com/docs/git-horror-story.html

Git signed pushes:
------------------
We were originally looking for a model of signing the actual push
action, and having that recorded in Git. This was important as it
allowed the author/committer/pusher to differ, while still being
securely recorded (the signature was on the actual push action, as a
certification). This is what we had at length discussions with the Git
upstream about this:
http://git.661346.n2.nabble.com/Signed-push-progress-td6839255.html.

Git signed commits:
-------------------
Signed pushed were delayed in favour of more immediate work on allowing
the direct signature of the contents of a commit. These had the direct
advantage of always being included in the Git data directly.
They were built to stack cleanly on top of the fact that the existing
git repo objects were based on SHA1 hashes of other objects (see
http://eagain.net/articles/git-for-computer-scientists/
for the DAG of a commit).

Format of the signed Git commit 
-------------------------------
If you look at the output of:
git cat-file commit $commitid
You'll see this output like this:
===
tree ee314a31b622b027c10981acaed7903a3607dbd4
parent 7edca69c39a58b9d08d7145cdfa797ec27049e78
author Robin H. Johnson <robbat2@g.o> 1338710866 +0000
committer Robin H. Johnson <robbat2@g.o> 1338710866 +0000

commit message goes here.
===

That's the COMPLETE commit object.

It is also EXACTLY what gets signed.

If you look the above output (exact same command), for a signed commit:
=====
tree 8a6685fdf45e426a0bce32ac18aa21da9aa8a60e
parent f203a90b7ee239f8cf4df652d94120798c68f7e5
author Robin H. Johnson <robbat2@g.o> 1338710330 +0000
committer Robin H. Johnson <robbat2@g.o> 1338710330 +0000
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.19 (GNU/Linux)
 
 iQIcBAABAgAGBQJPyxk6AAoJEK5yKHg3xZ9fgJAP/0mEzW0K+GKNPpaDbS+PtI8T
 QSVNEK0nA5PSf7F/iNjPm3YlUjovndo4LHpd8+0CRAy9HtCWMUpeXRWK7TKimwWJ
 4x5jsnMH6ktawsFNvNjGfuLKi+eqJJtv3J0n7KwqsCeGP5FtBZIEhRnJ2BDDQF7L
 mZvdSHZlqVAkzXyAWgt+7uiZcR9LvT+xuziDVHVhZZqWDWEvPLXVkphwChvqIbA9
 u8kQgxawcl5p8WXUzknqUaMOf2L4eXryyTpMoXSbOSxS8Z7OADG6YV/phDD5EjV0
 03bOCJzeDfV03rJWlkZa11Kjj1ni47KgROtA6ywdXGZswtgAbLNvg/c2icDJLAm6
 TmuhJ0qw2FWsIllnEKfwegYtT5ei/YJhxnlVQ20JuEyhLbMun4t1Y01OOsub5DU1
 vilAsItpY+1mXzhC92/16GwqHgjGstAwL5GmGz2lGBSvPc356DtGcRF4TSfs2iMH
 WkZytJGSYPOu5Nm3a3ws1Ific3Cwhv1sOD0PEP0PboQ4bLmWk0l+Ivw52d6J0GBL
 +uzhe1rGhEQfkirWNKUPsmnfyJu4DzEjdQOeQsLLjdlc+EytqCr2cBB+AAXq0EXI
 Rq5Fp5GkPap5H9CFJdDoc6Caq6SRcze8l9w1PZ5OutygkyfU3GzRQ7GiWVXMFm9M
 PgZnISs7Hcp00n4yeMJR
 =BR/z
 -----END PGP SIGNATURE-----

.
=====

You can trivially remove the gpgsig header (the indented lines are continuations, up until the \n\n).

If you want to verify a commit, you can do:
# git show --show-signature $commitid

Or you can use cat-file, move gpgsig header to a seperate file, removing leading whitespace and the gpgsig bit, and run this yourself:
# gpg --verify commit.sig commit.no-gpgsig

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@g.o
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
Attachment:
signature.asc (Digital signature)
Replies:
Re: Git braindump: 1 of N: merging & git signing
-- Andreas K. Huettel
Re: Git braindump: 1 of N: merging & git signing
-- Markos Chandras
Re: Git braindump: 1 of N: merging & git signing
-- Duncan
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
metadata/md5-cache
Next by thread:
Re: Git braindump: 1 of N: merging & git signing
Previous by date:
Re: multiprocessing.eclass: doing parallel work in bash
Next by date:
Re: metadata/md5-cache


Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.