| 1 |
This is one of several braindumps I've got, getting what are potentially |
| 2 |
very important details about the Git stuff out of my head, so that it |
| 3 |
doesn't matter if I become hit by a bus. Apologies if this mail seems a bit |
| 4 |
scrambled, per -core, my brain is rather scrambled lately. |
| 5 |
|
| 6 |
TL;DR: |
| 7 |
------ |
| 8 |
I propose: |
| 9 |
- merges are explicitly allowed, even non-fast-forwards |
| 10 |
- all commits MUST be signed |
| 11 |
- if you include a commit from a user: |
| 12 |
author := non-@gentoo |
| 13 |
committer := @gentoo |
| 14 |
signer := $committer |
| 15 |
|
| 16 |
Merging: |
| 17 |
-------- |
| 18 |
The thread I started about allowing merges, I want to explain a bit of |
| 19 |
history behind it, because it came about as a result of a change in HOW Git |
| 20 |
upstream is doing signatures for now. |
| 21 |
|
| 22 |
There are two things to record: |
| 23 |
1. who really made a commit |
| 24 |
2. who pushed the commit to the repo |
| 25 |
|
| 26 |
They don't need to be the same person. |
| 27 |
- Signed commits will prove #1 |
| 28 |
- Signed pushes will prove #2 |
| 29 |
|
| 30 |
Git upstream will ultimately support BOTH forms of signature, but for now, only |
| 31 |
signed commits are available. |
| 32 |
|
| 33 |
Good page covering Git signatures, if you don't want to read the rest of my |
| 34 |
description below, but this page is much longer, and covers some of the related |
| 35 |
features and checking in much more detail: |
| 36 |
http://mikegerwitz.com/docs/git-horror-story.html |
| 37 |
|
| 38 |
Git signed pushes: |
| 39 |
------------------ |
| 40 |
We were originally looking for a model of signing the actual push |
| 41 |
action, and having that recorded in Git. This was important as it |
| 42 |
allowed the author/committer/pusher to differ, while still being |
| 43 |
securely recorded (the signature was on the actual push action, as a |
| 44 |
certification). This is what we had at length discussions with the Git |
| 45 |
upstream about this: |
| 46 |
http://git.661346.n2.nabble.com/Signed-push-progress-td6839255.html. |
| 47 |
|
| 48 |
Git signed commits: |
| 49 |
------------------- |
| 50 |
Signed pushed were delayed in favour of more immediate work on allowing |
| 51 |
the direct signature of the contents of a commit. These had the direct |
| 52 |
advantage of always being included in the Git data directly. |
| 53 |
They were built to stack cleanly on top of the fact that the existing |
| 54 |
git repo objects were based on SHA1 hashes of other objects (see |
| 55 |
http://eagain.net/articles/git-for-computer-scientists/ |
| 56 |
for the DAG of a commit). |
| 57 |
|
| 58 |
Format of the signed Git commit |
| 59 |
------------------------------- |
| 60 |
If you look at the output of: |
| 61 |
git cat-file commit $commitid |
| 62 |
You'll see this output like this: |
| 63 |
=== |
| 64 |
tree ee314a31b622b027c10981acaed7903a3607dbd4 |
| 65 |
parent 7edca69c39a58b9d08d7145cdfa797ec27049e78 |
| 66 |
author Robin H. Johnson <robbat2@g.o> 1338710866 +0000 |
| 67 |
committer Robin H. Johnson <robbat2@g.o> 1338710866 +0000 |
| 68 |
|
| 69 |
commit message goes here. |
| 70 |
=== |
| 71 |
|
| 72 |
That's the COMPLETE commit object. |
| 73 |
|
| 74 |
It is also EXACTLY what gets signed. |
| 75 |
|
| 76 |
If you look the above output (exact same command), for a signed commit: |
| 77 |
===== |
| 78 |
tree 8a6685fdf45e426a0bce32ac18aa21da9aa8a60e |
| 79 |
parent f203a90b7ee239f8cf4df652d94120798c68f7e5 |
| 80 |
author Robin H. Johnson <robbat2@g.o> 1338710330 +0000 |
| 81 |
committer Robin H. Johnson <robbat2@g.o> 1338710330 +0000 |
| 82 |
gpgsig -----BEGIN PGP SIGNATURE----- |
| 83 |
Version: GnuPG v2.0.19 (GNU/Linux) |
| 84 |
|
| 85 |
iQIcBAABAgAGBQJPyxk6AAoJEK5yKHg3xZ9fgJAP/0mEzW0K+GKNPpaDbS+PtI8T |
| 86 |
QSVNEK0nA5PSf7F/iNjPm3YlUjovndo4LHpd8+0CRAy9HtCWMUpeXRWK7TKimwWJ |
| 87 |
4x5jsnMH6ktawsFNvNjGfuLKi+eqJJtv3J0n7KwqsCeGP5FtBZIEhRnJ2BDDQF7L |
| 88 |
mZvdSHZlqVAkzXyAWgt+7uiZcR9LvT+xuziDVHVhZZqWDWEvPLXVkphwChvqIbA9 |
| 89 |
u8kQgxawcl5p8WXUzknqUaMOf2L4eXryyTpMoXSbOSxS8Z7OADG6YV/phDD5EjV0 |
| 90 |
03bOCJzeDfV03rJWlkZa11Kjj1ni47KgROtA6ywdXGZswtgAbLNvg/c2icDJLAm6 |
| 91 |
TmuhJ0qw2FWsIllnEKfwegYtT5ei/YJhxnlVQ20JuEyhLbMun4t1Y01OOsub5DU1 |
| 92 |
vilAsItpY+1mXzhC92/16GwqHgjGstAwL5GmGz2lGBSvPc356DtGcRF4TSfs2iMH |
| 93 |
WkZytJGSYPOu5Nm3a3ws1Ific3Cwhv1sOD0PEP0PboQ4bLmWk0l+Ivw52d6J0GBL |
| 94 |
+uzhe1rGhEQfkirWNKUPsmnfyJu4DzEjdQOeQsLLjdlc+EytqCr2cBB+AAXq0EXI |
| 95 |
Rq5Fp5GkPap5H9CFJdDoc6Caq6SRcze8l9w1PZ5OutygkyfU3GzRQ7GiWVXMFm9M |
| 96 |
PgZnISs7Hcp00n4yeMJR |
| 97 |
=BR/z |
| 98 |
-----END PGP SIGNATURE----- |
| 99 |
|
| 100 |
. |
| 101 |
===== |
| 102 |
|
| 103 |
You can trivially remove the gpgsig header (the indented lines are continuations, up until the \n\n). |
| 104 |
|
| 105 |
If you want to verify a commit, you can do: |
| 106 |
# git show --show-signature $commitid |
| 107 |
|
| 108 |
Or you can use cat-file, move gpgsig header to a seperate file, removing leading whitespace and the gpgsig bit, and run this yourself: |
| 109 |
# gpg --verify commit.sig commit.no-gpgsig |
| 110 |
|
| 111 |
-- |
| 112 |
Robin Hugh Johnson |
| 113 |
Gentoo Linux: Developer, Trustee & Infrastructure Lead |
| 114 |
E-Mail : robbat2@g.o |
| 115 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
Archives