This is one of several braindumps I've got, getting what are potentially
very important details about the Git stuff out of my head, so that it
doesn't matter if I get hit by a bus. Apologies if this mail seems a bit
scrambled, per -core, my brain is rather scrambled lately.

TL;DR:
------
I propose:
- merges are explicitly allowed, even non-fast-forwards
- all commits MUST be signed
- if you include a commit from a user:
  author := non-@gentoo
  committer := @gentoo
  signer := $committer
|
16 |
Merging: |
17 |
-------- |
18 |
The thread I started about allowing merges, I want to explain a bit of |
19 |
history behind it, because it came about as a result of a change in HOW Git |
20 |
upstream is doing signatures for now. |
21 |
|
22 |
There are two things to record: |
23 |
1. who really made a commit |
24 |
2. who pushed the commit to the repo |
25 |
|
26 |
They don't need to be the same person. |
27 |
- Signed commits will prove #1 |
28 |
- Signed pushes will prove #2 |
29 |
|
30 |
Git upstream will ultimately support BOTH forms of signature, but for now, only |
31 |
signed commits are available. |
32 |
|
33 |
Good page covering Git signatures, if you don't want to read the rest of my |
34 |
description below, but this page is much longer, and covers some of the related |
35 |
features and checking in much more detail: |
36 |
http://mikegerwitz.com/docs/git-horror-story.html |
37 |
|
38 |
Git signed pushes: |
39 |
------------------ |
40 |
We were originally looking for a model of signing the actual push |
41 |
action, and having that recorded in Git. This was important as it |
42 |
allowed the author/committer/pusher to differ, while still being |
43 |
securely recorded (the signature was on the actual push action, as a |
44 |
certification). This is what we had at length discussions with the Git |
45 |
upstream about this: |
46 |
http://git.661346.n2.nabble.com/Signed-push-progress-td6839255.html. |
47 |
|
48 |
Git signed commits: |
49 |
------------------- |
50 |
Signed pushed were delayed in favour of more immediate work on allowing |
51 |
the direct signature of the contents of a commit. These had the direct |
52 |
advantage of always being included in the Git data directly. |
53 |
They were built to stack cleanly on top of the fact that the existing |
54 |
git repo objects were based on SHA1 hashes of other objects (see |
55 |
http://eagain.net/articles/git-for-computer-scientists/ |
56 |
for the DAG of a commit). |
57 |
|
58 |
Format of the signed Git commit |
59 |
------------------------------- |
60 |
If you look at the output of: |
61 |
git cat-file commit $commitid |
62 |
You'll see this output like this: |
63 |
=== |
64 |
tree ee314a31b622b027c10981acaed7903a3607dbd4 |
65 |
parent 7edca69c39a58b9d08d7145cdfa797ec27049e78 |
66 |
author Robin H. Johnson <robbat2@g.o> 1338710866 +0000 |
67 |
committer Robin H. Johnson <robbat2@g.o> 1338710866 +0000 |
68 |
|
69 |
commit message goes here. |
70 |
=== |
71 |
|
72 |
That's the COMPLETE commit object. |
73 |
|
74 |
It is also EXACTLY what gets signed. |
75 |
|

If you look at the above output (exact same command) for a signed commit:
=====
tree 8a6685fdf45e426a0bce32ac18aa21da9aa8a60e
parent f203a90b7ee239f8cf4df652d94120798c68f7e5
author Robin H. Johnson <robbat2@g.o> 1338710330 +0000
committer Robin H. Johnson <robbat2@g.o> 1338710330 +0000
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.19 (GNU/Linux)
 
 iQIcBAABAgAGBQJPyxk6AAoJEK5yKHg3xZ9fgJAP/0mEzW0K+GKNPpaDbS+PtI8T
 QSVNEK0nA5PSf7F/iNjPm3YlUjovndo4LHpd8+0CRAy9HtCWMUpeXRWK7TKimwWJ
 4x5jsnMH6ktawsFNvNjGfuLKi+eqJJtv3J0n7KwqsCeGP5FtBZIEhRnJ2BDDQF7L
 mZvdSHZlqVAkzXyAWgt+7uiZcR9LvT+xuziDVHVhZZqWDWEvPLXVkphwChvqIbA9
 u8kQgxawcl5p8WXUzknqUaMOf2L4eXryyTpMoXSbOSxS8Z7OADG6YV/phDD5EjV0
 03bOCJzeDfV03rJWlkZa11Kjj1ni47KgROtA6ywdXGZswtgAbLNvg/c2icDJLAm6
 TmuhJ0qw2FWsIllnEKfwegYtT5ei/YJhxnlVQ20JuEyhLbMun4t1Y01OOsub5DU1
 vilAsItpY+1mXzhC92/16GwqHgjGstAwL5GmGz2lGBSvPc356DtGcRF4TSfs2iMH
 WkZytJGSYPOu5Nm3a3ws1Ific3Cwhv1sOD0PEP0PboQ4bLmWk0l+Ivw52d6J0GBL
 +uzhe1rGhEQfkirWNKUPsmnfyJu4DzEjdQOeQsLLjdlc+EytqCr2cBB+AAXq0EXI
 Rq5Fp5GkPap5H9CFJdDoc6Caq6SRcze8l9w1PZ5OutygkyfU3GzRQ7GiWVXMFm9M
 PgZnISs7Hcp00n4yeMJR
 =BR/z
 -----END PGP SIGNATURE-----

.
=====

You can trivially remove the gpgsig header (the lines indented with a single
space are continuations of it; the header block ends at the \n\n).

If you want to verify a commit, you can do:
# git show --show-signature $commitid

Or you can use cat-file, move the gpgsig header to a separate file (removing
the leading whitespace and the "gpgsig " prefix), and run this yourself:
# gpg --verify commit.sig commit.no-gpgsig
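As an added example (not code from this mail), here is the splitting step above done programmatically: it strips the gpgsig header and its space-indented continuation lines from a cat-file commit object, yielding the exact signed bytes plus the detached signature, and shows how the commit id is the SHA1 over the whole object. The sample object reuses the mail's headers but carries a constructed placeholder instead of a real PGP body.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

# Constructed sample: the mail's signed-commit headers with a placeholder PGP
# body. Continuation lines of 'gpgsig' start with one space, as Git writes them.
SIGNED_COMMIT = (
    b"tree 8a6685fdf45e426a0bce32ac18aa21da9aa8a60e\n"
    b"parent f203a90b7ee239f8cf4df652d94120798c68f7e5\n"
    b"author Robin H. Johnson <robbat2@g.o> 1338710330 +0000\n"
    b"committer Robin H. Johnson <robbat2@g.o> 1338710330 +0000\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"  # an empty line inside the PGP block is stored as a lone space
    b" PLACEHOLDERSIGNATUREDATA\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\n"
    b".\n"
)

def commit_id(raw: bytes) -> str:
    """Object id Git assigns: SHA1 over b'commit <len>\\0' + the object bytes."""
    return hashlib.sha1(b"commit %d\0" % len(raw) + raw).hexdigest()

def split_gpgsig(raw: bytes):
    """Return (payload, signature): the object minus the gpgsig header and its
    indented continuations (exactly the signed bytes), and the PGP block."""
    headers, sep, message = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("not a commit object: no blank line after headers")
    kept, sig, in_sig = [], [], False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig, sig = True, [line[7:]]
        elif in_sig and line.startswith(b" "):
            sig.append(line[1:])  # continuation line of the gpgsig header
        else:
            in_sig = False
            kept.append(line)
    if not sig:
        return raw, None  # unsigned commit: nothing to strip
    return b"\n".join(kept) + b"\n\n" + message, b"\n".join(sig) + b"\n"

def gpg_verify(payload: bytes, signature: bytes) -> bool:
    """The mail's manual check: gpg --verify commit.sig commit.no-gpgsig."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "commit.sig").write_bytes(signature)
        Path(d, "commit.no-gpgsig").write_bytes(payload)
        cmd = ["gpg", "--verify", "commit.sig", "commit.no-gpgsig"]
        return subprocess.run(cmd, cwd=d).returncode == 0
```

Feed `git cat-file commit $commitid` output to split_gpgsig and the two results to gpg_verify to reproduce the manual check; with the placeholder body above gpg_verify will of course fail.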

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85