
This repo includes extensions and workflow examples for being able to attach an arbitrary number of GPG signatures to a given commit or tag.

Git already supports commit signing. These tools are intended to complement that support by allowing a code reviewer and/or release engineer to attach their signatures as well.

A CI or build system that enforces m-of-n signature verification on git tags to be released offers strong protection against tampering of the repository by a single bad actor or compromised system.

This approach builds entirely on the git-notes interface which allows the attachment of arbitrary data to an existing commit.
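The m-of-n check described above, as an added example that is not part of the repo's own tooling: a CI-side Python function that applies the threshold to the `gpg --status-fd` output of each signature stored in a note, counting only `GOODSIG` signers from an allow-list and reporting expired or revoked keys separately. The fingerprints and status lines are constructed sample data; the allow-list and threshold are assumed to come from the build system's configuration.

```python
import re

# Keywords from gpg's --status-fd output (doc/DETAILS in GnuPG). Only GOODSIG
# counts; EXPKEYSIG and REVKEYSIG are the "verifies today, not tomorrow" cases.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
_STATUS = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

def parse_status(status_output):
    """Return (good_fingerprints, rejected) for one gpg --status-fd run.

    The primary-key fingerprint (last VALIDSIG field) identifies a signer, so a
    person signing with two subkeys is still counted once.
    """
    good, rejected, current_good = set(), [], False
    for line in status_output.splitlines():
        m = _STATUS.match(line.strip())
        if not m:
            continue
        keyword, rest = m.group(1), m.group(2) or ""
        if keyword == "NEWSIG":          # gpg emits this before each signature
            current_good = False
        elif keyword == "GOODSIG":
            current_good = True
        elif keyword in REJECT:
            rejected.append((keyword, rest.split()[0] if rest else ""))
        elif keyword == "VALIDSIG" and current_good:
            fields = rest.split()
            good.add(fields[9] if len(fields) > 9 else fields[0])
    return good, rejected

def meets_threshold(status_outputs, allowed, m):
    """m-of-n: True when at least m distinct allow-listed signers gave GOODSIG."""
    signers, rejected = set(), []
    for out in status_outputs:
        good, bad = parse_status(out)
        signers |= good & allowed
        rejected.extend(bad)
    return len(signers) >= m, sorted(signers), rejected

# Constructed sample output, shaped like gpg's status lines for three detached
# signatures: reviewer (good), release engineer (good), and an expired key.
def _status(keyword, fpr, name):
    return (f"[GNUPG:] NEWSIG\n[GNUPG:] {keyword} {fpr[-16:]} {name} (constructed)"
            f"\n[GNUPG:] VALIDSIG {fpr} 2024-01-01 1704067200 0 4 0 1 10 00 {fpr}")

FPR_REVIEWER, FPR_RELEASE, FPR_EXPIRED = "1" * 40, "2" * 40, "3" * 40
SIG_REVIEWER = _status("GOODSIG", FPR_REVIEWER, "Reviewer <reviewer@example.org>")
SIG_RELEASE = _status("GOODSIG", FPR_RELEASE, "Release <release@example.org>")
SIG_EXPIRED = _status("EXPKEYSIG", FPR_EXPIRED, "Former <former@example.org>")
ALLOWED = {FPR_REVIEWER, FPR_RELEASE, FPR_EXPIRED}

if __name__ == "__main__":
    print(meets_threshold([SIG_REVIEWER, SIG_RELEASE, SIG_EXPIRED], ALLOWED, 2))
```

In a real pipeline each `status_outputs` entry would be the captured status stream of `gpg --status-fd 1 --verify <note-signature> <commit-object>` for one attached note.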


    It’s worth reminding everyone that PGP keys have expiration times and can be revoked. So if you put PGP signatures into Git, it is possible that signature verification works today but not tomorrow. (GPG and other tools will refuse to verify signatures if they belong to expired or revoked keys.) http://karl.kornel.us/2017/10/welp-there-go-my-git-signatures/ goes into more detail on the problem and http://mikegerwitz.com/papers/git-horror-story is always a terrific read. In my opinion, this is a very nasty limitation and therefore using PGP for signatures in a VCS is extremely brittle and should be done with extreme care.

    In order to solve this general problem of not being able to validate signatures in the future, the VCS needs to manage keys for you (so you always have access to the key). And you probably don’t want to use PGP because tools enforce expiration and revocation. Key management is of course a hard problem and increases the complexity of the VCS. For what it’s worth, the Monotone VCS has built-in support for managing certificates (which are backed by RSA keys). See https://www.monotone.ca/docs/Certificates.html. https://www.mercurial-scm.org/wiki/CommitSigningPlan captures a lot of context about this general problem.


      Those examples of manual signing and verification renewed my amazement in the fact that we’ve all come to accept the ridiculous incantations git asks us to memorize to achieve basic tasks.


        But once you memorize the steps, you can do something other people can’t, which makes you better than them.


          I don’t know if this is sarcasm or not, but if not, I can’t agree with it. Knowing a bunch of obscure git commands and how to chain them together doesn’t make me better than others in the majority of cases. It might actually make me worse, because I chose the wrong tool for the task.


            It was definitely sarcasm on @tedu's part