Date: Wed, 5 Jul 2023 20:25:44 +0200
From: Mark Wielaard
To: Sourceware Overseers
Cc: "Frank Ch. Eigler", Ludovic Courtès
Subject: Re: gitsigur for protecting git repo integrity
Message-ID: <20230705182544.GF11693@gnu.wildebeest.org>
In-Reply-To: <20230704083245.GB11693@gnu.wildebeest.org>
References: <20230704083245.GB11693@gnu.wildebeest.org>

Hi all,

Collecting more fediverse replies.

On Tue, Jul 04, 2023 at 10:32:45AM +0200, Mark Wielaard via Overseers wrote:
> On Thu, Jun 29, 2023 at 02:55:06PM -0400, Frank Ch. Eigler via Overseers wrote:
> > > I'd like to share a little gadget I've been working on recently.
> > >
> > > It's a prototype git server hook for allowing participating projects
> > > to check and/or enforce that commits to certain branches of
> > > shared-access git repos such as those on sourceware are properly
> > > gpg-signed. [...]
> >
> > Some questions have arisen offline about the relationship of this
> > script to systems such as sigstore and b4. Here's a rough comparison
> > of the three. This is pretty terse point-by-point analysis. I'd be
> > happy to elaborate on any aspect of it.
> >
> > tl;dr: Overall, it turns out to be more of a composition situation
> > rather than competition.
>
> Very nice, this was very helpful.
>
> On irc we also discussed signed git pushes (which are now also enabled
> on sourceware). Which provides another "layer" of integrity.
>
> As a reply to our fosstodon post
> https://fosstodon.org/@sourceware/110629743586988452 someone from the
> tor project posted an overview of "Git repository integrity solutions"
> they wrote up for their project:
> https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab#git-repository-integrity-solutions
>
> It references this discussion, so now I am completing the circle :)

Another reply (CCing the author):
https://toot.aquilenet.fr/@civodul/110658002235937665

  @sourceware To authenticate source code, the mechanism initially
  developed for Guix:
  https://doi.org/10.22152/programming-journal.org/2023/7/1
  https://guix.gnu.org/manual/en/html_node/Invoking-guix-git-authenticate.html

  My understanding is that gitsigur checks signatures against an
  out-of-band list of authorized keys, which isn't very useful because
  the set of authorized committers changes over time.
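The message above describes a server-side hook that enforces GPG-signed commits on protected branches, and the last reply raises the question of which keys count as authorized. The following is an added illustration of the core decision such a hook makes; it is not gitsigur's, Guix's, or sourceware's code. It relies only on documented `git log` placeholders (`%H`, `%G?`, `%GF`) and a static allow-list of key fingerprints, which is exactly the arrangement the Guix reply criticizes as going stale when committers change. All hashes and fingerprints are constructed placeholders, and the pre-receive stdin handling and the newly-created-ref case are assumed to be dealt with elsewhere.

```python
"""Added example (not gitsigur's, Guix's, or sourceware's code): the core
decision a server-side hook makes when enforcing GPG-signed commits on a
protected branch.  It parses `git log` output for the commits a push adds
and accepts a commit only if git reports a valid signature AND the signing
key is on the project's allow-list.  Hashes and fingerprints below are
constructed placeholders."""
import subprocess
from dataclasses import dataclass

# Meaning of the %G? placeholder, from git-log(1) "PRETTY FORMATS".
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key of unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing public key)",
    "N": "no signature",
}

# Full hash, status letter and signing-key fingerprint separated by ASCII
# unit separator (0x1f), so an unsigned commit's empty fingerprint still splits.
LOG_FORMAT = "%H%x1f%G?%x1f%GF"


@dataclass
class Commit:
    sha: str
    status: str       # one %G? letter
    fingerprint: str  # %GF, empty when unsigned


def git_log_command(old: str, new: str) -> list[str]:
    """argv listing the commits a push adds to a ref (old..new).

    A pre-receive hook reads 'old new refname' lines on stdin; an all-zero
    old value means a newly created ref, which this example does not handle.
    """
    return ["git", "log", f"--format={LOG_FORMAT}", f"{old}..{new}"]


def parse_git_log(text: str) -> list[Commit]:
    """Turn the output of git_log_command() into Commit records."""
    commits = []
    for line in text.splitlines():
        if line:
            sha, status, fingerprint = line.split("\x1f")
            commits.append(Commit(sha, status, fingerprint))
    return commits


def check_commits(commits, allowed_fingerprints, accept_unknown_validity=True):
    """Return (sha, accepted, reason) per commit, in the order git listed them.

    A 'good' signature from git is not enough: the server's keyring usually
    has no trust path, so 'U' is the normal outcome for a real committer, and
    without an allow-list any key at all would pass.  Both checks are needed.
    """
    valid = {"G", "U"} if accept_unknown_validity else {"G"}
    allowed = {fp.upper() for fp in allowed_fingerprints}
    results = []
    for c in commits:
        if c.status not in valid:
            reason = SIGNATURE_STATUS.get(c.status, f"unknown status {c.status!r}")
            results.append((c.sha, False, reason))
        elif c.fingerprint.upper() not in allowed:
            results.append((c.sha, False, f"signing key {c.fingerprint} not authorized"))
        else:
            results.append((c.sha, True, SIGNATURE_STATUS[c.status]))
    return results


def push_is_acceptable(old: str, new: str, allowed_fingerprints) -> bool:
    """Run git in the current repository; a hook would exit non-zero on False."""
    out = subprocess.run(git_log_command(old, new), check=True,
                         capture_output=True, text=True).stdout
    return all(ok for _, ok, _ in check_commits(parse_git_log(out),
                                                 allowed_fingerprints))


# Constructed sample: two authorized keys and one stranger's key.
ALLOWED_KEYS = {"0123456789ABCDEF0123456789ABCDEF01234567",
                "89ABCDEF0123456789ABCDEF0123456789ABCDEF"}
STRANGER_KEY = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

SAMPLE_LOG = "\n".join([
    "\x1f".join(["1" * 40, "G", "0123456789ABCDEF0123456789ABCDEF01234567"]),
    "\x1f".join(["2" * 40, "U", "89ABCDEF0123456789ABCDEF0123456789ABCDEF"]),
    "\x1f".join(["3" * 40, "G", STRANGER_KEY]),   # valid but unauthorized
    "\x1f".join(["4" * 40, "N", ""]),             # unsigned
    "\x1f".join(["5" * 40, "B", "0123456789ABCDEF0123456789ABCDEF01234567"]),
]) + "\n"

if __name__ == "__main__":
    for sha, ok, reason in check_commits(parse_git_log(SAMPLE_LOG), ALLOWED_KEYS):
        print(f"{sha[:12]} {'accept' if ok else 'REJECT'}: {reason}")
```

Run stand-alone it prints the verdict for each constructed commit; in a real hook `push_is_acceptable()` would be called once per updated ref with the old and new hashes read from stdin. The reason strings matter for defenders: a run of `N` on a protected branch means the hook is the only thing standing between an unsigned commit and the canonical history, while `E` usually means the server keyring is missing a committer's public key rather than that anything malicious happened.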