* gitsigur improvement: ability to verify ssh-signed git commits
From: Frank Ch. Eigler @ 2024-10-31 2:43 UTC (permalink / raw)
To: overseers; +Cc: redi, drepper, nickc, nix, ktkachov
Hi -
The gitsigur gadget [1], installed last year on sourceware as
/sourceware/projects/gitsigur-home/install/bin/gitsigur, and used by
some (7) sourceware git repos already, grew a new capability today.
It can now also verify/enforce ssh-signed git commits, not just
gpg-signed ones.
It integrates smoothly with our "keygitrepo" concept. This involves
enumeration of all the public keys designated for particular
*committers* (as opposed to a global pool of keys for all committers,
as done by some Lesser systems :-). Namely, ssh public keys that are
authorized for any are stored as "*.pub" files alongside
"*.asc"/"*.gpg" files (if any) in subdirectories named after the
committers' email addresses.
Sourceware's current little crop of keys is here:
https://sourceware.org/git/?p=keygitrepo.git;a=tree;h=refs/heads/keymaster;hb=refs/heads/keymaster
I'd be glad to add more. I took the liberty of cc:'ing some
sourceware users who expressed interest in this or who habitually
ssh-sign their commits already. Their keys should come into the
database pronto.
(At some point, may want to scrape public keys from the sourceware
ssh-login pub files, or from the forge experiment.)
IMO, we should look into how to get gitsigur (at least in permissive
mode) activated on some of the branches of the other repos,
incl. those that are using the adacore hooks to do some commit testing
already. Please let me know if there's interest over in gcc /
binutils-gdb / glibc / etc. land.
BTW, this required installation of a modern ssh-keygen binary (rhel8's
is too old to support the -Y crypto operations), which is now in
/usr/local/bin on sourceware. Its presence should not affect normal
system ssh operations.
[1] https://sourceware.org/pipermail/overseers/2023q2/019288.html
- FChE
* Re: gitsigur improvement: ability to verify ssh-signed git commits
From: Nick Alcock @ 2024-11-04 14:05 UTC (permalink / raw)
To: Frank Ch. Eigler; +Cc: overseers
On 31 Oct 2024, Frank Ch. Eigler verbalised:
> The gitsigur gadget [1], installed last year on sourceware as
> /sourceware/projects/gitsigur-home/install/bin/gitsigur, and used by
> some (7) sourceware git repos already, grew a new capability today.
> It can now also verify/enforce ssh-signed git commits, not just
> gpg-signed ones.
Oh nice! I'd forgotten all about gitsigur: nice to know it's not at all
dead :)
> I'd be glad to add more. I took the liberty of cc:'ing some
> sourceware users who expressed interest in this or who habitually
> ssh-sign their commits already. Their keys should come into the
> database pronto.
My pubkey is currently
ssh-rsa [...] nix@sourceware
but if you can put two keys in, this email has pushed me to generate
this new key:
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINzXQmbnhYdjCKe5NnDpfGfEaAfj12vBAm7HN7UsZnlgAAAABHNzaDo= nix-yk2021@sourceware
which I will start to use for signing from now on simply because it's
hardware-backed. (This key is a no-touch-required key to make git
rebase non-intolerable, which means I'm not going to be using it for ssh
connections, only for signing. I wish ssh-keygen could cache the fact
that a touch had happened in the last minute or so and not require you
to just keep tapping frantically...)
This Yubikey is vulnerable to the recently announced attacks, but if
someone decaps it they have necessarily mugged me and stolen my front
door keys too and I will let you know! :)
> (At some point, may want to scrape public keys from the sourceware
> ssh-login pub files, or from the forge experiment.)
Good idea! The keys in the ssh-login pub files should probably always be
considered suitable for verification too, IMHO.
* Re: gitsigur improvement: ability to verify ssh-signed git commits
From: Frank Ch. Eigler @ 2024-11-04 15:24 UTC (permalink / raw)
To: Overseers mailing list; +Cc: Frank Ch. Eigler, Nick Alcock
Hi -
> > The gitsigur gadget [1], installed last year on sourceware as
> > /sourceware/projects/gitsigur-home/install/bin/gitsigur, and used by
> > some (7) sourceware git repos already, grew a new capability today.
> > It can now also verify/enforce ssh-signed git commits, not just
> > gpg-signed ones.
>
> Oh nice! I'd forgotten all about gitsigur: nice to know it's not at all
> dead :)
Not much work ongoing on the code proper, but it's in daily use, so
not "dead".
> > I'd be glad to add more. I took the liberty of cc:'ing some
> > sourceware users who expressed interest in this or who habitually
> > ssh-sign their commits already. Their keys should come into the
> > database pronto.
>
> My pubkey is currently [...]
Added both:
https://sourceware.org/git/?p=keygitrepo.git;a=commit;h=4948d71957b6687b0181af23c96e17f8d07eeb83
Which git repos do you most contribute to? We can reach out to those
teams to get gitsigur called, in an advisory capacity, from their
adacore hook setup.
> [...]
> > (At some point, may want to scrape public keys from the sourceware
> > ssh-login pub files, or from the forge experiment.)
>
> Good idea! The keys in the ssh-login pub files should probably always be
> considered suitable for verification too, IMHO.
Yeah, just the git-committer email address identity is not immediately
scrapeable from the /home/FOO/.ssh/authorized_keys file. Almost no
one uses FOO@sourceware.org as the git committer.
- FChE
* Re: gitsigur improvement: ability to verify ssh-signed git commits
From: Nick Alcock @ 2024-11-05 13:56 UTC (permalink / raw)
To: Frank Ch. Eigler; +Cc: Overseers mailing list, Frank Ch. Eigler
On 4 Nov 2024, Frank Ch. Eigler outgrape:
> Hi -
>
>> > The gitsigur gadget [1], installed last year on sourceware as
>> > /sourceware/projects/gitsigur-home/install/bin/gitsigur, and used by
>> > some (7) sourceware git repos already, grew a new capability today.
>> > It can now also verify/enforce ssh-signed git commits, not just
>> > gpg-signed ones.
>>
>> Oh nice! I'd forgotten all about gitsigur: nice to know it's not at all
>> dead :)
>
> Not much work ongoing on the code proper, but it's in daily use, so
> not "dead".
Good to hear! Signatures are useless without verification, and while it
is reassuring to see "good "git signature from..." in git log for me,
obviously I'm not going to run around digging up signatures from
everyone else by hand.
So actually the keygitrepo is doubly useful -- I just cloned it
specifically so I could tell git about the other public keys in it on my
local git install. Five lines of scripting to populate allowed_signers
and a gpg --import and bingo. This is a sufficiently non-awful UI that
I'm wondering if it's actually even cryptography. :)
>> > I'd be glad to add more. I took the liberty of cc:'ing some
>> > sourceware users who expressed interest in this or who habitually
>> > ssh-sign their commits already. Their keys should come into the
>> > database pronto.
>>
>> My pubkey is currently [...]
>
> Added both:
> https://sourceware.org/git/?p=keygitrepo.git;a=commit;h=4948d71957b6687b0181af23c96e17f8d07eeb83
Thanks!
(btw, a few of your keys in there elicit GPG weak signature warnings,
but I guess if they're old ones and there are commits signed with them
you have no real choice.)
> Which git repos do you most contribute to? We can reach out to those
> teams to get gitsigur called, in an advisory capacity, from their
> adacore hook setup.
It's all binutils-gdb these days. If GCC happens it's as a side-effect
of libiberty changes, etc, but that is rare.
>> [...]
>> > (At some point, may want to scrape public keys from the sourceware
>> > ssh-login pub files, or from the forge experiment.)
>>
>> Good idea! The keys in the ssh-login pub files should probably always be
>> considered suitable for verification too, IMHO.
>
> Yeah, just the git-committer email address identity is not immediately
> scrapeable from the /home/FOO/.ssh/authorized_keys file. Almost no
> one uses FOO@sourceware.org as the git committer.
Oh true! Dammit, the principal can't be built up automatically, can it,
and we don't really have any binding for that recorded anywhere. We rely
on "don't be awful" to stop people pushing stuff using other people's
email addresses, but that's unfortunately not something it's easy to
teach to computers.
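The "populate allowed_signers" step mentioned in this message, applied to the per-committer keygitrepo layout described at the top of the thread, as an added example. It is not the poster's script and not gitsigur-export; the function name `build_allowed_signers` and the assumption that the email-named directories sit directly under the checkout root are hypothetical.

```shell
#!/bin/sh
# Added example, not gitsigur-export. Assumed layout: <root>/<committer-email>/*.pub
# Usage: build_allowed_signers /path/to/keygitrepo > allowed_signers
#        git config gpg.ssh.allowedSignersFile "$PWD/allowed_signers"

build_allowed_signers() {
    root=$1
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        email=$(basename "$dir")
        # Principals in allowed_signers are glob patterns and comma lists, so a
        # directory named "*@example.org" would vouch for every committer there.
        case $email in
            *[!A-Za-z0-9@._+-]* | *@*@*) echo "skipping directory: $email" >&2; continue ;;
            ?*@?*) ;;
            *) echo "skipping directory: $email" >&2; continue ;;
        esac
        for pub in "$dir"*.pub; do
            [ -f "$pub" ] || continue
            # Each line: keytype base64-blob [comment]; the comment is dropped.
            while read -r keytype blob _comment || [ -n "$keytype" ]; do
                case $keytype in
                    ssh-ed25519 | ssh-rsa | ecdsa-sha2-nistp*) ;;
                    sk-ssh-ed25519@openssh.com | sk-ecdsa-sha2-nistp256@openssh.com) ;;
                    *) continue ;;   # blank line, comment, or options-prefixed entry
                esac
                case $blob in
                    '' | *[!A-Za-z0-9+/=]*) continue ;;   # not a base64 key blob
                esac
                # namespaces="git" limits the key to git object signatures.
                printf '%s namespaces="git" %s %s\n' "$email" "$keytype" "$blob"
            done < "$pub"
        done
    done
    return 0
}
```

Binding each key to the directory's email keeps the per-committer mapping; a key listed under one address does not verify commits claiming another.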
* Re: gitsigur improvement: ability to verify ssh-signed git commits
From: Frank Ch. Eigler @ 2024-11-20 22:47 UTC (permalink / raw)
To: Nick Alcock; +Cc: Frank Ch. Eigler, Overseers mailing list
Hi -
On Tue, Nov 05, 2024 at 01:56:28PM +0000, Nick Alcock wrote:
> [...]
> So actually the keygitrepo is doubly useful -- I just cloned it
> specifically so I could tell git about the other public keys in it on my
> local git install. Five lines of scripting to populate allowed_signers
> and a gpg --import and bingo. This is a sufficiently non-awful UI that
> I'm wondering if it's actually even cryptography. :) [...]
A twice-removed cousin of those five lines of scripting is now also
available as "gitsigur-export", a new sibling tool.
https://sourceware.org/git/?p=gitsigur.git;a=commitdiff;h=abcaab4c601f81b90fcf1879d25807c6d8c25bae
I'll work with mjw to get a snapshot-builder going for it, so there's
a fixed place one can download all gitsigur keygitrepo exported keys from.
- FChE
* Re: gitsigur improvement: ability to verify ssh-signed git commits
From: Nick Alcock @ 2024-11-26 13:42 UTC (permalink / raw)
To: Frank Ch. Eigler; +Cc: Frank Ch. Eigler, Overseers mailing list
On 20 Nov 2024, Frank Ch. Eigler told this:
> Hi -
>
> On Tue, Nov 05, 2024 at 01:56:28PM +0000, Nick Alcock wrote:
>> [...]
>> So actually the keygitrepo is doubly useful -- I just cloned it
>> specifically so I could tell git about the other public keys in it on my
>> local git install. Five lines of scripting to populate allowed_signers
>> and a gpg --import and bingo. This is a sufficiently non-awful UI that
>> I'm wondering if it's actually even cryptography. :) [...]
>
> A twice-removed cousin of those five lines of scripting is now also
> available as "gitsigur-export", a new sibling tool.
>
> https://sourceware.org/git/?p=gitsigur.git;a=commitdiff;h=abcaab4c601f81b90fcf1879d25807c6d8c25bae
Nice! and yes that really is quite removed, and much more readable.
--
NULL && (void)