public inbox for
 help / color / mirror / Atom feed
From: "Frank Ch. Eigler" <>
Subject: gitsigur for protecting git repo integrity
Date: Fri, 16 Jun 2023 20:03:00 -0400	[thread overview]
Message-ID: <ZIz4NB/> (raw)

Hi -

I'd like to share a little gadget I've been working on recently.

It's a prototype git server hook for allowing participating projects
to check and/or enforce that commits to certain branches of
shared-access git repos such as those on sourceware are properly
gpg-signed.  "properly" means signed with keys that are designated as
valid for the particular committer, so as to further protect repos -
from impersonation.  Those keys are held in an auxiliary git repo.

It's a small, self-contained python3 script (plus a man page), already
deployed to gitsigur's own git repo (in enforcing mode!), and onto
elfutils & bunsen master branches in permissive mode (so it only
tests, but accepts anyway).  Having a project gradually opt-in is
trivial for a shell-capable project admin:

 - add a +x .git/hooks/update file containing something like like:

   #! /bin/sh
   set -e
   /sourceware/projects/gitsigur-home/install/bin/gitsigur "$1" "$2" "$3"

 - add a few configuration parameters to .git/config
       keygitrepo = /sourceware/projects/gitsigur-home/keygitrepo
       checkref = refs/heads/master

 - and gradually send me/us participating folks' gpg public keys to
   add to the new git:// keyring

That's it!  If in enforcing mode, this is what a push attempt would
see on an unsigned commit:

remote: gitsigur checking (enforcing) against keygitrepo /git/keygitrepo.git branch keymaster
remote: ⨯ commit 3a3c69aafa549aad042ed2210bae36fa7fe0ced8 not signed
remote: gitsigur result: ⨯ failure
remote: error: hook declined to update refs/heads/master
To ssh://
 ! [remote rejected]           master -> master (hook declined)
  error: failed to push some refs to 'ssh://'
On the other hand, a happier outcome looks like this:

remote: gitsigur checking (enforcing) against keygitrepo /sourceware/projects/gitsigur-home/keygitrepo branch keymaster
remote: ✓ commit d4bad9409204c887e7786427caf0b1919fd3f09d signed by authorized key for
remote: gitsigur result: ✓ success
To ssh://
   9fa6f36a615f..d4bad9409204  master -> master

In the default permissive mode, even failure gets a trophy.

From the developer side, signing git commits with gpg is not too bad.
With tools like gpg-agent mediating one's credentials, one's not stuck
typing passphrases all day.


The gadget scratches my itch already.

Depending on interest etc. and time availability, one can envision
some self-serve management of the repo that stores gpg public keys,
maybe interoperation with public gpg key servers, maybe dabbling in
web-of-trust type things.  Maybe gamification so projects and people
who commit signed things, thereby contributing to a secure supply
chain, get rewarded with electronic tchotchkes.  Maybe allow
per-branch keyring configuration.  Maybe toolshed some jargon?  What
do you think?


[and probably a bunch of others]

- FChE

             reply	other threads:[~2023-06-17  0:03 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-17  0:03 Frank Ch. Eigler [this message]
2023-06-18 23:03 ` Mark Wielaard
2023-06-19 20:20   ` Frank Ch. Eigler
2023-06-29 18:55 ` Frank Ch. Eigler
2023-07-04  8:32   ` Mark Wielaard
2023-07-05 18:25     ` Mark Wielaard
2023-07-05 20:01       ` Frank Ch. Eigler
2023-07-10 21:35         ` Ludovic Courtès
2023-07-10 22:05           ` Frank Ch. Eigler
2023-07-14 13:18             ` Ludovic Courtès
2023-07-14 14:00               ` Frank Ch. Eigler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZIz4NB/ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).