From: "Frank Ch. Eigler" <fche@elastic.org>
To: overseers@sourceware.org
Subject: gitsigur for protecting git repo integrity
Date: Fri, 16 Jun 2023 20:03:00 -0400 [thread overview]
Message-ID: <ZIz4NB/AqWpSNj5d@elastic.org> (raw)
Hi -
I'd like to share a little gadget I've been working on recently.
It's a prototype git server hook for allowing participating projects
to check and/or enforce that commits to certain branches of
shared-access git repos such as those on sourceware are properly
gpg-signed. "properly" means signed with keys that are designated as
valid for the particular committer, so as to further protect repos -
from impersonation. Those keys are held in an auxiliary git repo.
It's a small, self-contained python3 script (plus a man page), already
deployed to gitsigur's own git repo (in enforcing mode!), and onto
elfutils & bunsen master branches in permissive mode (so it only
tests, but accepts anyway). Having a project gradually opt-in is
trivial for a shell-capable project admin:
- add a +x .git/hooks/update file containing something like like:
#! /bin/sh
set -e
/sourceware/projects/gitsigur-home/install/bin/gitsigur "$1" "$2" "$3"
- add a few configuration parameters to .git/config
[gitsigur]
keygitrepo = /sourceware/projects/gitsigur-home/keygitrepo
checkref = refs/heads/master
- and gradually send me/us participating folks' gpg public keys to
add to the new git://sourceware.org/git/keygitrepo.git keyring
That's it! If in enforcing mode, this is what a push attempt would
see on an unsigned commit:
remote: gitsigur checking (enforcing) against keygitrepo /git/keygitrepo.git branch keymaster
remote: ⨯ commit 3a3c69aafa549aad042ed2210bae36fa7fe0ced8 not signed
remote: gitsigur result: ⨯ failure
remote: error: hook declined to update refs/heads/master
To ssh://sourceware.org/git/gitsigur.git
! [remote rejected] master -> master (hook declined)
error: failed to push some refs to 'ssh://sourceware.org/git/gitsigur.git'
On the other hand, a happier outcome looks like this:
remote: gitsigur checking (enforcing) against keygitrepo /sourceware/projects/gitsigur-home/keygitrepo branch keymaster
remote: ✓ commit d4bad9409204c887e7786427caf0b1919fd3f09d signed by authorized key for fche@redhat.com
remote: gitsigur result: ✓ success
To ssh://sourceware.org/git/gitsigur.git
9fa6f36a615f..d4bad9409204 master -> master
In the default permissive mode, even failure gets a trophy.
From the developer side, signing git commits with gpg is not too bad.
With tools like gpg-agent mediating one's credentials, one's not stuck
typing passphrases all day.
https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
Future:
The gadget scratches my itch already.
Depending on interest etc. and time availability, one can envision
some self-serve management of the repo that stores gpg public keys,
maybe interoperation with public gpg key servers, maybe dabbling in
web-of-trust type things. Maybe gamification so projects and people
who commit signed things, thereby contributing to a secure supply
chain, get rewarded with electronic tchotchkes. Maybe allow
per-branch keyring configuration. Maybe toolshed some jargon? What
do you think?
Sauce:
https://sourceware.org/git/gitsigur.git
https://sourceware.org/git/keygitrepo.git
Similarish:
https://gitweb.gentoo.org/infra/githooks.git/tree/local/update-02-gpg
[and probably a bunch of others]
- FChE
next reply other threads:[~2023-06-17 0:03 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-17 0:03 Frank Ch. Eigler [this message]
2023-06-18 23:03 ` Mark Wielaard
2023-06-19 20:20 ` Frank Ch. Eigler
2023-06-29 18:55 ` Frank Ch. Eigler
2023-07-04 8:32 ` Mark Wielaard
2023-07-05 18:25 ` Mark Wielaard
2023-07-05 20:01 ` Frank Ch. Eigler
2023-07-10 21:35 ` Ludovic Courtès
2023-07-10 22:05 ` Frank Ch. Eigler
2023-07-14 13:18 ` Ludovic Courtès
2023-07-14 14:00 ` Frank Ch. Eigler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZIz4NB/AqWpSNj5d@elastic.org \
--to=fche@elastic.org \
--cc=overseers@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).