From: "Frank Ch. Eigler"
To: overseers@sourceware.org
Date: Fri, 16 Jun 2023 20:03:00 -0400
Subject: gitsigur for protecting git repo integrity

Hi -

I'd like to share a little gadget I've been working on recently. It's a
prototype git server hook for allowing participating projects to check
and/or enforce that commits to certain branches of shared-access git
repos such as those on sourceware are properly gpg-signed. "properly"
means signed with keys that are designated as valid for the particular
committer, so as to further protect repos - from impersonation. Those
keys are held in an auxiliary git repo.

It's a small, self-contained python3 script (plus a man page), already
deployed to gitsigur's own git repo (in enforcing mode!), and onto
elfutils & bunsen master branches in permissive mode (so it only tests,
but accepts anyway).

Having a project gradually opt-in is trivial for a shell-capable project
admin:

- add a +x .git/hooks/update file containing something like:

    #! /bin/sh
    set -e
    /sourceware/projects/gitsigur-home/install/bin/gitsigur "$1" "$2" "$3"

- add a few configuration parameters to .git/config

    [gitsigur]
        keygitrepo = /sourceware/projects/gitsigur-home/keygitrepo
        checkref = refs/heads/master

- and gradually send me/us participating folks' gpg public keys to add
  to the new git://sourceware.org/git/keygitrepo.git keyring

That's it!

If in enforcing mode, this is what a push attempt would see on an
unsigned commit:

    remote: gitsigur checking (enforcing) against keygitrepo /git/keygitrepo.git branch keymaster
    remote: ⨯ commit 3a3c69aafa549aad042ed2210bae36fa7fe0ced8 not signed
    remote: gitsigur result: ⨯ failure
    remote: error: hook declined to update refs/heads/master
    To ssh://sourceware.org/git/gitsigur.git
     ! [remote rejected] master -> master (hook declined)
    error: failed to push some refs to 'ssh://sourceware.org/git/gitsigur.git'

On the other hand, a happier outcome looks like this:

    remote: gitsigur checking (enforcing) against keygitrepo /sourceware/projects/gitsigur-home/keygitrepo branch keymaster
    remote: ✓ commit d4bad9409204c887e7786427caf0b1919fd3f09d signed by authorized key for fche@redhat.com
    remote: gitsigur result: ✓ success
    To ssh://sourceware.org/git/gitsigur.git
       9fa6f36a615f..d4bad9409204  master -> master

In the default permissive mode, even failure gets a trophy.

From the developer side, signing git commits with gpg is not too bad.
With tools like gpg-agent mediating one's credentials, one's not stuck
typing passphrases all day.

    https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

Future: The gadget scratches my itch already. Depending on interest etc.
and time availability, one can envision some self-serve management of
the repo that stores gpg public keys, maybe interoperation with public
gpg key servers, maybe dabbling in web-of-trust type things. Maybe
gamification so projects and people who commit signed things, thereby
contributing to a secure supply chain, get rewarded with electronic
tchotchkes. Maybe allow per-branch keyring configuration. Maybe
toolshed some jargon?

What do you think?

Sauce:
    https://sourceware.org/git/gitsigur.git
    https://sourceware.org/git/keygitrepo.git

Similarish:
    https://gitweb.gentoo.org/infra/githooks.git/tree/local/update-02-gpg
    [and probably a bunch of others]

- FChE
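The check the message describes, a git update hook that walks the pushed commits on the configured ref and accepts only those signed with a key designated for the committer, can be modelled in a few dozen lines. The block below is an added example for this post, not gitsigur's own script. It assumes (my choices, not from the message) that the keyring is represented as a dict of committer e-mail to authorized GPG key fingerprints, that git's `%G?`, `%GF` and `%GP` pretty-format placeholders are used to read each commit's signature state, and that the constructed e-mails, fingerprints and commit hashes are placeholders. Enforcing and permissive modes follow the behaviour the post describes: permissive reports failures but still accepts the update.

```python
#!/usr/bin/env python3
"""Model of a signed-commit 'update' hook (added example, not gitsigur's code).

Assumptions not from the original post: the keyring is a dict of
committer e-mail -> set of authorized key fingerprints, and git's
'%G?' / '%GF' / '%GP' placeholders supply the signature state.
"""
import subprocess
import sys
from dataclasses import dataclass

CHECKREF = "refs/heads/master"   # mirrors the post's checkref setting
ENFORCING = False                # the post says the default mode is permissive

# Constructed allowlist standing in for the keygitrepo keyring
# (hypothetical e-mails and fingerprints).
AUTHORIZED_KEYS = {
    "alice@example.org": {"A" * 40},
    "bob@example.org": {"B" * 40},
}

# Fields: hash, signature status, signing-key fingerprint, primary-key
# fingerprint, committer e-mail.  %x09 is a tab, which none of these contain.
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%GP%x09%ce"

# Statuses git-log(1) reports for a cryptographically good signature.
# U means good, but gpg's trust database does not vouch for the key;
# with a dedicated keyring the allowlist below is the source of trust.
GOOD_STATUSES = {"G", "U"}


@dataclass
class Verdict:
    commit: str
    ok: bool
    reason: str


def check_log_line(line, authorized=AUTHORIZED_KEYS):
    """Decide one commit from a LOG_FORMAT line."""
    sha, status, fpr, primary, email = line.rstrip("\n").split("\t")
    if status == "N":
        return Verdict(sha, False, "not signed")
    if status not in GOOD_STATUSES:
        # B bad, E unverifiable (key not in keyring), X/Y expired, R revoked
        return Verdict(sha, False, f"signature status {status}")
    allowed = authorized.get(email, set())
    # Accept either the signing subkey or its primary key being designated.
    if fpr in allowed or primary in allowed:
        return Verdict(sha, True, f"signed by authorized key for {email}")
    # Valid signature, but not by a key designated for this committer:
    # this is the impersonation case the hook exists to catch.
    return Verdict(sha, False, f"signed by key {fpr[-16:]} not authorized for {email}")


def check_lines(lines, authorized=AUTHORIZED_KEYS):
    """Verdicts for every non-empty log line."""
    return [check_log_line(line, authorized) for line in lines if line.strip()]


def hook_exit_code(verdicts, enforcing=ENFORCING):
    """0 accepts the ref update; permissive mode reports but still accepts."""
    failed = any(not v.ok for v in verdicts)
    return 1 if (failed and enforcing) else 0


def git_log_lines(old, new):
    """Log lines for the commits being pushed; an all-zero 'old' is a new ref."""
    rev_range = new if set(old) == {"0"} else f"{old}..{new}"
    out = subprocess.run(["git", "log", f"--format={LOG_FORMAT}", rev_range],
                         check=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def main(argv=None):
    argv = sys.argv if argv is None else argv
    if len(argv) != 4:
        print("usage: update <refname> <old-sha> <new-sha>", file=sys.stderr)
        return 2
    refname, old, new = argv[1:4]   # git passes these to an update hook
    if refname != CHECKREF:
        return 0                    # only the configured ref is checked
    verdicts = check_lines(git_log_lines(old, new))
    for v in verdicts:
        print(f"{'✓' if v.ok else '⨯'} commit {v.commit} {v.reason}", file=sys.stderr)
    code = hook_exit_code(verdicts)
    print(f"result: {'✓ success' if code == 0 else '⨯ failure'}", file=sys.stderr)
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/update`, git invokes it with the ref name and the old and new object ids; a non-zero exit in enforcing mode produces the "hook declined" rejection shown above. The important design point is that the hook does not trust gpg's own validity judgement: a commit carrying a perfectly good signature is still refused when the signing key is not one designated for that committer's e-mail, which is what turns "signed" into "signed by the right person".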