public inbox for
 help / color / mirror / Atom feed
* gitsigur for protecting git repo integrity
@ 2023-06-17  0:03 Frank Ch. Eigler
  2023-06-18 23:03 ` Mark Wielaard
  2023-06-29 18:55 ` Frank Ch. Eigler
  0 siblings, 2 replies; 11+ messages in thread
From: Frank Ch. Eigler @ 2023-06-17  0:03 UTC (permalink / raw)
  To: overseers

Hi -

I'd like to share a little gadget I've been working on recently.

It's a prototype git server hook for allowing participating projects
to check and/or enforce that commits to certain branches of
shared-access git repos such as those on sourceware are properly
gpg-signed.  "properly" means signed with keys that are designated as
valid for the particular committer, so as to further protect repos -
from impersonation.  Those keys are held in an auxiliary git repo.

It's a small, self-contained python3 script (plus a man page), already
deployed to gitsigur's own git repo (in enforcing mode!), and onto
elfutils & bunsen master branches in permissive mode (so it only
tests, but accepts anyway).  Having a project gradually opt-in is
trivial for a shell-capable project admin:

 - add a +x .git/hooks/update file containing something like like:

   #! /bin/sh
   set -e
   /sourceware/projects/gitsigur-home/install/bin/gitsigur "$1" "$2" "$3"

 - add a few configuration parameters to .git/config
       keygitrepo = /sourceware/projects/gitsigur-home/keygitrepo
       checkref = refs/heads/master

 - and gradually send me/us participating folks' gpg public keys to
   add to the new git:// keyring

That's it!  If in enforcing mode, this is what a push attempt would
see on an unsigned commit:

remote: gitsigur checking (enforcing) against keygitrepo /git/keygitrepo.git branch keymaster
remote: ⨯ commit 3a3c69aafa549aad042ed2210bae36fa7fe0ced8 not signed
remote: gitsigur result: ⨯ failure
remote: error: hook declined to update refs/heads/master
To ssh://
 ! [remote rejected]           master -> master (hook declined)
  error: failed to push some refs to 'ssh://'
On the other hand, a happier outcome looks like this:

remote: gitsigur checking (enforcing) against keygitrepo /sourceware/projects/gitsigur-home/keygitrepo branch keymaster
remote: ✓ commit d4bad9409204c887e7786427caf0b1919fd3f09d signed by authorized key for
remote: gitsigur result: ✓ success
To ssh://
   9fa6f36a615f..d4bad9409204  master -> master

In the default permissive mode, even failure gets a trophy.

From the developer side, signing git commits with gpg is not too bad.
With tools like gpg-agent mediating one's credentials, one's not stuck
typing passphrases all day.


The gadget scratches my itch already.

Depending on interest etc. and time availability, one can envision
some self-serve management of the repo that stores gpg public keys,
maybe interoperation with public gpg key servers, maybe dabbling in
web-of-trust type things.  Maybe gamification so projects and people
who commit signed things, thereby contributing to a secure supply
chain, get rewarded with electronic tchotchkes.  Maybe allow
per-branch keyring configuration.  Maybe toolshed some jargon?  What
do you think?


[and probably a bunch of others]

- FChE

^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2023-07-14 14:00 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-17  0:03 gitsigur for protecting git repo integrity Frank Ch. Eigler
2023-06-18 23:03 ` Mark Wielaard
2023-06-19 20:20   ` Frank Ch. Eigler
2023-06-29 18:55 ` Frank Ch. Eigler
2023-07-04  8:32   ` Mark Wielaard
2023-07-05 18:25     ` Mark Wielaard
2023-07-05 20:01       ` Frank Ch. Eigler
2023-07-10 21:35         ` Ludovic Courtès
2023-07-10 22:05           ` Frank Ch. Eigler
2023-07-14 13:18             ` Ludovic Courtès
2023-07-14 14:00               ` Frank Ch. Eigler

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).