{"id":15148646,"url":"https://github.com/sug0/git-signify","last_synced_at":"2025-05-07T08:40:53.517Z","repository":{"id":182447142,"uuid":"668511051","full_name":"sug0/git-signify","owner":"sug0","description":"Harness the power of signify(1) to sign arbitrary git objects","archived":false,"fork":false,"pushed_at":"2024-12-29T20:03:45.000Z","size":81,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-12-29T20:19:02.362Z","etag":null,"topics":["cryptography","git","openbsd","rust","security","signature","signify"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sug0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-07-20T01:51:42.000Z","updated_at":"2024-12-29T20:03:45.000Z","dependencies_parsed_at":null,"dependency_job_id":"62e1fc15-e085-4783-af9b-96c50b348e01","html_url":"https://github.com/sug0/git-signify","commit_stats":{"total_commits":40,"total_committers":1,"mean_commits":40.0,"dds":0.0,"last_synced_commit":"607a392ffe8eefea304c247b3c916c68b776d1dd"},"previous_names":["sug0/git-signify"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sug0%2Fgit-signify","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sug0%2Fgit-signify/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sug0%2Fgit-signify/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sug0%2Fgit-signify/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sug0","download_url":"https://codeload.github.com/sug0/git-signify/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237986881,"owners_count":19397810,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","git","openbsd","rust","security","signature","signify"],"created_at":"2024-09-26T13:21:24.713Z","updated_at":"2025-02-09T17:20:33.053Z","avatar_url":"https://github.com/sug0.png","language":"Rust","readme":"# git-signify\n\nA tool to sign arbitrary objects in a git repository.\n\n## Generating keys\n\nSigning keys can be generated with [`signify`], from the OpenBSD project.\n\n```\n$ signify -G -p newkey.pub -s newkey.sec\n```\n\nIf you do not wish to encrypt your keys, pass the `-n` flag to the\ncommand line of `signify`.\n\nAlternatively, [`minisign`] keys may also be used. This project provides\na more portable alternative to [`signify`].\n\n```\n$ minisign -G -p newkey.pub -s newkey.sec\n```\n\n`git-signify` always assumes that [`minisign`] keys are encrypted,\nalbeit the CLI tool allows generating non-encrypted keys.\n\n[`signify`]: https://man.openbsd.org/signify.1\n[`minisign`]: https://github.com/jedisct1/minisign\n\n## Basic usage\n\nThis program keeps track of signatures made by a keypair with a given\nfingerprint as git references. References can be fetched from and\npushed to a remote.\n\n```\n$ git signify pull origin\n$ git signify push origin\n```\n\nVerification can be done with `git signify verify`. For example, to\nverify a release of `git-signify` itself:\n\n```\n$ git pull --tags\n$ git signify pull\n$ git signify verify -k \u003c(curl -sfL https://gandas.us.to/keys/git.pub) v0.7.0\n$ git signify verify -k \u003c(curl -sfL https://gandas.us.to/keys/git_minisign.pub) v0.7.0\n```\n\nTo sign git revisions, run something akin to:\n\n```\n$ git signify sign -k \u003csecret-key\u003e v0.7.0\n```\n\n## In-depth\n\n### Brief overview of how this program works\n\n`git-signify` writes a tree object to some git repository containing the\nfollowing blobs:\n\n```\n100644 blob aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\talgorithm\n100644 blob bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\tsignature\n100644 blob cccccccccccccccccccccccccccccccccccccccc\tversion\n```\n\nAnother git object `object` may be present in the tree, if a signature\nover a blob or another tree is being made. This `object` is a pointer\nto the respective git object being signed over. On the other hand,\n`signature` contains the base64 encoded `signify` or `minisign` signature\nover the raw (20 byte) id of `object`. The remaining blobs, `version` and\n`algorithm`, represent the current version of the `git-signify` tree format\nand the algorithm (`minisign` or `signify`) being used, respectively.\n\nThe tree is then committed along with a potential parent, which is the commit\nhash being signed over, if any. The resulting commit's hash is returned by\n`git signify raw sign`.\n\nSignatures end up in `refs/signify/signatures/${key_fingerprint}/${sig_hash}`,\nwhere `$key_fingerprint` can be computed by `git signify fingerprint`, and\n`$sig_hash` is a hash returned by `git signify raw sign`.\n\n### Why, we have GnuPG\n\nGPG sucks.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsug0%2Fgit-signify","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsug0%2Fgit-signify","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsug0%2Fgit-signify/lists"}