Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/hashbang/git-signatures

Git extensions for m-of-n signing and verification on commits/tags.
https://github.com/hashbang/git-signatures

Last synced: about 2 months ago
JSON representation

Git extensions for m-of-n signing and verification on commits/tags.

Awesome Lists containing this project

README 

        
# Git Signatures #



**Note:** This repository has been archived and superceded by `sig`, which is

eventually being superceded by a new project. You can read more details

[here](https://gist.github.com/lrvick/d4b87c600cc074dfcd00a01ee6275420).



This repo includes extensions and workflow examples for being able to attach

an arbitrary number of GPG signatures to a given commit or tag.



Git already supports commit signing. These tools are intended to compliment

that support by allowing a code reviewer and/or release engineer attach

their signatures as well.



A CI or build system that enforces m-of-n signature verification on git tags

to be released offers strong protection against tampering of the repository

by a single bad actor or compromised system.



This approach builds entirely on the git-notes interface which allows the

attachment of arbitrary data to an existing commit.



## Requirements ##



  * Git 2.1+

  * GnuPG 2.2+



### Mac OS X ###



Since the built in getopt and date binaries are not compatible with this script, you must install some GNU compatible binaries (homebrew recommended).



  * gnu-getopt

    * `brew install gnu-getopt`

    * `ln -s $(brew --prefix gnu-getopt)/bin/getopt /usr/local/bin/gnu-getopt`

  * coreutils

    * `brew install coreutils`



Make sure that the `gnu-getopt`, `gdate`, and `gshuf` binaries are in your $PATH.



## Install ##



You need only place bin/git-signatures anywhere in your $PATH.



By default you can install it to $HOME/.local/bin with:



```

make install

```



## Usage ##



### Pull and merge signatures from origin



```

git signatures pull

```



### Sign a tag



```

git signatures add v1.0.0

```



### Push new signatures to origin



```

git signatures push

```



### Pull/merge/sign/push against origin as single step



```

git signatures add --push v1.0.0

```



### Verify signatures



Will return the public key IDs of verified signers:



```

git signatures verify v1.0.0

```



### Verify m-of-n signatures



Verify m-of-n requirement met against default gpg trustdb.

Will return 0 only if conditions met.



```

git signatures verify --min-count 2 v1.0.0

```



### Verify against m-of-n signatures from multiple GPG trustdbs



```

git signatures verify --trustdb dev-team.db --min-count 2 v1.0.0

git signatures verify --trustdb release-team.db --min-count 1 v1.0.0

```



## Implementation ##



git-signatures is only a very simple set of wrappers to offer a shorthand

for git/gpg manipulations.



Signatures are just base64 encoded results of GPG signing a given git hash.

They are appended in the git-notes interface at refs/signatures.



These methods were chosen to make this setup easy to reason about and review.



A manual signing could be performed as:



```

  git rev-parse HEAD | gpg --sign | base64 -w0 | \

    git notes --ref refs/signatures append --file=-

  git push origin refs/signatures

```



A manual verification could be performed as:



```

git fetch origin refs/signatures

git notes merge -s cat_sort_uniq origin/refs/signatures

git notes --ref refs/signatures show | \

  xargs -L1 -I {} sh -c "echo {} | base64 -d | gpg -d"

```



## Notes ##



  Use at your own risk. You may be eaten by a grue.



  Questions/Comments?



  - IRC: [[email protected]/6697]()

  - Matrix: [@lrvick:matrix.org]()

  - Email: [[email protected]](mailto://[email protected])