Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/sug0/git-signify

Harness the power of signify(1) to sign arbitrary git objects
https://github.com/sug0/git-signify

cryptography git openbsd rust security signature signify

Last synced: 9 days ago
JSON representation

Harness the power of signify(1) to sign arbitrary git objects

Host: GitHub
URL: https://github.com/sug0/git-signify
Owner: sug0
License: mit
Created: 2023-07-20T01:51:42.000Z (over 1 year ago)
Default Branch: main
Last Pushed: 2024-12-29T20:03:45.000Z (about 2 months ago)
Last Synced: 2024-12-29T20:19:02.362Z (about 2 months ago)
Topics: cryptography, git, openbsd, rust, security, signature, signify
Language: Rust
Homepage:
Size: 79.1 KB
Stars: 3
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# git-signify

A tool to sign arbitrary objects in a git repository.

## Generating keys

Signing keys can be generated with [`signify`], from the OpenBSD project.

```
$ signify -G -p newkey.pub -s newkey.sec
```

If you do not wish to encrypt your keys, pass the `-n` flag to the
command line of `signify`.

Alternatively, [`minisign`] keys may also be used. This project provides
a more portable alternative to [`signify`].

```
$ minisign -G -p newkey.pub -s newkey.sec
```

`git-signify` always assumes that [`minisign`] keys are encrypted,
albeit the CLI tool allows generating non-encrypted keys.

[`signify`]: https://man.openbsd.org/signify.1
[`minisign`]: https://github.com/jedisct1/minisign

## Basic usage

This program keeps track of signatures made by a keypair with a given
fingerprint as git references. References can be fetched from and
pushed to a remote.

```
$ git signify pull origin
$ git signify push origin
```

Verification can be done with `git signify verify`. For example, to
verify a release of `git-signify` itself:

```
$ git pull --tags
$ git signify pull
$ git signify verify -k <(curl -sfL https://gandas.us.to/keys/git.pub) v0.7.0
$ git signify verify -k <(curl -sfL https://gandas.us.to/keys/git_minisign.pub) v0.7.0
```

To sign git revisions, run something akin to:

```
$ git signify sign -k v0.7.0
```

## In-depth

### Brief overview of how this program works

`git-signify` writes a tree object to some git repository containing the
following blobs:

```
100644 blob aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa algorithm
100644 blob bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb signature
100644 blob cccccccccccccccccccccccccccccccccccccccc version
```

Another git object `object` may be present in the tree, if a signature
over a blob or another tree is being made. This `object` is a pointer
to the respective git object being signed over. On the other hand,
`signature` contains the base64 encoded `signify` or `minisign` signature
over the raw (20 byte) id of `object`. The remaining blobs, `version` and
`algorithm`, represent the current version of the `git-signify` tree format
and the algorithm (`minisign` or `signify`) being used, respectively.

The tree is then committed along with a potential parent, which is the commit
hash being signed over, if any. The resulting commit's hash is returned by
`git signify raw sign`.

Signatures end up in `refs/signify/signatures/${key_fingerprint}/${sig_hash}`,
where `$key_fingerprint` can be computed by `git signify fingerprint`, and
`$sig_hash` is a hash returned by `git signify raw sign`.

### Why, we have GnuPG

GPG sucks.