Harness the power of signify(1) to sign arbitrary git objects
update readme

+32 -33
README.md
··· 4 4 5 5 ## Generating keys 6 6 7 - Signing keys can be generated with [`signify`](https://man.openbsd.org/signify.1), 8 - from the OpenBSD project. 7 + Signing keys can be generated with [`signify`], from the OpenBSD project. 9 8 10 9 ``` 11 10 $ signify -G -p newkey.pub -s newkey.sec ··· 14 13 If you do not wish to encrypt your keys, pass the `-n` flag to the 15 14 command line of `signify`. 16 15 16 + Alternatively, [`minisign`] keys may also be used. This project provides 17 + a more portable alternative to [`signify`]. 18 + 19 + ``` 20 + $ minisign -G -p newkey.pub -s newkey.sec 21 + ``` 22 + 23 + `git-signify` always assumes that [`minisign`] keys are encrypted, 24 + albeit the CLI tool allows generating non-encrypted keys. 25 + 26 + [`signify`]: https://man.openbsd.org/signify.1 27 + [`minisign`]: https://github.com/jedisct1/minisign 28 + 17 29 ## Basic usage 18 30 19 31 This program keeps track of signatures made by a keypair with a given ··· 31 43 ``` 32 44 $ git pull --tags 33 45 $ git signify pull 34 - $ git signify verify -k <(curl -sfL https://gandas.us.to/keys/git.pub) v0.3.0 46 + $ git signify verify -k <(curl -sfL https://gandas.us.to/keys/git.pub) v0.7.0 47 + $ git signify verify -k <(curl -sfL https://gandas.us.to/keys/git_minisign.pub) v0.7.0 35 48 ``` 36 49 37 50 To sign git revisions, run something akin to: 38 51 39 52 ``` 40 - $ git signify sign -k <secret-key> v0.3.0 53 + $ git signify sign -k <secret-key> v0.7.0 41 54 ``` 42 55 43 56 ## In-depth ··· 48 61 following blobs: 49 62 50 63 ``` 51 - 100644 blob aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa object 64 + 100644 blob aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa algorithm 52 65 100644 blob bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb signature 66 + 100644 blob cccccccccccccccccccccccccccccccccccccccc version 53 67 ``` 54 68 55 - Where `object` stores the raw (20 byte) object id of some git object 56 - to be signed, and `signature` stores the signature over `object`. 
The 57 - tree's hash is returned by `git signify raw sign`. 69 + Another git object `object` may be present in the tree, if a signature 70 + over a blob or another tree is being made. This `object` is a pointer 71 + to the respective git object being signed over. On the other hand, 72 + `signature` contains the base64 encoded `signify` or `minisign` signature 73 + over the raw (20 byte) id of `object`. The remaining blobs, `version` and 74 + `algorithm`, represent the current version of the `git-signify` tree format 75 + and the algorithm (`minisign` or `signify`) being used, respectively. 58 76 59 - ### Storing signatures in tags 60 - 61 - To store signatures in tags, one must use the "raw" mode of `git-signify`. 62 - The raw flags supported by this program and their respective documentation 63 - can be checked by running the following commands: 64 - 65 - ``` 66 - $ git signify raw -h 67 - $ git signify raw sign -h 68 - $ git signify raw verify -h 69 - ``` 70 - 71 - The suggested approach to store signatures in tags is the following: 72 - 73 - ``` 74 - $ SIGNATURE_TREE=$(git signify raw sign -k $SECRET_KEY $OBJECT_TO_SIGN) 75 - $ SIGNATURE_COMMIT=$(git commit-tree $SIGNATURE_TREE -m Signature) 76 - $ git tag signature-$OBJECT_TO_SIGN $SIGNATURE_COMMIT 77 - $ git push --tags 78 - ``` 79 - 80 - Verification can then be done with: 77 + The tree is then committed along with a potential parent, which is the commit 78 + hash being signed over, if any. The resulting commit's hash is returned by 79 + `git signify raw sign`. 81 80 82 - ``` 83 - $ git signify raw verify -p -k $PUBLIC_KEY $SIGNATURE_COMMIT^{tree} 84 - ``` 81 + Signatures end up in `refs/signify/signatures/${key_fingerprint}/${sig_hash}`, 82 + where `$key_fingerprint` can be computed by `git signify fingerprint`, and 83 + `$sig_hash` is a hash returned by `git signify raw sign`.
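Review bot: the added minisign paragraph ("`git-signify` always assumes that [`minisign`] keys are encrypted, albeit the CLI tool allows generating non-encrypted keys") states an assumption without saying what happens when it is violated; since the signify paragraph directly above documents `-n` for unencrypted keys, a reader may try the same with minisign. State the observable behaviour (a refusal with an error, or a failed passphrase prompt) and recommend keeping the secret key encrypted for both tools. Also, "albeit" should read "even though".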
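Review bot: the two new verify lines fetch the public key with `<(curl -sfL https://gandas.us.to/keys/git.pub)` at verification time, so the trust anchor is whatever the server (or any redirect, given `-L`) returns on that run, and `-f` turns an HTTP error into an empty key file and an opaque verify failure. Suggest documenting saving the key once, checking it with `git signify fingerprint` (introduced later in this README), and passing the local path to `-k`. Say also whether both verify commands must succeed or either one suffices; they are listed one after another with no explanation.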
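Review bot: the new tree listing shows only `algorithm`, `signature` and `version`, while the paragraph below says `object` "may be present" and that `signature` is over the raw id of `object`; for the commit case (where the signed commit is the parent, per the following paragraph) the text never says what bytes are signed. Show `object` in the listing as optional and state that, when it is absent, the signature covers the parent commit's id. Because the signature covers only a 20-byte id, `version` and `algorithm` are not authenticated; document whether `verify` checks them against the supplied key's format. "(20 byte)" also assumes SHA-1 object names; SHA-256 repositories use 32-byte ids. Finally, removing "Storing signatures in tags" removes the only example of `git signify raw verify`; with `raw sign` now returning a commit hash rather than a tree, add one line showing what `raw verify` expects (the commit, its tree, or the `refs/signify/signatures/...` ref).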