Harness the power of signify(1) to sign arbitrary git objects

update readme

+51 -22
README.md
··· 2 2 3 3 A tool to sign arbitrary objects in a git repository. 4 4 5 - ## Brief overview of how it works 5 + ## Generating keys 6 + 7 + Signing keys can be generated with [`signify`](https://man.openbsd.org/signify.1), 8 + from the OpenBSD project. 9 + 10 + ``` 11 + $ signify -G -p newkey.pub -s newkey.sec 12 + ``` 13 + 14 + If you do not wish to encrypt your keys, pass the `-n` flag to the 15 + command line of `signify`. 16 + 17 + ## Basic usage 18 + 19 + This program keeps track of signatures made by a keypair with a given 20 + fingerprint as git references. References can be fetched from and 21 + pushed to a remote. 22 + 23 + ``` 24 + $ git signify pull origin 25 + $ git signify push origin 26 + ``` 27 + 28 + Verification can be done with `git signify verify`. For example, to 29 + verify a release of `git-signify` itself: 30 + 31 + ``` 32 + $ git pull --tags 33 + $ git signify pull 34 + $ git signify verify -k keys/releases.pub v0.3.0 35 + ``` 36 + 37 + To sign git revisions, run something akin to: 38 + 39 + ``` 40 + $ git signify sign -k <secret-key> v0.3.0 41 + ``` 42 + 43 + ## In-depth 44 + 45 + ### Brief overview of this program works 6 46 7 - This tool writes a tree object to some git repository containing the 47 + `git-signify` writes a tree object to some git repository containing the 8 48 following blobs: 9 49 10 50 ``` ··· 16 56 to be signed, and `signature` stores the signature over `object`. The 17 57 tree's hash is returned by `git signify sign`. 18 58 19 - ## Generating keys 20 - 21 - Signing keys can be generated with [`signify`](https://man.openbsd.org/signify.1), 22 - from the OpenBSD project. 23 - 24 - ``` 25 - $ signify -G -p newkey.pub -s newkey.sec 26 - ``` 27 - 28 - If you do not wish to encrypt your keys, pass the `-n` flag to the 29 - command line of `signify`. 
59 + ### Storing signatures in tags 30 60 31 - ## Usage 32 - 33 - The flags supported by this program and their respective documentation can 34 - be checked by running the following commands: 61 + To store signatures in tags, one must use the "raw" mode of `git-signify`. 62 + The raw flags supported by this program and their respective documentation 63 + can be checked by running the following commands: 35 64 36 65 ``` 37 - $ git signify -h 38 - $ git signify sign -h 39 - $ git signify verify -h 66 + $ git signify raw -h 67 + $ git signify raw sign -h 68 + $ git signify raw verify -h 40 69 ``` 41 70 42 - To push signatures to a remote, the suggested approach is the following: 71 + The suggested approach to store signatures in tags is the following: 43 72 44 73 ``` 45 74 $ SIGNATURE_TREE=$(git signify sign -k $SECRET_KEY $OBJECT_TO_SIGN) ··· 51 80 Verification can then be done with: 52 81 53 82 ``` 54 - $ git signify verify -p -k $PUBLIC_KEY $SIGNATURE_COMMIT^{tree} 83 + $ git signify raw verify -p -k $PUBLIC_KEY $SIGNATURE_COMMIT^{tree} 55 84 ```
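Review bot: the two `pull` examples in the new "Basic usage" section are inconsistent: the first shows `git signify pull origin` with an explicit remote, while the release-verification example runs `git signify pull` with no remote at all. Either state that the remote defaults to `origin` when omitted, or pass it explicitly in the second example so both work as shown. Also, the new heading `### Brief overview of this program works` is missing a word; it should read `### Brief overview of how this program works`.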
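Review bot: the "Storing signatures in tags" section now says raw mode must be used and the verification line was updated to `git signify raw verify -p -k $PUBLIC_KEY $SIGNATURE_COMMIT^{tree}`, but the unchanged signing line in the same recipe still reads `SIGNATURE_TREE=$(git signify sign -k $SECRET_KEY $OBJECT_TO_SIGN)`. If the tree-producing command in raw mode is `git signify raw sign`, update that line to match (the help commands listed just above it are all `git signify raw ...`); if plain `sign` is still correct here, add a sentence saying so, since a reader following the section's own instruction would otherwise expect `raw sign`.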