Harness the power of signify(1) to sign arbitrary git objects

improve readme

+45 -1
README.md
··· 2 2 3 3 A tool to sign arbitrary objects in a git repository. 4 4 5 + ## Brief overview of how it works 6 + 7 + This tool writes a tree object to some git repository containing the 8 + following blobs: 9 + 10 + ``` 11 + 100644 blob aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa object 12 + 100644 blob bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb signature 13 + ``` 14 + 15 + Where `object` stores the raw (20 byte) object id of some git object 16 + to be signed, and `signature` stores the signature over `object`. The 17 + tree's hash is returned by `git signify sign`. 18 + 19 + ## Generating keys 20 + 21 + Signing keys can be generated with [`signify`](https://man.openbsd.org/signify.1), 22 + from the OpenBSD project. 23 + 24 + ``` 25 + $ signify -G -p newkey.pub -s newkey.sec 26 + ``` 27 + 28 + If you do not wish to encrypt your keys, pass the `-n` flag to the 29 + command line of `signify`. 30 + 5 31 ## Usage 32 + 33 + The flags supported by this program and their respective documentation can 34 + be checked by running the following commands: 6 35 7 36 ``` 8 37 $ git signify -h 38 + $ git signify sign -h 39 + $ git signify verify -h 9 40 ``` 10 41 11 - Keys can be generated with [`signify`](https://man.openbsd.org/signify.1). 42 + To push signatures to a remote, the suggested approach is the following: 43 + 44 + ``` 45 + $ SIGNATURE_TREE=$(git signify sign -k $SECRET_KEY $OBJECT_TO_SIGN) 46 + $ SIGNATURE_COMMIT=$(git commit-tree $SIGNATURE_TREE -m Signature) 47 + $ git tag signature-$OBJECT_TO_SIGN $SIGNATURE_COMMIT 48 + $ git push --tags 49 + ``` 50 + 51 + Verification can then be done with: 52 + 53 + ``` 54 + $ git signify verify -p -k $PUBLIC_KEY $SIGNATURE_COMMIT^{tree} 55 + ```
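Review bot: the overview claims `object` stores "the raw (20 byte) object id", but 20 bytes holds only for SHA-1 repositories; a repository created with the SHA-256 object format has 32-byte ids, so this paragraph should either state that only SHA-1 repositories are supported or describe the blob as the raw binary object id in whatever hash the repository uses. The verification section shows only the command; it should also say what a successful `git signify verify` reports (in particular the id of the object that was signed) so the reader knows to compare it with the object they expected, since the tag name `signature-$OBJECT_TO_SIGN` is not itself covered by the signature. Style: the sentence "Where `object` stores ..." after the tree listing reads as a fragment; "The `object` blob stores ..." would be cleaner, and the shell snippets could use a tagged fence (```` ```sh ````) for highlighting.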