From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: "Bernhard E. Reiter" <bernhard.reiter@intevation.de>
Cc: git@vger.kernel.org, gnupg-devel@gnupg.org
Subject: Re: Stable GnuPG interface, git should use GPGME
Date: Sat, 11 Mar 2017 00:10:31 +0000 [thread overview]
Message-ID: <20170311001031.f5534omsrzkrzfzb@genre.crustytoothpaste.net> (raw)
In-Reply-To: <201703101100.15214.bernhard.reiter@intevation.de>
[-- Attachment #1: Type: text/plain, Size: 3122 bytes --]
On Fri, Mar 10, 2017 at 11:00:07AM +0100, Bernhard E. Reiter wrote:
> My use case today was signing and git by default found the `gpg` binary by
> default and the command failed. The reason is that I have `gpg2` installed
> and most applications use it right away. So git failed signing because
> the .gnupg configuration of the user was not ready for the old `gpg` which is
> still installed on Debian GNU/Linux for purposes of the operating system. If
> git would have used libgpgme, gpgme would have choosen the most uptodate
> version of `gpg` available (or configured) without me intervening via
> gpg.program. Now because of this problem you could adding a check for `gpg2`
> and fallback to `gpg`, but even better would be to move to libgpgme. >:)
There are a couple potential problems I see with this approach. First,
I'd want to know whether gpgme supports gpgsm, which I know some people
use to sign commits and tags.
Another issue is what happens to the git verify-* --raw output. Some
people want the ability to script signature verification. This can be
really important when you have automated systems verifying tags and
commits.
For example, running the following commands, we can determine that Junio
signs his tags with SHA-1 (algorithm 2), while I sign my commits with
SHA-512 (algorithm 10).
genre ok % git verify-tag --raw v2.12.0 2>&1 | grep VALIDSIG
[GNUPG:] VALIDSIG E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB 2017-02-24 1487962205 0 4 0 1 2 00 96E07AF25771955980DAD10020D04E5A713660A7
genre ok % git verify-commit --raw object-id-part10 2>&1 | grep VALIDSIG
[GNUPG:] VALIDSIG 5FC3A781776B26DF87F70C37BF535D811F52F68B 2017-03-06 1488760639 0 4 0 1 10 00 88ACE9B29196305BA9947552F1BA225C0223B187
There's literally no other way to get this information at the moment
(which is why I added the --raw option). A gpgme implementation would
need to expose this same information, at which point, we might as well
have used gpg directly.
This is not an idle consideration; we have automated systems at work
that update software automatically and submit it for human review,
including verifying signatures and hashes. This saves hundreds of hours
of staff time and results in better security.
Because the amount of the gpg API we actually use is very small, a user
who wants to use a custom signature program (say, OpenBSD's signify),
can actually write a simple wrapper that mimics it and use that instead.
Finally, I work on a development system where work is done both as an
unprivileged user and as root. Because I use the same socket for both,
GnuPG screams bloody murder that the permissions are wrong. I know this
is secure in my scenario, but without a custom wrapper, I have to deal
with GnuPG polluting my terminal every time I sign a commit or a tag. A
gpgme implementation would need to honor the same wrapper script or
otherwise not scream to the terminal.
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 868 bytes --]
next prev parent reply other threads:[~2017-03-11 0:10 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-10 10:00 Stable GnuPG interface, git should use GPGME Bernhard E. Reiter
2017-03-10 14:23 ` Ævar Arnfjörð Bjarmason
2017-03-13 10:14 ` Michael J Gruber
2017-03-13 12:49 ` Bernhard E. Reiter
2017-03-14 10:39 ` Michael J Gruber
2017-03-17 9:56 ` Bernhard E. Reiter
2017-03-22 17:15 ` Werner Koch
2017-03-22 18:46 ` Peter Lebbing
2017-03-23 6:52 ` Werner Koch
2017-03-23 7:29 ` Bernhard E. Reiter
2017-03-23 10:56 ` Werner Koch
2017-03-13 10:30 ` Bernhard Reiter
2017-03-10 18:54 ` Linus Torvalds
2017-03-10 20:26 ` Theodore Ts'o
2017-03-13 11:14 ` Bernhard E. Reiter
2017-03-13 12:53 ` Jeff King
2017-03-11 0:10 ` brian m. carlson [this message]
2017-03-13 12:29 ` Bernhard E. Reiter
2017-03-13 19:48 ` Christian Neukirchen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170311001031.f5534omsrzkrzfzb@genre.crustytoothpaste.net \
--to=sandals@crustytoothpaste.net \
--cc=bernhard.reiter@intevation.de \
--cc=git@vger.kernel.org \
--cc=gnupg-devel@gnupg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).