* Attestation signatures in a separate ref
@ 2020-02-07 19:48 Konstantin Ryabitsev
2020-02-08 0:49 ` Eric Wong
0 siblings, 1 reply; 2+ messages in thread
From: Konstantin Ryabitsev @ 2020-02-07 19:48 UTC (permalink / raw)
To: meta
Hello:
While I was working on the minimalist feed stuff [1], it occurred to me
that even though we may sign each commit, someone would still need to
clone the entire repository to perform verification. What if instead of
(or in addition to ) signing each commit in master, we have a separate ref
containing just PGP-signed metadata of each message.
refs/heads/master:m
From: Foo Foo <foo@example.com>
To: linux-kernel@vger.kernel.org
Message-Id: <git-foo-bar@foo-bar.local>
Date: Fri, 7 Feb 2020 13:43:34 -0500
Subject: [PATCH] add foo to bar
We need bar in foo!
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
---
foo | 1 +
1 file changed, 1 insertion(+)
diff --git a/foo b/foo
index 257cc56..3bd1f0e 100644
--- a/foo
+++ b/foo
@@ -1 +1,2 @@
foo
+bar
--
2.24.1
refs/heads/mailinfo:m
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Message-Id: git-foo-bar@foo-bar.local
Full-SHA256: 2da2c0088c380f4cc5bf7bfdc75cb02b67ff806b712c42ea325ca33dffa57a7f
Message-SHA256: 31838769c24277114191c9595fe5ffc619a22f892a23c6812d090d2cac13e1dc
Patch-SHA256: 3ea940267d098d3e4d87d5475403197006956ea9fcbb9d84f37aa804c6cd8943
-----BEGIN PGP SIGNATURE-----
iHUEARYIAB0WIQR2vl2yUnHhSB5njDW2xBzjVmSZbAUCXj22ZAAKCRC2xBzjVmSZ
....
0SJaB7csojQUzZBzX1Ntx9F+OzNy8gY=
=lvaU
-----END PGP SIGNATURE-----
Full-SHA256 contains verbatim contents of master:m, while
Message/Patch-SHA256 contains the "msg" and "patch" output of "git
mailinfo". Separating it this way would allow someone to verify the
contents of a message even if it has been modified to remove headers or
mime-parts, e.g. for the purposes of creating a "git am" friendly mbox
file.
The alternative is making these notes on the commits, but I believe that
has important scaling impacts.
What do you think?
-K
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Attestation signatures in a separate ref
2020-02-07 19:48 Attestation signatures in a separate ref Konstantin Ryabitsev
@ 2020-02-08 0:49 ` Eric Wong
0 siblings, 0 replies; 2+ messages in thread
From: Eric Wong @ 2020-02-08 0:49 UTC (permalink / raw)
To: Konstantin Ryabitsev; +Cc: meta
Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
> Hello:
>
> While I was working on the minimalist feed stuff [1], it occurred to me
[1] being:
https://public-inbox.org/meta/20200121222924.ioz5ve2sg65zcuoy@chatter.i7.local/
> that even though we may sign each commit, someone would still need to
> clone the entire repository to perform verification. What if instead of
> (or in addition to ) signing each commit in master, we have a separate ref
> containing just PGP-signed metadata of each message.
Seems like it could work if the indexer could be made to pick
the signature blob out quickly by Message-ID w/o having to
scan the full history.
One advantage this has is a developer could perform the
signature after-the-fact on a secure machine; while initially
developing and sending patches from a machine they don't trust.
> refs/heads/master:m
> From: Foo Foo <foo@example.com>
> To: linux-kernel@vger.kernel.org
> Message-Id: <git-foo-bar@foo-bar.local>
> Date: Fri, 7 Feb 2020 13:43:34 -0500
> Subject: [PATCH] add foo to bar
>
> We need bar in foo!
>
> Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
> ---
> foo | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/foo b/foo
> index 257cc56..3bd1f0e 100644
> --- a/foo
> +++ b/foo
> @@ -1 +1,2 @@
> foo
> +bar
> --
> 2.24.1
>
> refs/heads/mailinfo:m
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Message-Id: git-foo-bar@foo-bar.local
> Full-SHA256: 2da2c0088c380f4cc5bf7bfdc75cb02b67ff806b712c42ea325ca33dffa57a7f
> Message-SHA256: 31838769c24277114191c9595fe5ffc619a22f892a23c6812d090d2cac13e1dc
> Patch-SHA256: 3ea940267d098d3e4d87d5475403197006956ea9fcbb9d84f37aa804c6cd8943
> -----BEGIN PGP SIGNATURE-----
>
> iHUEARYIAB0WIQR2vl2yUnHhSB5njDW2xBzjVmSZbAUCXj22ZAAKCRC2xBzjVmSZ
> ....
> 0SJaB7csojQUzZBzX1Ntx9F+OzNy8gY=
> =lvaU
> -----END PGP SIGNATURE-----
>
> Full-SHA256 contains verbatim contents of master:m, while
> Message/Patch-SHA256 contains the "msg" and "patch" output of "git
> mailinfo". Separating it this way would allow someone to verify the
> contents of a message even if it has been modified to remove headers or
> mime-parts, e.g. for the purposes of creating a "git am" friendly mbox
> file.
I'm not sure if Full-SHA256 is worthwhile. Message-SHA256 could
include From/Date/Subject (e.g. the stdout of git-mailinfo) and
that'd be all the info necessary.
If anything, the git blob OID should be there instead of
Full-SHA256. Having the git blob OID would make verifying the
full history of signatures possible w/o having to build a
Message-ID-based indexer (but they'd still need a full clone).
> The alternative is making these notes on the commits, but I believe that
> has important scaling impacts.
git's also looking to get reftable support to make notes more
scalable, but a bunch of similar proposals haven't worked out
over the years, so far... But notes would also interact badly
with -edit and -purge rewriting history.
> What do you think?
Seems doable, but then again hardly any kernel developers sign
stuff. Maybe improving UI/UX can change that, I don't know...
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-02-08 0:49 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-07 19:48 Attestation signatures in a separate ref Konstantin Ryabitsev
2020-02-08 0:49 ` Eric Wong
Code repositories for project(s) associated with this public inbox
https://80x24.org/public-inbox.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).