Attestation signatures in a separate ref

Attestation signatures in a separate ref

[Konstantin Ryabitsev]

Hello:

While I was working on the minimalist feed stuff [1], it occurred to me 
that even though we may sign each commit, someone would still need to 
clone the entire repository to perform verification. What if instead of 
(or in addition to ) signing each commit in master, we have a separate ref
containing just PGP-signed metadata of each message.

refs/heads/master:m
  From: Foo Foo <foo@example.com>
  To: linux-kernel@vger.kernel.org
  Message-Id: <git-foo-bar@foo-bar.local>
  Date: Fri, 7 Feb 2020 13:43:34 -0500
  Subject: [PATCH] add foo to bar

  We need bar in foo!

  Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
  ---
   foo | 1 +
   1 file changed, 1 insertion(+)

  diff --git a/foo b/foo
  index 257cc56..3bd1f0e 100644
  --- a/foo
  +++ b/foo
  @@ -1 +1,2 @@
   foo
  +bar
  --
  2.24.1

refs/heads/mailinfo:m
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA256

  Message-Id: git-foo-bar@foo-bar.local
  Full-SHA256: 2da2c0088c380f4cc5bf7bfdc75cb02b67ff806b712c42ea325ca33dffa57a7f
  Message-SHA256: 31838769c24277114191c9595fe5ffc619a22f892a23c6812d090d2cac13e1dc
  Patch-SHA256: 3ea940267d098d3e4d87d5475403197006956ea9fcbb9d84f37aa804c6cd8943
  -----BEGIN PGP SIGNATURE-----

  iHUEARYIAB0WIQR2vl2yUnHhSB5njDW2xBzjVmSZbAUCXj22ZAAKCRC2xBzjVmSZ
  ....
  0SJaB7csojQUzZBzX1Ntx9F+OzNy8gY=
  =lvaU
  -----END PGP SIGNATURE-----

Full-SHA256 contains verbatim contents of master:m, while 
Message/Patch-SHA256 contains the "msg" and "patch" output of "git 
mailinfo". Separating it this way would allow someone to verify the 
contents of a message even if it has been modified to remove headers or 
mime-parts, e.g. for the purposes of creating a "git am" friendly mbox 
file.

The alternative is making these notes on the commits, but I believe that 
has important scaling impacts.

What do you think?

-K

Re: Attestation signatures in a separate ref

[Eric Wong]

Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
> Hello:
> 
> While I was working on the minimalist feed stuff [1], it occurred to me 

[1] being:
https://public-inbox.org/meta/20200121222924.ioz5ve2sg65zcuoy@chatter.i7.local/

> that even though we may sign each commit, someone would still need to 
> clone the entire repository to perform verification. What if instead of 
> (or in addition to ) signing each commit in master, we have a separate ref
> containing just PGP-signed metadata of each message.

Seems like it could work if the indexer could be made to pick
the signature blob out quickly by Message-ID w/o having to
scan the full history.

One advantage this has is a developer could perform the
signature after-the-fact on a secure machine; while initially
developing and sending patches from a machine they don't trust.

> refs/heads/master:m
>   From: Foo Foo <foo@example.com>
>   To: linux-kernel@vger.kernel.org
>   Message-Id: <git-foo-bar@foo-bar.local>
>   Date: Fri, 7 Feb 2020 13:43:34 -0500
>   Subject: [PATCH] add foo to bar
> 
>   We need bar in foo!
> 
>   Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
>   ---
>    foo | 1 +
>    1 file changed, 1 insertion(+)
> 
>   diff --git a/foo b/foo
>   index 257cc56..3bd1f0e 100644
>   --- a/foo
>   +++ b/foo
>   @@ -1 +1,2 @@
>    foo
>   +bar
>   --
>   2.24.1
> 
> refs/heads/mailinfo:m
>   -----BEGIN PGP SIGNED MESSAGE-----
>   Hash: SHA256
> 
>   Message-Id: git-foo-bar@foo-bar.local
>   Full-SHA256: 2da2c0088c380f4cc5bf7bfdc75cb02b67ff806b712c42ea325ca33dffa57a7f
>   Message-SHA256: 31838769c24277114191c9595fe5ffc619a22f892a23c6812d090d2cac13e1dc
>   Patch-SHA256: 3ea940267d098d3e4d87d5475403197006956ea9fcbb9d84f37aa804c6cd8943
>   -----BEGIN PGP SIGNATURE-----
> 
>   iHUEARYIAB0WIQR2vl2yUnHhSB5njDW2xBzjVmSZbAUCXj22ZAAKCRC2xBzjVmSZ
>   ....
>   0SJaB7csojQUzZBzX1Ntx9F+OzNy8gY=
>   =lvaU
>   -----END PGP SIGNATURE-----
> 
> Full-SHA256 contains verbatim contents of master:m, while 
> Message/Patch-SHA256 contains the "msg" and "patch" output of "git 
> mailinfo". Separating it this way would allow someone to verify the 
> contents of a message even if it has been modified to remove headers or 
> mime-parts, e.g. for the purposes of creating a "git am" friendly mbox 
> file.

I'm not sure if Full-SHA256 is worthwhile.  Message-SHA256 could
include From/Date/Subject (e.g. the stdout of git-mailinfo) and
that'd be all the info necessary.

If anything, the git blob OID should be there instead of
Full-SHA256.  Having the git blob OID would make verifying the
full history of signatures possible w/o having to build a
Message-ID-based indexer (but they'd still need a full clone).

> The alternative is making these notes on the commits, but I believe that 
> has important scaling impacts.

git's also looking to get reftable support to make notes more
scalable, but a bunch of similar proposals haven't worked out
over the years, so far...  But notes would also interact badly
with -edit and -purge rewriting history.

> What do you think?

Seems doable, but then again hardly any kernel developers sign
stuff.  Maybe improving UI/UX can change that, I don't know...