* send PGP signed commits/patches with git-send-email(1)
From: Alejandro Colomar @ 2022-06-17 10:24 UTC
To: Git Mailing List; +Cc: Greg KH

Hi,

In Kernel Recipes this month [1], Greg mentioned that
git-send-email(1) could be used together with gpg(1) to verify
authenticity of the sender.

I couldn't find any documentation about it, and if I create a patch
from a commit that was signed (-S), the PGP signature is not part of
the patch.

So, is there a way to PGP-authenticate patches?
If not, could this be added to git(1)?

$ git --version
git version 2.36.1

Thanks,

Alex


[1]: <https://www.youtube.com/watch?v=nhJqaZT94z0>

 - Start of thread Q&A in 1:56:30.
 - Greg's answer starts in 1:56:57
 - Specific git-send-email(1) part in 1:57:50

--
Alejandro Colomar
<http://www.alejandro-colomar.es/>

* Re: send PGP signed commits/patches with git-send-email(1)
From: Fabian Stelzer @ 2022-06-17 12:00 UTC
To: Alejandro Colomar; +Cc: Git Mailing List, Greg KH, Konstantin Ryabitsev

On 17.06.2022 12:24, Alejandro Colomar wrote:
>Hi,
>
>In Kernel Recipes this month [1], Greg mentioned that
>git-send-email(1) could be used together with gpg(1) to verify
>authenticity of the sender.

I think he is talking about GPG signing the email containing the patch
and is not referring to git commit signing. Using GPG to sign your whole
email adds trust to a whole lot more than just the sent patch. It can
verify the authenticity of the sender, and all the rest of the email's
content and follow-up discussions / review.

Including the commit's signature in the email might have some benefit but
I'm not sure about how much. It could decouple the trust of the patch's
integrity of the transport used to publish it. For example you could
forward / copy a patch and the recipient could still verify the original
author's signature.

Konstantin Ryabitsev has done some work in this area especially for kernel
development by using email headers:
https://people.kernel.org/monsieuricon/end-to-end-patch-attestation-with-patatt-and-b4
https://github.com/mricon/patatt

>
>I couldn't find any documentation about it, and if I create a patch
>from a commit that was signed (-S), the PGP signature is not part of
>the patch.
>
>So, is there a way to PGP-authenticate patches?
>If not, could this be added to git(1)?
>
>$ git --version
>git version 2.36.1
>
>Thanks,
>
>Alex
>
>
>[1]: <https://www.youtube.com/watch?v=nhJqaZT94z0>
>
> - Start of thread Q&A in 1:56:30.
> - Greg's answer starts in 1:56:57
> - Specific git-send-email(1) part in 1:57:50
>
>--
>Alejandro Colomar
><http://www.alejandro-colomar.es/>

* Re: send PGP signed commits/patches with git-send-email(1)
From: Konstantin Ryabitsev @ 2022-06-17 12:12 UTC
To: Fabian Stelzer; +Cc: Alejandro Colomar, Git Mailing List, Greg KH

On Fri, Jun 17, 2022 at 02:00:16PM +0200, Fabian Stelzer wrote:
> Konstantin Ryabitsev has done some work in this area especially for kernel
> development by using email headers:
> https://people.kernel.org/monsieuricon/end-to-end-patch-attestation-with-patatt-and-b4
> https://github.com/mricon/patatt

Greg refers specifically to patatt signatures. They aren't really specific to
kernel development at all -- they can be used for any patches sent via mail.

b4 (the tool used by many maintainers to retrieve patches from lists) will
check patatt-style signatures (in addition to DKIM signatures) to help verify
that the patches come from trusted sources and aren't someone pretending to be
someone else.

-K

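An added example, not part of the thread and not code from patatt or b4: a structural triage of the attestation headers a received patch carries, as a maintainer might run before any cryptographic check. The header names X-Developer-Signature and X-Developer-Key and their DKIM-style tag layout are taken from patatt's documentation as understood here, not from this thread; the REQUIRED policy and all sample messages are assumptions constructed for the example, and no signature is verified.

```python
from email import message_from_string
from email.utils import parseaddr

REQUIRED = {"from", "subject"}  # assumed local policy: headers a signature must cover

# Constructed messages; every hash, key and signature value is a placeholder.
GOOD = (
    "From: Dev <dev@example.org>\n"
    "Subject: [PATCH] example\n"
    "X-Developer-Signature: v=1; a=ed25519-sha256; t=1655800000; l=11;\n"
    " h=from:subject; bh=BODYHASHPLACEHOLDER=; b=SIGPLACEHOLDER==\n"
    "X-Developer-Key: i=dev@example.org; a=ed25519; pk=KEYPLACEHOLDER=\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=mail; h=from; b=PLACEHOLDER=\n"
    "\npatch body\n"
)
MISMATCH = GOOD.replace("From: Dev <dev@example.org>", "From: Dev <dev@example.net>")
BARE = "From: Dev <dev@example.org>\nSubject: [PATCH] example\n\npatch body\n"

def parse_tags(value):
    """Split a DKIM-style 'tag=value; tag=value' header into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def triage(raw):
    """Report which attestation headers a message carries. Verifies no signature."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    keys = [parse_tags(v) for v in msg.get_all("X-Developer-Key", [])]
    report = {"identities": [], "dkim_domains": [], "issues": []}
    for value in msg.get_all("X-Developer-Signature", []):
        sig = parse_tags(value)
        algo = sig.get("a", "").split("-")[0]  # e.g. ed25519-sha256 -> ed25519
        key = next((k for k in keys if k.get("a") == algo), {})
        identity = key.get("i", "").lower()
        report["identities"].append(identity)
        missing = REQUIRED - set(sig.get("h", "").lower().split(":"))
        if missing:
            report["issues"].append("not covered by signature: " + ",".join(sorted(missing)))
        if not (sig.get("bh") and sig.get("b")):
            report["issues"].append("signature lacks bh= or b=")
        if identity != sender:
            report["issues"].append(f"key identity {identity!r} differs from From {sender!r}")
    for value in msg.get_all("DKIM-Signature", []):
        report["dkim_domains"].append(parse_tags(value).get("d"))
    if not report["identities"]:
        report["issues"].append("no developer attestation header")
    return report
```

A clean report here only means the headers are present and well-formed; whether the signature is valid and the key is trusted is what patatt and b4 decide.
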
* Re: send PGP signed commits/patches with git-send-email(1)
From: Greg KH @ 2022-06-21 11:16 UTC
To: Fabian Stelzer, Alejandro Colomar, Git Mailing List; +Cc: Konstantin Ryabitsev

On Fri, Jun 17, 2022 at 08:12:12AM -0400, Konstantin Ryabitsev wrote:
> On Fri, Jun 17, 2022 at 02:00:16PM +0200, Fabian Stelzer wrote:
> > Konstantin Ryabitsev has done some work in this area especially for kernel
> > development by using email headers:
> > https://people.kernel.org/monsieuricon/end-to-end-patch-attestation-with-patatt-and-b4
> > https://github.com/mricon/patatt
>
> Greg refers specifically to patatt signatures. They aren't really specific to
> kernel development at all -- they can be used for any patches sent via mail.
>
> b4 (the tool used by many maintainers to retrieve patches from lists) will
> check patatt-style signatures (in addition to DKIM signatures) to help verify
> that the patches come from trusted sources and aren't someone pretending to be
> someone else.

Yes, I was referring to patatt here, as linked by Konstantin's blog post
above. It's part of the b4 tool (well, a git subproject in it), real
link is at:
	https://git.kernel.org/pub/scm/utils/patatt/patatt.git

thanks,

greg k-h

* Re: send PGP signed commits/patches with git-send-email(1)
From: Alejandro Colomar @ 2022-06-21 11:34 UTC
To: Greg KH, Konstantin Ryabitsev, Fabian Stelzer; +Cc: Git Mailing List

Hi!

On 6/21/22 13:16, Greg KH wrote:
> On Fri, Jun 17, 2022 at 08:12:12AM -0400, Konstantin Ryabitsev wrote:
>> On Fri, Jun 17, 2022 at 02:00:16PM +0200, Fabian Stelzer wrote:
>>> Konstantin Ryabitsev has done some work in this area especially for kernel
>>> development by using email headers:
>>> https://people.kernel.org/monsieuricon/end-to-end-patch-attestation-with-patatt-and-b4
>>> https://github.com/mricon/patatt
>>
>> Greg refers specifically to patatt signatures. They aren't really specific to
>> kernel development at all -- they can be used for any patches sent via mail.
>>
>> b4 (the tool used by many maintainers to retrieve patches from lists) will
>> check patatt-style signatures (in addition to DKIM signatures) to help verify
>> that the patches come from trusted sources and aren't someone pretending to be
>> someone else.
>
> Yes, I was referring to patatt here, as linked by Konstantin's blog post
> above. It's part of the b4 tool (well, a git subproject in it), real
> link is at:
> 	https://git.kernel.org/pub/scm/utils/patatt/patatt.git

Thank you all for the info.
It works like a charm (I still need to learn b4(1), but patatt(1) is enough
for me right now). :)

Cheers,

Alex

--
Alejandro Colomar
<http://www.alejandro-colomar.es/>

* Re: send PGP signed commits/patches with git-send-email(1)
From: Greg KH @ 2022-06-21 11:45 UTC
To: Alejandro Colomar; +Cc: Konstantin Ryabitsev, Fabian Stelzer, Git Mailing List

On Tue, Jun 21, 2022 at 01:34:01PM +0200, Alejandro Colomar wrote:
> Hi!
>
> On 6/21/22 13:16, Greg KH wrote:
> > On Fri, Jun 17, 2022 at 08:12:12AM -0400, Konstantin Ryabitsev wrote:
> > > On Fri, Jun 17, 2022 at 02:00:16PM +0200, Fabian Stelzer wrote:
> > > > Konstantin Ryabitsev has done some work in this area especially for kernel
> > > > development by using email headers:
> > > > https://people.kernel.org/monsieuricon/end-to-end-patch-attestation-with-patatt-and-b4
> > > > https://github.com/mricon/patatt
> > >
> > > Greg refers specifically to patatt signatures. They aren't really specific to
> > > kernel development at all -- they can be used for any patches sent via mail.
> > >
> > > b4 (the tool used by many maintainers to retrieve patches from lists) will
> > > check patatt-style signatures (in addition to DKIM signatures) to help verify
> > > that the patches come from trusted sources and aren't someone pretending to be
> > > someone else.
> >
> > Yes, I was referring to patatt here, as linked by Konstantin's blog post
> > above. It's part of the b4 tool (well, a git subproject in it), real
> > link is at:
> > 	https://git.kernel.org/pub/scm/utils/patatt/patatt.git
>
> Thank you all for the info.
> It works like a charm (I still need to learn b4(1), but patatt(1) is enough
> for me right now). :)

They are independent, patatt I use when sending patches, b4 I use when
accepting patches. If you never have to accept patches, and read the
mailing lists using the normal way, no need to use b4.

thanks,

greg k-h

* Re: send PGP signed commits/patches with git-send-email(1)
From: Alejandro Colomar @ 2022-06-21 11:47 UTC
To: Greg KH; +Cc: Konstantin Ryabitsev, Fabian Stelzer, Git Mailing List

Hi Greg,

On 6/21/22 13:45, Greg KH wrote:
> On Tue, Jun 21, 2022 at 01:34:01PM +0200, Alejandro Colomar wrote:
>> Hi!
>>
>> On 6/21/22 13:16, Greg KH wrote:
>>> On Fri, Jun 17, 2022 at 08:12:12AM -0400, Konstantin Ryabitsev wrote:
>>>> On Fri, Jun 17, 2022 at 02:00:16PM +0200, Fabian Stelzer wrote:
>>>>> Konstantin Ryabitsev has done some work in this area especially for kernel
>>>>> development by using email headers:
>>>>> https://people.kernel.org/monsieuricon/end-to-end-patch-attestation-with-patatt-and-b4
>>>>> https://github.com/mricon/patatt
>>>>
>>>> Greg refers specifically to patatt signatures. They aren't really specific to
>>>> kernel development at all -- they can be used for any patches sent via mail.
>>>>
>>>> b4 (the tool used by many maintainers to retrieve patches from lists) will
>>>> check patatt-style signatures (in addition to DKIM signatures) to help verify
>>>> that the patches come from trusted sources and aren't someone pretending to be
>>>> someone else.
>>>
>>> Yes, I was referring to patatt here, as linked by Konstantin's blog post
>>> above. It's part of the b4 tool (well, a git subproject in it), real
>>> link is at:
>>> 	https://git.kernel.org/pub/scm/utils/patatt/patatt.git
>>
>> Thank you all for the info.
>> It works like a charm (I still need to learn b4(1), but patatt(1) is enough
>> for me right now). :)
>
> They are independent, patatt I use when sending patches, b4 I use when
> accepting patches. If you never have to accept patches, and read the
> mailing lists using the normal way, no need to use b4.

Oh, I do need to accept patches, for the man-pages :)
But for now, the traffic isn't so high as to need to learn b4(1).
But yes, I would like to learn a bit more about it to simplify some things.

Cheers,

Alex

--
Alejandro Colomar
<http://www.alejandro-colomar.es/>