git@vger.kernel.org mailing list mirror (one of many)
* send PGP signed commits/patches with git-send-email(1)
@ 2022-06-17 10:24 Alejandro Colomar
  2022-06-17 12:00 ` Fabian Stelzer
  0 siblings, 1 reply; 7+ messages in thread
From: Alejandro Colomar @ 2022-06-17 10:24 UTC
  To: Git Mailing List; +Cc: Greg KH


Hi,

In Kernel Recipes this month [1], Greg mentioned that git-send-email(1) 
could be used together with gpg(1) to verify authenticity of the sender.

I couldn't find any documentation about it, and if I create a patch from 
a commit that was signed (-S), the PGP signature is not part of the patch.

So, is there a way to PGP-authenticate patches?
If not, could this be added to git(1)?

$ git --version
git version 2.36.1

Thanks,

Alex


[1]: <https://www.youtube.com/watch?v=nhJqaZT94z0>

      - Start of thread Q&A in 1:56:30.
      - Greg's answer starts in 1:56:57
      - Specific git-send-email(1) part in 1:57:50

-- 
Alejandro Colomar
<http://www.alejandro-colomar.es/>

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]


* Re: send PGP signed commits/patches with git-send-email(1)
  2022-06-17 10:24 send PGP signed commits/patches with git-send-email(1) Alejandro Colomar
@ 2022-06-17 12:00 ` Fabian Stelzer
  2022-06-17 12:12   ` Konstantin Ryabitsev
  0 siblings, 1 reply; 7+ messages in thread
From: Fabian Stelzer @ 2022-06-17 12:00 UTC
  To: Alejandro Colomar; +Cc: Git Mailing List, Greg KH, Konstantin Ryabitsev

On 17.06.2022 12:24, Alejandro Colomar wrote:
>Hi,
>
>In Kernel Recipes this month [1], Greg mentioned that 
>git-send-email(1) could be used together with gpg(1) to verify 
>authenticity of the sender.

I think he is talking about GPG signing the email containing the patch and 
is not referring to git commit signing.
Using GPG to sign your whole email adds trust to a whole lot more than just 
the sent patch. It can verify the authenticity of the sender, and all the 
rest of the email's content and follow-up discussions / review.

Including the commits signature in the email might have some benefit but I'm 
not sure about how much. It could decouple the trust of the patch's 
integrity from the transport used to publish it. For example, you could forward 
/ copy a patch and the recipient could still verify the original author's 
signature.

Konstantin Ryabitsev has done some work in this area especially for kernel 
development by using email headers:  
https://people.kernel.org/monsieuricon/end-to-end-patch-attestation-with-patatt-and-b4
https://github.com/mricon/patatt

>
>I couldn't find any documentation about it, and if I create a patch 
>from a commit that was signed (-S), the PGP signature is not part of 
>the patch.
>
>So, is there a way to PGP-authenticate patches?
>If not, could this be added to git(1)?
>
>$ git --version
>git version 2.36.1
>
>Thanks,
>
>Alex
>
>
>[1]: <https://www.youtube.com/watch?v=nhJqaZT94z0>
>
>     - Start of thread Q&A in 1:56:30.
>     - Greg's answer starts in 1:56:57
>     - Specific git-send-email(1) part in 1:57:50
>
>-- 
>Alejandro Colomar
><http://www.alejandro-colomar.es/>





* Re: send PGP signed commits/patches with git-send-email(1)
  2022-06-17 12:00 ` Fabian Stelzer
@ 2022-06-17 12:12   ` Konstantin Ryabitsev
  2022-06-21 11:16     ` Greg KH
  0 siblings, 1 reply; 7+ messages in thread
From: Konstantin Ryabitsev @ 2022-06-17 12:12 UTC
  To: Fabian Stelzer; +Cc: Alejandro Colomar, Git Mailing List, Greg KH

On Fri, Jun 17, 2022 at 02:00:16PM +0200, Fabian Stelzer wrote:
> Konstantin Ryabitsev has done some work in this area especially for kernel
> development by using email headers:
> https://people.kernel.org/monsieuricon/end-to-end-patch-attestation-with-patatt-and-b4
> https://github.com/mricon/patatt

Greg refers specifically to patatt signatures. They aren't really specific to
kernel development at all -- they can be used for any patches sent via mail.

b4 (the tool used by many maintainers to retrieve patches from lists) will
check patatt-style signatures (in addition to DKIM signatures) to help verify
that the patches come from trusted sources and aren't someone pretending to be
someone else.

-K


* Re: send PGP signed commits/patches with git-send-email(1)
  2022-06-17 12:12   ` Konstantin Ryabitsev
@ 2022-06-21 11:16     ` Greg KH
  2022-06-21 11:34       ` Alejandro Colomar
  0 siblings, 1 reply; 7+ messages in thread
From: Greg KH @ 2022-06-21 11:16 UTC
  To: Fabian Stelzer, Alejandro Colomar, Git Mailing List; +Cc: Konstantin Ryabitsev

On Fri, Jun 17, 2022 at 08:12:12AM -0400, Konstantin Ryabitsev wrote:
> On Fri, Jun 17, 2022 at 02:00:16PM +0200, Fabian Stelzer wrote:
> > Konstantin Ryabitsev has done some work in this area especially for kernel
> > development by using email headers:
> > https://people.kernel.org/monsieuricon/end-to-end-patch-attestation-with-patatt-and-b4
> > https://github.com/mricon/patatt
> 
> Greg refers specifically to patatt signatures. They aren't really specific to
> kernel development at all -- they can be used for any patches sent via mail.
> 
> b4 (the tool used by many maintainers to retrieve patches from lists) will
> check patatt-style signatures (in addition to DKIM signatures) to help verify
> that the patches come from trusted sources and aren't someone pretending to be
> someone else.

Yes, I was referring to patatt here, as linked by Konstantin's blog post
above.  It's part of the b4 tool (well, a git subproject in it), real
link is at:
	https://git.kernel.org/pub/scm/utils/patatt/patatt.git

thanks,

greg k-h


* Re: send PGP signed commits/patches with git-send-email(1)
  2022-06-21 11:16     ` Greg KH
@ 2022-06-21 11:34       ` Alejandro Colomar
  2022-06-21 11:45         ` Greg KH
  0 siblings, 1 reply; 7+ messages in thread
From: Alejandro Colomar @ 2022-06-21 11:34 UTC
  To: Greg KH, Konstantin Ryabitsev, Fabian Stelzer; +Cc: Git Mailing List


Hi!

On 6/21/22 13:16, Greg KH wrote:
> On Fri, Jun 17, 2022 at 08:12:12AM -0400, Konstantin Ryabitsev wrote:
>> On Fri, Jun 17, 2022 at 02:00:16PM +0200, Fabian Stelzer wrote:
>>> Konstantin Ryabitsev has done some work in this area especially for kernel
>>> development by using email headers:
>>> https://people.kernel.org/monsieuricon/end-to-end-patch-attestation-with-patatt-and-b4
>>> https://github.com/mricon/patatt
>>
>> Greg refers specifically to patatt signatures. They aren't really specific to
>> kernel development at all -- they can be used for any patches sent via mail.
>>
>> b4 (the tool used by many maintainers to retrieve patches from lists) will
>> check patatt-style signatures (in addition to DKIM signatures) to help verify
>> that the patches come from trusted sources and aren't someone pretending to be
>> someone else.
> 
> Yes, I was referring to patatt here, as linked by Konstantin's blog post
> above.  It's part of the b4 tool (well, a git subproject in it), real
> link is at:
> 	https://git.kernel.org/pub/scm/utils/patatt/patatt.git

Thank you all for the info.
It works like a charm (I still need to learn b4(1), but patatt(1) is 
enough for me right now). :)

Cheers,

Alex

-- 
Alejandro Colomar
<http://www.alejandro-colomar.es/>

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]


* Re: send PGP signed commits/patches with git-send-email(1)
  2022-06-21 11:34       ` Alejandro Colomar
@ 2022-06-21 11:45         ` Greg KH
  2022-06-21 11:47           ` Alejandro Colomar
  0 siblings, 1 reply; 7+ messages in thread
From: Greg KH @ 2022-06-21 11:45 UTC
  To: Alejandro Colomar; +Cc: Konstantin Ryabitsev, Fabian Stelzer, Git Mailing List

On Tue, Jun 21, 2022 at 01:34:01PM +0200, Alejandro Colomar wrote:
> Hi!
> 
> On 6/21/22 13:16, Greg KH wrote:
> > On Fri, Jun 17, 2022 at 08:12:12AM -0400, Konstantin Ryabitsev wrote:
> > > On Fri, Jun 17, 2022 at 02:00:16PM +0200, Fabian Stelzer wrote:
> > > > Konstantin Ryabitsev has done some work in this area especially for kernel
> > > > development by using email headers:
> > > > https://people.kernel.org/monsieuricon/end-to-end-patch-attestation-with-patatt-and-b4
> > > > https://github.com/mricon/patatt
> > > 
> > > Greg refers specifically to patatt signatures. They aren't really specific to
> > > kernel development at all -- they can be used for any patches sent via mail.
> > > 
> > > b4 (the tool used by many maintainers to retrieve patches from lists) will
> > > check patatt-style signatures (in addition to DKIM signatures) to help verify
> > > that the patches come from trusted sources and aren't someone pretending to be
> > > someone else.
> > 
> > Yes, I was referring to patatt here, as linked by Konstantin's blog post
> > above.  It's part of the b4 tool (well, a git subproject in it), real
> > link is at:
> > 	https://git.kernel.org/pub/scm/utils/patatt/patatt.git
> 
> Thank you all for the info.
> It works like charm (I still need to learn b4(1), but patatt(1) is enough
> for me right now). :)

They are independent, patatt I use when sending patches, b4 I use when
accepting patches.  If you never have to accept patches, and read the
mailing lists using the normal way, no need to use b4.

thanks,

greg k-h


* Re: send PGP signed commits/patches with git-send-email(1)
  2022-06-21 11:45         ` Greg KH
@ 2022-06-21 11:47           ` Alejandro Colomar
  0 siblings, 0 replies; 7+ messages in thread
From: Alejandro Colomar @ 2022-06-21 11:47 UTC
  To: Greg KH; +Cc: Konstantin Ryabitsev, Fabian Stelzer, Git Mailing List


Hi Greg,

On 6/21/22 13:45, Greg KH wrote:
> On Tue, Jun 21, 2022 at 01:34:01PM +0200, Alejandro Colomar wrote:
>> Hi!
>>
>> On 6/21/22 13:16, Greg KH wrote:
>>> On Fri, Jun 17, 2022 at 08:12:12AM -0400, Konstantin Ryabitsev wrote:
>>>> On Fri, Jun 17, 2022 at 02:00:16PM +0200, Fabian Stelzer wrote:
>>>>> Konstantin Ryabitsev has done some work in this area especially for kernel
>>>>> development by using email headers:
>>>>> https://people.kernel.org/monsieuricon/end-to-end-patch-attestation-with-patatt-and-b4
>>>>> https://github.com/mricon/patatt
>>>>
>>>> Greg refers specifically to patatt signatures. They aren't really specific to
>>>> kernel development at all -- they can be used for any patches sent via mail.
>>>>
>>>> b4 (the tool used by many maintainers to retrieve patches from lists) will
>>>> check patatt-style signatures (in addition to DKIM signatures) to help verify
>>>> that the patches come from trusted sources and aren't someone pretending to be
>>>> someone else.
>>>
>>> Yes, I was referring to patatt here, as linked by Konstantin's blog post
>>> above.  It's part of the b4 tool (well, a git subproject in it), real
>>> link is at:
>>> 	https://git.kernel.org/pub/scm/utils/patatt/patatt.git
>>
>> Thank you all for the info.
>> It works like charm (I still need to learn b4(1), but patatt(1) is enough
>> for me right now). :)
> 
> They are independent, patatt I use when sending patches, b4 I use when
> accepting patches.  If you never have to accept patches, and read the
> mailing lists using the normal way, no need to use b4.

Oh, I do need to accept patches, for the man-pages :)
But for now, the traffic isn't so high as to need to learn b4(1).
But yes, I would like to learn a bit more about it to simplify some things.

Cheers,

Alex


-- 
Alejandro Colomar
<http://www.alejandro-colomar.es/>

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
