From: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
To: meta@public-inbox.org
Subject: Attestation signatures in a separate ref
Date: Fri, 7 Feb 2020 14:48:41 -0500 [thread overview]
Message-ID: <20200207194841.yzd3oziv34vooiq5@chatter.i7.local> (raw)
Hello:
While I was working on the minimalist feed stuff [1], it occurred to me
that even though we may sign each commit, someone would still need to
clone the entire repository to perform verification. What if instead of
(or in addition to) signing each commit in master, we have a separate ref
containing just PGP-signed metadata of each message.
refs/heads/master:m
From: Foo Foo <foo@example.com>
To: linux-kernel@vger.kernel.org
Message-Id: <git-foo-bar@foo-bar.local>
Date: Fri, 7 Feb 2020 13:43:34 -0500
Subject: [PATCH] add foo to bar
We need bar in foo!
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
---
foo | 1 +
1 file changed, 1 insertion(+)
diff --git a/foo b/foo
index 257cc56..3bd1f0e 100644
--- a/foo
+++ b/foo
@@ -1 +1,2 @@
foo
+bar
--
2.24.1
refs/heads/mailinfo:m
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Message-Id: git-foo-bar@foo-bar.local
Full-SHA256: 2da2c0088c380f4cc5bf7bfdc75cb02b67ff806b712c42ea325ca33dffa57a7f
Message-SHA256: 31838769c24277114191c9595fe5ffc619a22f892a23c6812d090d2cac13e1dc
Patch-SHA256: 3ea940267d098d3e4d87d5475403197006956ea9fcbb9d84f37aa804c6cd8943
-----BEGIN PGP SIGNATURE-----
iHUEARYIAB0WIQR2vl2yUnHhSB5njDW2xBzjVmSZbAUCXj22ZAAKCRC2xBzjVmSZ
....
0SJaB7csojQUzZBzX1Ntx9F+OzNy8gY=
=lvaU
-----END PGP SIGNATURE-----
Full-SHA256 contains verbatim contents of master:m, while
Message/Patch-SHA256 contains the "msg" and "patch" output of "git
mailinfo". Separating it this way would allow someone to verify the
contents of a message even if it has been modified to remove headers or
mime-parts, e.g. for the purposes of creating a "git am" friendly mbox
file.
The alternative is making these notes on the commits, but I believe that
has important scaling impacts.
What do you think?
-K
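As an added illustration of the scheme above (not public-inbox's or the author's code): it builds the cleartext fields that would sit inside the PGP-signed block for a constructed sample message, then checks which hashes a rewritten copy still matches. The "git mailinfo" split is only approximated here, so the digests will not equal the ones quoted in the mail.

```python
# Added example, not part of the original mail. The sample message is
# constructed; mailinfo_split() only approximates what `git mailinfo` does.
import email
import hashlib

SAMPLE = b"""From: Foo Foo <foo@example.com>
To: linux-kernel@vger.kernel.org
Message-Id: <git-foo-bar@foo-bar.local>
Subject: [PATCH] add foo to bar

We need bar in foo!
---
diff --git a/foo b/foo
--- a/foo
+++ b/foo
@@ -1 +1,2 @@
 foo
+bar
-- 
2.24.1
"""

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def mailinfo_split(raw: bytes) -> tuple[bytes, bytes]:
    """Approximate `git mailinfo`: msg = body up to the bare '---', patch = rest up to '-- '."""
    _, _, body = raw.partition(b"\n\n")
    msg, patch, in_patch = [], [], False
    for line in body.split(b"\n"):
        if not in_patch and line == b"---":
            in_patch = True  # commit log ends, diff section begins
            continue
        if in_patch and line.rstrip() == b"--":
            break  # git format-patch signature, not part of the patch
        (patch if in_patch else msg).append(line)
    return (b"\n".join(msg).strip(b"\n") + b"\n",
            b"\n".join(patch).strip(b"\n") + b"\n")

def attestation_record(raw: bytes) -> dict[str, str]:
    """Cleartext fields that would go inside the PGP-signed block in mailinfo:m."""
    msg, patch = mailinfo_split(raw)
    mid = (email.message_from_bytes(raw)["Message-Id"] or "").strip("<>")
    return {"Message-Id": mid, "Full-SHA256": sha256(raw),
            "Message-SHA256": sha256(msg), "Patch-SHA256": sha256(patch)}

def check(record: dict[str, str], candidate: bytes) -> dict[str, bool]:
    """Report which attested hashes a (possibly rewritten) copy of the mail still matches."""
    now = attestation_record(candidate)
    return {k: record[k] == now[k] for k in record if k.endswith("SHA256")}
```

Dropping a header from the sample (as a "git am" friendly mbox might) makes Full-SHA256 fail while Message-SHA256 and Patch-SHA256 still verify; changing a diff line fails Patch-SHA256 too.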
Thread overview (2 messages):
2020-02-07 19:48 Konstantin Ryabitsev [this message]
2020-02-08 00:49 Eric Wong, Re: Attestation signatures in a separate ref