From: Eric Wong <e@yhbt.net>
To: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Cc: meta@public-inbox.org
Subject: Re: Attestation signatures in a separate ref
Date: Fri, 7 Feb 2020 18:49:19 -0600 [thread overview]
Message-ID: <20200208004919.GA4607@dcvr> (raw)
In-Reply-To: <20200207194841.yzd3oziv34vooiq5@chatter.i7.local>
Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
> Hello:
>
> While I was working on the minimalist feed stuff [1], it occurred to me
[1] being:
https://public-inbox.org/meta/20200121222924.ioz5ve2sg65zcuoy@chatter.i7.local/
> that even though we may sign each commit, someone would still need to
> clone the entire repository to perform verification. What if instead of
> (or in addition to ) signing each commit in master, we have a separate ref
> containing just PGP-signed metadata of each message.
Seems like it could work if the indexer could be made to pick
the signature blob out quickly by Message-ID w/o having to
scan the full history.
One advantage this has is a developer could perform the
signature after-the-fact on a secure machine; while initially
developing and sending patches from a machine they don't trust.
> refs/heads/master:m
> From: Foo Foo <foo@example.com>
> To: linux-kernel@vger.kernel.org
> Message-Id: <git-foo-bar@foo-bar.local>
> Date: Fri, 7 Feb 2020 13:43:34 -0500
> Subject: [PATCH] add foo to bar
>
> We need bar in foo!
>
> Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
> ---
> foo | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/foo b/foo
> index 257cc56..3bd1f0e 100644
> --- a/foo
> +++ b/foo
> @@ -1 +1,2 @@
> foo
> +bar
> --
> 2.24.1
>
> refs/heads/mailinfo:m
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Message-Id: git-foo-bar@foo-bar.local
> Full-SHA256: 2da2c0088c380f4cc5bf7bfdc75cb02b67ff806b712c42ea325ca33dffa57a7f
> Message-SHA256: 31838769c24277114191c9595fe5ffc619a22f892a23c6812d090d2cac13e1dc
> Patch-SHA256: 3ea940267d098d3e4d87d5475403197006956ea9fcbb9d84f37aa804c6cd8943
> -----BEGIN PGP SIGNATURE-----
>
> iHUEARYIAB0WIQR2vl2yUnHhSB5njDW2xBzjVmSZbAUCXj22ZAAKCRC2xBzjVmSZ
> ....
> 0SJaB7csojQUzZBzX1Ntx9F+OzNy8gY=
> =lvaU
> -----END PGP SIGNATURE-----
>
> Full-SHA256 contains verbatim contents of master:m, while
> Message/Patch-SHA256 contains the "msg" and "patch" output of "git
> mailinfo". Separating it this way would allow someone to verify the
> contents of a message even if it has been modified to remove headers or
> mime-parts, e.g. for the purposes of creating a "git am" friendly mbox
> file.
I'm not sure if Full-SHA256 is worthwhile. Message-SHA256 could
include From/Date/Subject (e.g. the stdout of git-mailinfo) and
that'd be all the info necessary.
If anything, the git blob OID should be there instead of
Full-SHA256. Having the git blob OID would make verifying the
full history of signatures possible w/o having to build a
Message-ID-based indexer (but they'd still need a full clone).
> The alternative is making these notes on the commits, but I believe that
> has important scaling impacts.
git's also looking to get reftable support to make notes more
scalable, but a bunch of similar proposals haven't worked out
over the years, so far... But notes would also interact badly
with -edit and -purge rewriting history.
> What do you think?
Seems doable, but then again hardly any kernel developers sign
stuff. Maybe improving UI/UX can change that, I don't know...
prev parent reply other threads:[~2020-02-08 0:49 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-07 19:48 Attestation signatures in a separate ref Konstantin Ryabitsev
2020-02-08 0:49 ` Eric Wong [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://public-inbox.org/README
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200208004919.GA4607@dcvr \
--to=e@yhbt.net \
--cc=konstantin@linuxfoundation.org \
--cc=meta@public-inbox.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/public-inbox.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).