user/dev discussion of public-inbox itself
 help / color / Atom feed
From: Eric Wong <e@yhbt.net>
To: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Cc: meta@public-inbox.org
Subject: Re: Attestation signatures in a separate ref
Date: Fri, 7 Feb 2020 18:49:19 -0600
Message-ID: <20200208004919.GA4607@dcvr> (raw)
In-Reply-To: <20200207194841.yzd3oziv34vooiq5@chatter.i7.local>

Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
> Hello:
> 
> While I was working on the minimalist feed stuff [1], it occurred to me 

[1] being:
https://public-inbox.org/meta/20200121222924.ioz5ve2sg65zcuoy@chatter.i7.local/

> that even though we may sign each commit, someone would still need to 
> clone the entire repository to perform verification. What if instead of 
> (or in addition to ) signing each commit in master, we have a separate ref
> containing just PGP-signed metadata of each message.

Seems like it could work if the indexer could be made to pick
the signature blob out quickly by Message-ID w/o having to
scan the full history.

One advantage this has is a developer could perform the
signature after-the-fact on a secure machine; while initially
developing and sending patches from a machine they don't trust.

> refs/heads/master:m
>   From: Foo Foo <foo@example.com>
>   To: linux-kernel@vger.kernel.org
>   Message-Id: <git-foo-bar@foo-bar.local>
>   Date: Fri, 7 Feb 2020 13:43:34 -0500
>   Subject: [PATCH] add foo to bar
> 
>   We need bar in foo!
> 
>   Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
>   ---
>    foo | 1 +
>    1 file changed, 1 insertion(+)
> 
>   diff --git a/foo b/foo
>   index 257cc56..3bd1f0e 100644
>   --- a/foo
>   +++ b/foo
>   @@ -1 +1,2 @@
>    foo
>   +bar
>   --
>   2.24.1
> 
> refs/heads/mailinfo:m
>   -----BEGIN PGP SIGNED MESSAGE-----
>   Hash: SHA256
> 
>   Message-Id: git-foo-bar@foo-bar.local
>   Full-SHA256: 2da2c0088c380f4cc5bf7bfdc75cb02b67ff806b712c42ea325ca33dffa57a7f
>   Message-SHA256: 31838769c24277114191c9595fe5ffc619a22f892a23c6812d090d2cac13e1dc
>   Patch-SHA256: 3ea940267d098d3e4d87d5475403197006956ea9fcbb9d84f37aa804c6cd8943
>   -----BEGIN PGP SIGNATURE-----
> 
>   iHUEARYIAB0WIQR2vl2yUnHhSB5njDW2xBzjVmSZbAUCXj22ZAAKCRC2xBzjVmSZ
>   ....
>   0SJaB7csojQUzZBzX1Ntx9F+OzNy8gY=
>   =lvaU
>   -----END PGP SIGNATURE-----
> 
> Full-SHA256 contains verbatim contents of master:m, while 
> Message/Patch-SHA256 contains the "msg" and "patch" output of "git 
> mailinfo". Separating it this way would allow someone to verify the 
> contents of a message even if it has been modified to remove headers or 
> mime-parts, e.g. for the purposes of creating a "git am" friendly mbox 
> file.

I'm not sure if Full-SHA256 is worthwhile.  Message-SHA256 could
include From/Date/Subject (e.g. the stdout of git-mailinfo) and
that'd be all the info necessary.

If anything, the git blob OID should be there instead of
Full-SHA256.  Having the git blob OID would make verifying the
full history of signatures possible w/o having to build a
Message-ID-based indexer (but they'd still need a full clone).

> The alternative is making these notes on the commits, but I believe that 
> has important scaling impacts.

git's also looking to get reftable support to make notes more
scalable, but a bunch of similar proposals haven't worked out
over the years, so far...  But notes would also interact badly
with -edit and -purge rewriting history.

> What do you think?

Seems doable, but then again hardly any kernel developers sign
stuff.  Maybe improving UI/UX can change that, I don't know...

      reply index

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-07 19:48 Konstantin Ryabitsev
2020-02-08  0:49 ` Eric Wong [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://public-inbox.org/README

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200208004919.GA4607@dcvr \
    --to=e@yhbt.net \
    --cc=konstantin@linuxfoundation.org \
    --cc=meta@public-inbox.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

user/dev discussion of public-inbox itself

Archives are clonable:
	git clone --mirror https://public-inbox.org/meta
	git clone --mirror http://czquwvybam4bgbro.onion/meta
	git clone --mirror http://hjrcffqmbrq6wope.onion/meta
	git clone --mirror http://ou63pmih66umazou.onion/meta

Example config snippet for mirrors

Newsgroups are available over NNTP:
	nntp://news.public-inbox.org/inbox.comp.mail.public-inbox.meta
	nntp://ou63pmih66umazou.onion/inbox.comp.mail.public-inbox.meta
	nntp://czquwvybam4bgbro.onion/inbox.comp.mail.public-inbox.meta
	nntp://hjrcffqmbrq6wope.onion/inbox.comp.mail.public-inbox.meta
	nntp://news.gmane.io/gmane.mail.public-inbox.general

 note: .onion URLs require Tor: https://www.torproject.org/

AGPL code for this site: git clone https://public-inbox.org/public-inbox.git