user/dev discussion of public-inbox itself
 help / color / Atom feed
* Attestation signatures in a separate ref
@ 2020-02-07 19:48 Konstantin Ryabitsev
  2020-02-08  0:49 ` Eric Wong
  0 siblings, 1 reply; 2+ messages in thread
From: Konstantin Ryabitsev @ 2020-02-07 19:48 UTC (permalink / raw)
  To: meta

Hello:

While I was working on the minimalist feed stuff [1], it occurred to me 
that even though we may sign each commit, someone would still need to 
clone the entire repository to perform verification. What if instead of 
(or in addition to ) signing each commit in master, we have a separate ref
containing just PGP-signed metadata of each message.

refs/heads/master:m
  From: Foo Foo <foo@example.com>
  To: linux-kernel@vger.kernel.org
  Message-Id: <git-foo-bar@foo-bar.local>
  Date: Fri, 7 Feb 2020 13:43:34 -0500
  Subject: [PATCH] add foo to bar

  We need bar in foo!

  Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
  ---
   foo | 1 +
   1 file changed, 1 insertion(+)

  diff --git a/foo b/foo
  index 257cc56..3bd1f0e 100644
  --- a/foo
  +++ b/foo
  @@ -1 +1,2 @@
   foo
  +bar
  --
  2.24.1

refs/heads/mailinfo:m
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA256

  Message-Id: git-foo-bar@foo-bar.local
  Full-SHA256: 2da2c0088c380f4cc5bf7bfdc75cb02b67ff806b712c42ea325ca33dffa57a7f
  Message-SHA256: 31838769c24277114191c9595fe5ffc619a22f892a23c6812d090d2cac13e1dc
  Patch-SHA256: 3ea940267d098d3e4d87d5475403197006956ea9fcbb9d84f37aa804c6cd8943
  -----BEGIN PGP SIGNATURE-----

  iHUEARYIAB0WIQR2vl2yUnHhSB5njDW2xBzjVmSZbAUCXj22ZAAKCRC2xBzjVmSZ
  ....
  0SJaB7csojQUzZBzX1Ntx9F+OzNy8gY=
  =lvaU
  -----END PGP SIGNATURE-----

Full-SHA256 contains verbatim contents of master:m, while 
Message/Patch-SHA256 contains the "msg" and "patch" output of "git 
mailinfo". Separating it this way would allow someone to verify the 
contents of a message even if it has been modified to remove headers or 
mime-parts, e.g. for the purposes of creating a "git am" friendly mbox 
file.

The alternative is making these notes on the commits, but I believe that 
has important scaling impacts.

What do you think?

-K

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Attestation signatures in a separate ref
  2020-02-07 19:48 Attestation signatures in a separate ref Konstantin Ryabitsev
@ 2020-02-08  0:49 ` Eric Wong
  0 siblings, 0 replies; 2+ messages in thread
From: Eric Wong @ 2020-02-08  0:49 UTC (permalink / raw)
  To: Konstantin Ryabitsev; +Cc: meta

Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
> Hello:
> 
> While I was working on the minimalist feed stuff [1], it occurred to me 

[1] being:
https://public-inbox.org/meta/20200121222924.ioz5ve2sg65zcuoy@chatter.i7.local/

> that even though we may sign each commit, someone would still need to 
> clone the entire repository to perform verification. What if instead of 
> (or in addition to ) signing each commit in master, we have a separate ref
> containing just PGP-signed metadata of each message.

Seems like it could work if the indexer could be made to pick
the signature blob out quickly by Message-ID w/o having to
scan the full history.

One advantage this has is a developer could perform the
signature after-the-fact on a secure machine; while initially
developing and sending patches from a machine they don't trust.

> refs/heads/master:m
>   From: Foo Foo <foo@example.com>
>   To: linux-kernel@vger.kernel.org
>   Message-Id: <git-foo-bar@foo-bar.local>
>   Date: Fri, 7 Feb 2020 13:43:34 -0500
>   Subject: [PATCH] add foo to bar
> 
>   We need bar in foo!
> 
>   Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
>   ---
>    foo | 1 +
>    1 file changed, 1 insertion(+)
> 
>   diff --git a/foo b/foo
>   index 257cc56..3bd1f0e 100644
>   --- a/foo
>   +++ b/foo
>   @@ -1 +1,2 @@
>    foo
>   +bar
>   --
>   2.24.1
> 
> refs/heads/mailinfo:m
>   -----BEGIN PGP SIGNED MESSAGE-----
>   Hash: SHA256
> 
>   Message-Id: git-foo-bar@foo-bar.local
>   Full-SHA256: 2da2c0088c380f4cc5bf7bfdc75cb02b67ff806b712c42ea325ca33dffa57a7f
>   Message-SHA256: 31838769c24277114191c9595fe5ffc619a22f892a23c6812d090d2cac13e1dc
>   Patch-SHA256: 3ea940267d098d3e4d87d5475403197006956ea9fcbb9d84f37aa804c6cd8943
>   -----BEGIN PGP SIGNATURE-----
> 
>   iHUEARYIAB0WIQR2vl2yUnHhSB5njDW2xBzjVmSZbAUCXj22ZAAKCRC2xBzjVmSZ
>   ....
>   0SJaB7csojQUzZBzX1Ntx9F+OzNy8gY=
>   =lvaU
>   -----END PGP SIGNATURE-----
> 
> Full-SHA256 contains verbatim contents of master:m, while 
> Message/Patch-SHA256 contains the "msg" and "patch" output of "git 
> mailinfo". Separating it this way would allow someone to verify the 
> contents of a message even if it has been modified to remove headers or 
> mime-parts, e.g. for the purposes of creating a "git am" friendly mbox 
> file.

I'm not sure if Full-SHA256 is worthwhile.  Message-SHA256 could
include From/Date/Subject (e.g. the stdout of git-mailinfo) and
that'd be all the info necessary.

If anything, the git blob OID should be there instead of
Full-SHA256.  Having the git blob OID would make verifying the
full history of signatures possible w/o having to build a
Message-ID-based indexer (but they'd still need a full clone).

> The alternative is making these notes on the commits, but I believe that 
> has important scaling impacts.

git's also looking to get reftable support to make notes more
scalable, but a bunch of similar proposals haven't worked out
over the years, so far...  But notes would also interact badly
with -edit and -purge rewriting history.

> What do you think?

Seems doable, but then again hardly any kernel developers sign
stuff.  Maybe improving UI/UX can change that, I don't know...

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-07 19:48 Attestation signatures in a separate ref Konstantin Ryabitsev
2020-02-08  0:49 ` Eric Wong

user/dev discussion of public-inbox itself

Archives are clonable:
	git clone --mirror https://public-inbox.org/meta
	git clone --mirror http://czquwvybam4bgbro.onion/meta
	git clone --mirror http://hjrcffqmbrq6wope.onion/meta
	git clone --mirror http://ou63pmih66umazou.onion/meta

Example config snippet for mirrors

Newsgroups are available over NNTP:
	nntp://news.public-inbox.org/inbox.comp.mail.public-inbox.meta
	nntp://ou63pmih66umazou.onion/inbox.comp.mail.public-inbox.meta
	nntp://czquwvybam4bgbro.onion/inbox.comp.mail.public-inbox.meta
	nntp://hjrcffqmbrq6wope.onion/inbox.comp.mail.public-inbox.meta
	nntp://news.gmane.io/gmane.mail.public-inbox.general

 note: .onion URLs require Tor: https://www.torproject.org/

AGPL code for this site: git clone https://public-inbox.org/public-inbox.git