Random Thoughts (Posts about git)https://carreau.github.io/enWed, 27 Oct 2021 20:18:00 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssSign commits on GitHubhttps://carreau.github.io/posts/33-sign-commits-on-github.md/Matthias Bussonnier<div><h2>Signing Commit on Tags on GitHub</h2> <p>I've recently set-up <a href="https://keybase.io/">keybase</a> and integrated my public key with git to be able to sign commits.</p> <p>I decided to not automatically sign, as auto-signing would allow any attacker that takes control of my machine to create signed commit. The git <a href="https://en.wikipedia.org/wiki/Merkle_tree">Merkle tree</a> of git still insure repos are not tampered with, as long as you issue <code>$ git fsck --full</code> on a repo or <code>$ git config --global transfer.fsckobjects true</code> once and forget it.</p> <p>Using <code>$ git log --show-signatur</code> you can now check that commits (and tags) are correctly signed. Be careful though, correct signature does not mean trusted, and if you have a PGP key set; GitHub will helpfully signed the commit you make on their platform with <strong>their key</strong>. </p> <pre class="code literal-block"><span></span><code><span class="o">*</span><span class="w"> </span><span class="k">commit</span><span class="w"> </span><span class="mi">5</span><span class="n">ced6c6936563fea7ba7efccecbc4248d84cfabb</span><span class="w"> </span><span class="p">(</span><span class="nl">tag</span><span class="p">:</span><span class="w"> </span><span class="mf">5.2.1</span><span class="p">,</span><span class="w"> </span><span class="n">origin</span><span class="o">/</span><span class="mf">5.2</span><span class="p">.</span><span class="n">x</span><span class="p">,</span><span class="w"> </span><span class="mf">5.2</span><span class="p">.</span><span class="n">x</span><span class="p">)</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">Signature</span><span class="w"> </span><span class="n">made</span><span class="w"> </span><span class="n">Tue</span><span class="w"> </span><span class="n">Jan</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="mi">19</span><span class="err">:</span><span class="mi">51</span><span class="err">:</span><span class="mi">17</span><span class="w"> </span><span class="mi">2018</span><span class="w"> </span><span class="n">CET</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="k">using</span><span class="w"> </span><span class="n">RSA</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="mi">99</span><span class="n">B17F64FD5C94692E9EF8064968B2CC0208DCC8</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">Good</span><span class="w"> </span><span class="n">signature</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="ss">"Matthias Bussonnier &lt;bussonniermatthias@gmail.com&gt;"</span><span class="w"> </span><span class="o">[</span><span class="n">ultimate</span><span class="o">]</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="nl">Author</span><span class="p">:</span><span class="w"> </span><span class="n">Matthias</span><span class="w"> </span><span class="n">Bussonnier</span><span class="w"> </span><span class="o">&lt;</span><span class="n">bussonniermatthias</span><span class="nv">@gmail</span><span class="p">.</span><span class="n">com</span><span class="o">&gt;</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="nc">Date</span><span class="err">:</span><span class="w"> </span><span class="n">Tue</span><span class="w"> </span><span class="n">Jan</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="mi">19</span><span class="err">:</span><span class="mi">49</span><span class="err">:</span><span class="mi">34</span><span class="w"> </span><span class="mi">2018</span><span class="w"> </span><span class="o">+</span><span class="mi">0100</span><span class="w"></span> <span class="o">|</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="n">Bump</span><span class="w"> </span><span class="n">version</span><span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="mf">5.2.1</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">release</span><span class="w"></span> <span class="o">|</span><span class="w"></span> <span class="o">*</span><span class="w"> </span><span class="k">commit</span><span class="w"> </span><span class="mi">5</span><span class="n">a28fb0a121c286e35db309fe11b53693969b2d6</span><span class="w"></span> <span class="o">|</span><span class="err">\</span><span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">Signature</span><span class="w"> </span><span class="n">made</span><span class="w"> </span><span class="n">Tue</span><span class="w"> </span><span class="n">Jan</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="mi">13</span><span class="err">:</span><span class="mi">58</span><span class="err">:</span><span class="mi">08</span><span class="w"> </span><span class="mi">2018</span><span class="w"> </span><span class="n">CET</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="k">using</span><span class="w"> </span><span class="n">RSA</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="mi">4</span><span class="n">AEE18F83AFDEB23</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">Good</span><span class="w"> </span><span class="n">signature</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="ss">"GitHub (web-flow commit signing) &lt;noreply@github.com&gt;"</span><span class="w"> </span><span class="o">[</span><span class="n">unknown</span><span class="o">]</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="nl">WARNING</span><span class="p">:</span><span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">certified</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">trusted</span><span class="w"> </span><span class="n">signature</span><span class="err">!</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">There</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="k">no</span><span class="w"> </span><span class="n">indication</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">signature</span><span class="w"> </span><span class="n">belongs</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">owner</span><span class="p">.</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="k">Primary</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="nl">fingerprint</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="n">DE3</span><span class="w"> </span><span class="n">E050</span><span class="w"> </span><span class="mi">9</span><span class="n">C47</span><span class="w"> </span><span class="n">EA3C</span><span class="w"> </span><span class="n">F04A</span><span class="w"> </span><span class="mi">42</span><span class="n">D3</span><span class="w"> </span><span class="mi">4</span><span class="n">AEE</span><span class="w"> </span><span class="mi">18</span><span class="n">F8</span><span class="w"> </span><span class="mi">3</span><span class="n">AFD</span><span class="w"> </span><span class="n">EB23</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="k">Merge</span><span class="err">:</span><span class="w"> </span><span class="mi">3</span><span class="n">fd21bc</span><span class="w"> </span><span class="mi">065</span><span class="n">a16a</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nl">Author</span><span class="p">:</span><span class="w"> </span><span class="nf">Min</span><span class="w"> </span><span class="n">RK</span><span class="w"> </span><span class="o">&lt;</span><span class="n">benjaminrk</span><span class="nv">@gmail</span><span class="p">.</span><span class="n">com</span><span class="o">&gt;</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nc">Date</span><span class="err">:</span><span class="w"> </span><span class="n">Tue</span><span class="w"> </span><span class="n">Jan</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="mi">13</span><span class="err">:</span><span class="mi">58</span><span class="err">:</span><span class="mi">08</span><span class="w"> </span><span class="mi">2018</span><span class="w"> </span><span class="o">+</span><span class="mi">0100</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="k">Merge</span><span class="w"> </span><span class="n">pull</span><span class="w"> </span><span class="n">request</span><span class="w"> </span><span class="n">#326</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">jupyter</span><span class="o">/</span><span class="n">auto</span><span class="o">-</span><span class="n">backport</span><span class="o">-</span><span class="k">of</span><span class="o">-</span><span class="n">pr</span><span class="o">-</span><span class="mi">325</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Backport</span><span class="w"> </span><span class="n">PR</span><span class="w"> </span><span class="n">#325</span><span class="w"> </span><span class="k">on</span><span class="w"> </span><span class="n">branch</span><span class="w"> </span><span class="mf">5.2</span><span class="p">.</span><span class="n">x</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="o">|</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">commit</span><span class="w"> </span><span class="mi">065</span><span class="n">a16aad2e84d506b36bb2c874a7c287c53c61f</span><span class="w"> </span><span class="p">(</span><span class="n">origin</span><span class="o">/</span><span class="n">pr</span><span class="o">/</span><span class="mi">326</span><span class="p">)</span><span class="w"></span> <span class="o">|/</span><span class="w"> </span><span class="nl">Author</span><span class="p">:</span><span class="w"> </span><span class="nf">Min</span><span class="w"> </span><span class="n">RK</span><span class="w"> </span><span class="o">&lt;</span><span class="n">benjaminrk</span><span class="nv">@gmail</span><span class="p">.</span><span class="n">com</span><span class="o">&gt;</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="nc">Date</span><span class="err">:</span><span class="w"> </span><span class="n">Tue</span><span class="w"> </span><span class="n">Jan</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="mi">10</span><span class="err">:</span><span class="mi">57</span><span class="err">:</span><span class="mi">13</span><span class="w"> </span><span class="mi">2018</span><span class="w"> </span><span class="o">+</span><span class="mi">0100</span><span class="w"></span> <span class="o">|</span><span class="w"></span> <span class="o">|</span><span class="w"> </span><span class="n">Backport</span><span class="w"> </span><span class="n">PR</span><span class="w"> </span><span class="n">#325</span><span class="err">:</span><span class="w"> </span><span class="n">Parenthesize</span><span class="w"> </span><span class="n">conditional</span><span class="w"> </span><span class="n">requirement</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">setup</span><span class="p">.</span><span class="n">py</span><span class="w"></span> </code></pre> <p>So in the previous block, you can see that <code>5ced6c6...</code> have been done <strong>and signed</strong> by me, while <code>5a28fb0...</code> has be allegedly done by Min, <em>but</em> signed by GitHub.</p> <p>By default you do not have GitHub Signature locally, so the GitHub Signed commits can appear as unverified. </p> <p>To do so fetch the GitHub Key:</p> <pre class="code literal-block"><span></span><code>$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 4AEE18F83AFDEB23 </code></pre> <p>Where <code>4AEE18F83AFDEB23</code> is the key you do not have locally. And remember Valid Signature, does not mean trusted.</p> <h3>verifying Tags</h3> <p>Tags can be signed, and need to be checked <strong>independently of commits</strong> :</p> <pre class="code literal-block"><span></span><code><span class="err">$</span><span class="w"> </span><span class="n">git</span><span class="w"> </span><span class="n">tag</span><span class="w"> </span><span class="o">--</span><span class="n">verify</span><span class="w"> </span><span class="mf">5.2.1</span><span class="w"></span> <span class="k">object</span><span class="w"> </span><span class="mi">5</span><span class="n">ced6c6936563fea7ba7efccecbc4248d84cfabb</span><span class="w"></span> <span class="n">type</span><span class="w"> </span><span class="k">commit</span><span class="w"></span> <span class="n">tag</span><span class="w"> </span><span class="mf">5.2.1</span><span class="w"></span> <span class="n">tagger</span><span class="w"> </span><span class="n">Matthias</span><span class="w"> </span><span class="n">Bussonnier</span><span class="w"> </span><span class="o">&lt;</span><span class="n">bussonniermatthias</span><span class="nv">@gmail</span><span class="p">.</span><span class="n">com</span><span class="o">&gt;</span><span class="w"> </span><span class="mi">1514919438</span><span class="w"> </span><span class="o">+</span><span class="mi">0100</span><span class="w"></span> <span class="k">release</span><span class="w"> </span><span class="n">version</span><span class="w"> </span><span class="mf">5.2.1</span><span class="w"></span> <span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">Signature</span><span class="w"> </span><span class="n">made</span><span class="w"> </span><span class="n">Tue</span><span class="w"> </span><span class="n">Jan</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="mi">19</span><span class="err">:</span><span class="mi">57</span><span class="err">:</span><span class="mi">18</span><span class="w"> </span><span class="mi">2018</span><span class="w"> </span><span class="n">CET</span><span class="w"></span> <span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="k">using</span><span class="w"> </span><span class="n">RSA</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="mi">99</span><span class="n">B17F64FD5C94692E9EF8064968B2CC0208DCC8</span><span class="w"></span> <span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">Good</span><span class="w"> </span><span class="n">signature</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="ss">"Matthias Bussonnier &lt;bussonniermatthias@gmail.com&gt;"</span><span class="w"> </span><span class="o">[</span><span class="n">ultimate</span><span class="o">]</span><span class="w"></span> </code></pre> <p>So you can check that <em>I</em> tagged this commit.</p> <h3>learn more</h3> <p>As usual the <a href="https://git-scm.com/book/id/v2/Git-Tools-Signing-Your-Work">git documentation</a> has more to say about this. And signing is not really useful without checking the integrity of Git history, so please set <code>$ git config --global transfer.fsckobjects true</code> as well !</p></div> </body></html> gitgithubpgphttps://carreau.github.io/posts/33-sign-commits-on-github.md/Sun, 07 Jan 2018 13:30:00 GMT