Lance R. Vick 03bbbcc350 Drop 'fetch', add 'pull', support custom gpg binaries via env. (1 year ago)
The simple multisig toolchain for git repos.
Clone

```shell
git clone https://codeberg.org/distrust/git-sig.git
```
Review source code and signatures manually
Using git-sig to verify the signatures of git-sig itself is not recommended, as it could simply lie to you. Consider using the following one-liner instead, which is much faster to review:
```shell
# Each note line holds the signed data, then "pgp:" followed by the
# base64-encoded detached signature; the two sed calls split them apart.
git fetch origin refs/notes/signatures:refs/notes/signatures
while read -r line; do \
  gpg --verify \
    <(printf '%s' "$line" | sed 's/.*pgp://g' | openssl base64 -d -A) \
    <(printf '%s' "$line" | sed 's/pgp:.*/pgp/g'); \
done < <(git notes --ref=signatures show)
```
Copy to $PATH

```shell
cp git-sig ~/.local/bin/
```
```
git sig add [-m,--method=<note|tag>] [-p,--push]
    Add signature for this repository
git sig remove
    Remove all signatures on current ref
git sig verify [-g,--group=<group>] [-t,--threshold=<N>] [-d,--diff=<branch>]
    Verify m-of-n signatures by given group are present for directory.
git sig push [-r,--remote=<remote>]
    Push all signatures on current ref
git sig fetch [-g,--group=<group>]
    Fetch key by fingerprint. Optionally add to group.
git sig help
    Show this text.
git sig version
    Show version information.
```
```shell
git sig verify
git sig verify --threshold 2
git sig verify --threshold 3 --group myteam
git sig verify --threshold 2 --diff
git sig add
```
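The m-of-n check that `git sig verify --threshold` performs, as an added example that is not git-sig's own code: it counts distinct trusted signers from the status lines gpg emits during verification, treating a primary key and its subkeys as one signer so a single person cannot satisfy a threshold alone. The group-file format (one fingerprint per line) and all fingerprints are constructed for the example.

```shell
#!/bin/sh
# Added example, not git-sig's own code: an m-of-n check over the status
# lines gpg prints with `--status-fd 1` while verifying each signature.
# Assumed: group file = one trusted primary-key fingerprint per line (a
# constructed format); every fingerprint below is fake sample data.
# count_valid_signers GROUP_FILE < STATUS_LINES
# Prints how many distinct trusted primary keys produced a VALIDSIG line.
count_valid_signers() {
    group_file=$1; count=0; seen=""
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*) ;;   # GOODSIG only carries a short key id
            *) continue ;;
        esac
        # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsvd> <pk-algo> <hash-algo>
        # <class> [<primary-fpr>]: signing key is field 3, primary is field 12
        set -- $line
        fpr=$3; primary=${12:-$fpr}
        # A primary key and its subkeys are one signer: dedupe on primary.
        case " $seen " in *" $primary "*) continue ;; esac
        seen="$seen $primary"
        grep -qixF -- "$primary" "$group_file" && count=$((count + 1))
    done
    printf '%s\n' "$count"
}
# verify_threshold GROUP_FILE THRESHOLD < STATUS_LINES; succeeds iff m-of-n met.
verify_threshold() {
    have=$(count_valid_signers "$1")
    if [ "$have" -ge "$2" ]; then
        printf 'ok: %s signer(s) from group, %s required\n' "$have" "$2"
    else
        printf 'FAIL: %s signer(s) from group, %s required\n' "$have" "$2" >&2
        return 1
    fi
}
# Constructed sample: fake fingerprints; ALICE_SUB is a subkey of ALICE.
ALICE=000000000000000000000000000000000000A11A
ALICE_SUB=000000000000000000000000000000000000A11B
BOB=000000000000000000000000000000000000B0B0
OUTSIDER=000000000000000000000000000000000000BAD0   # not in the group
sample_status() {   # constructed `gpg --status-fd 1` output: four good sigs
    for k in "$ALICE $ALICE" "$ALICE_SUB $ALICE" "$BOB $BOB" "$OUTSIDER $OUTSIDER"; do
        set -- $k   # $1 = signing (sub)key, $2 = its primary key
        printf '[GNUPG:] GOODSIG %s Signer <signer@example.invalid>\n' "$1"
        printf '[GNUPG:] VALIDSIG %s 2024-01-01 1704067200 0 4 0 22 10 00 %s\n' "$1" "$2"
    done
}
GROUP_FILE=$(mktemp); printf '%s\n%s\n' "$ALICE" "$BOB" >"$GROUP_FILE"
sample_status | verify_threshold "$GROUP_FILE" 2   # prints: ok: 2 signer(s) from group, 2 required
```

Alice's two signatures plus the outsider's do not help reach a threshold of 3; only Alice and Bob count, so `--threshold 3` would fail.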
Because it is easy to quickly verify at any time, has wide OS compatibility, and the majority of the needed operations are calls to other programs already present on most systems, like gpg and openssl.
If this were written in another language it would be harder to audit on the fly, would require the user to have a specific language toolchain installed, and would still mostly be a bunch of shell executions calling system binaries anyway.
In spite of many popular claims to the contrary, PGP is still the best-supported protocol for distribution, verification, and signing with keys held by individual humans. It is also the only protocol with wide HSM support, allowing you to keep keys out of system memory and require physical approval for each operation, e.g. a Trezor, Ledger, YubiKey, etc.
Admittedly the GnuPG codebase itself is a buggy, dated mess, but PGP as a spec is still Pretty Good for many use cases. A recent modern rewrite by a number of former GnuPG team members is near complete and set to give PGP a long and stable future.
Notary is very well designed and supports many HSMs well.
It may be worth supporting as an alternate method in the future if m-of-n multisig is ever implemented as part of the TUF specification, which has been on their TODO list for a few years now.
It has the very desirable feature of conditionally expiring signatures, which no other solution has at the time of this writing; this comes from it being purpose-built for software signing concerns.
See: The Update Framework
OpenSSL has HSM support via OpenSC, which is fairly well supported via PKCS#11.
Contributions suggesting this as an alternative backend to OpenPGP are welcome; however, they would also have to come with methods for key discovery and pinned key groups via configuration files of some kind.
PGP gives us these features almost for free.
These alternatives have poor, if any, support for HSM workflows and thus put private keys at too much risk of theft or loss to recommend them for general use at this time.
That said, verifying folders/repos that use these methods is certainly of value, and contributions to support doing this on systems where those tools are available are welcome.