A tool to sign arbitrary objects in a git repository.
Signing keys can be generated with signify,
from the OpenBSD project.
$ signify -G -p newkey.pub -s newkey.sec
If you do not wish to encrypt your keys, pass the -n flag to the
command line of signify.
This program keeps track of signatures made by a keypair with a given fingerprint as git references. References can be fetched from and pushed to a remote.
$ git signify pull origin
$ git signify push origin
Verification can be done with git signify verify. For example, to
verify a release of git-signify itself:
$ git pull --tags
$ git signify pull
$ git signify verify -k <(curl -sfL https://gandas.us.to/keys/git.pub) v0.3.0
To sign git revisions, run something akin to:
$ git signify sign -k <secret-key> v0.3.0
git-signify writes a tree object to some git repository containing the
following blobs:
100644 blob aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa object
100644 blob bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb signature
Where object stores the raw (20 byte) object id of some git object
to be signed, and signature stores the signature over object. The
tree's hash is returned by git signify raw sign.
To store signatures in tags, one must use the "raw" mode of git-signify.
The raw flags supported by this program and their respective documentation
can be checked by running the following commands:
$ git signify raw -h
$ git signify raw sign -h
$ git signify raw verify -h
The suggested approach to store signatures in tags is the following:
$ SIGNATURE_TREE=$(git signify raw sign -k $SECRET_KEY $OBJECT_TO_SIGN)
$ SIGNATURE_COMMIT=$(git commit-tree $SIGNATURE_TREE -m Signature)
$ git tag signature-$OBJECT_TO_SIGN $SIGNATURE_COMMIT
$ git push --tags
Verification can then be done with:
$ git signify raw verify -p -k $PUBLIC_KEY $SIGNATURE_COMMIT^{tree}