This repo includes extensions and workflow examples for being able to attach an arbitrary number of GPG signatures to a given commit or tag.
Git already supports commit signing. These tools are intended to compliment that support by allowing a code reviewer and/or release engineer attach their signatures as well.
A CI or build system that enforces m-of-n signature verification on git tags to be released offers strong protection against tampering of the repository by a single bad actor or compromised system.
This approach builds entirely on the git-notes interface which allows the attachment of arbitrary data to an existing commit.
- Git 2.1+
- GnuPG 2.2+
Since the built in getopt and date binaries are not compatible with this script, you must install some GNU compatible binaries (homebrew recommended).
- gnu-getopt
brew install gnu-getopt
ln -s $(brew --prefix gnu-getopt)/bin/getopt /usr/local/bin/gnu-getopt
- coreutils
brew install coreutils
Make sure that the gnu-getopt
, gdate
, and gshuf
binaries are in your $PATH.
You need only place bin/git-signatures anywhere in your $PATH.
By default you can install it to $HOME/.local/bin with:
make install
git signatures pull
git signatures add v1.0.0
git signatures push
git signatures add --push v1.0.0
Will return the public key IDs of verified signers:
git signatures verify v1.0.0
Verify m-of-n requirement met against default gpg trustdb. Will return 0 only if conditions met.
git signatures verify --min-count 2 v1.0.0
git signatures verify --trustdb dev-team.db --min-count 2 v1.0.0
git signatures verify --trustdb release-team.db --min-count 1 v1.0.0
git-signatures is only a very simple set of wrappers to offer a shorthand for git/gpg manipulations.
Signatures are just base64 encoded results of GPG signing a given git hash. They are appended in the git-notes interface at refs/signatures.
These methods were chosen to make this setup easy to reason about and review.
A manual signing could be performed as:
git rev-parse HEAD | gpg --sign | base64 -w0 | \
git notes --ref refs/signatures append --file=-
git push origin refs/signatures
A manual verification could be performed as:
git fetch origin refs/signatures
git notes merge -s cat_sort_uniq origin/refs/signatures
git notes --ref refs/signatures show | \
xargs -L1 -I {} sh -c "echo {} | base64 -d | gpg -d"
Use at your own risk. You may be eaten by a grue.
Questions/Comments?
- IRC: lrvick@irc.freenode.net/6697
- Matrix: @lrvick:matrix.org
- Email: lance@lrvick.net