Michal 'vorner' Vaner authored
4a4a8259
Git GPG checkers
================

This directory contains a few tools to check signatures on git commits.

Setup
-----

All these tools use a separate GnuPG home directory holding the trusted keys.
They expect that directory to be $HOME/.git-gpg. It may be possible (and better
from a security point of view) to make some of the files in it unwritable by
the current user, so that a malicious attacker can't add another key to the
keyring.

Also, to make tampering by the current user slightly harder, it may be
desirable to make the scripts unwritable by the user as well. But it is
questionable if this adds any level of security, or if the attacker could
disable the check completely when already in the position to tamper with local
files.

It is important to check the output of `gpg -k` *every time* the .git-gpg
directory is updated (so an attacker couldn't sneak a key into the git
repository and wait for it to be installed by accident).

Unsigned detector
-----------------

The `unsigned_detect.pl` tool is meant to be run periodically (for example
after each push). It goes through the repository it is run in and reports any
new commits from listed email addresses that are not signed by a trusted key.
If any such commits are found, it signals this by terminating with exit code 1.

Signed tip
----------

This script simply terminates successfully if the tip of the current branch is
signed by a trusted key and fails if it is not. It is expected to be run before
any code from any repository is used.
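As an added example, not one of the tools in this directory, the following Python sketch applies the same two rules (the unsigned detector's and the signed tip's) to the output of git's `%G?` signature-status placeholder while GNUPGHOME points at the separate keyring; the function names, the watched `dev@example.com` address and the sample log records are assumed/constructed.

```python
import os
import subprocess
from dataclasses import dataclass

# Separate keyring with the trusted keys, as described above (not ~/.gnupg).
GIT_GPG_HOME = os.path.expanduser("~/.git-gpg")
# One record per commit: hash, %G? signature status, signer fingerprint, author email.
LOG_FORMAT = "%H%x1f%G?%x1f%GF%x1f%ae"
# git's %G? values: G good/trusted, U good/untrusted, X expired, Y expired key,
# R revoked key, B bad signature, E cannot check (key missing), N no signature.
# Only "G" satisfies "signed by a trusted key"; every other value must fail.
TRUSTED = "G"

@dataclass
class Finding:
    commit: str
    email: str
    status: str

def git_log_signatures(repo, rev_range):
    """Run git log in `repo` with GNUPGHOME pointed at the trusted keyring."""
    env = dict(os.environ, GNUPGHOME=GIT_GPG_HOME)
    cmd = ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range]
    return subprocess.run(cmd, check=True, capture_output=True, text=True, env=env).stdout

def parse_log(log_output):
    """Yield (commit, status, fingerprint, email) tuples from the formatted log."""
    for line in log_output.splitlines():
        if line:
            yield tuple(line.split("\x1f", 3))

def find_unsigned(log_output, watched_emails):
    """Unsigned-detector rule: commits by watched authors whose status is not G."""
    return [Finding(c, e, s) for c, s, _fpr, e in parse_log(log_output)
            if e in watched_emails and s != TRUSTED]

def tip_is_trusted(log_output):
    """Signed-tip rule for `git log -1 HEAD` output: exactly one commit, status G."""
    records = list(parse_log(log_output))
    return len(records) == 1 and records[0][1] == TRUSTED

# Constructed sample (not from a real repository): a1 is fine, b2 is signed by an
# untrusted key, c3 is unsigned, d4 is unsigned but from an address not watched.
SAMPLE_LOG = "\n".join("\x1f".join(r) for r in [
    ("a1", "G", "FPR1", "dev@example.com"), ("b2", "U", "FPR2", "dev@example.com"),
    ("c3", "N", "", "dev@example.com"), ("d4", "N", "", "bot@example.com"),
])
```

A periodic run would call `find_unsigned(git_log_signatures(repo, "old..new"), watched)` and exit 1 on any finding, and a pre-use check would call `tip_is_trusted(git_log_signatures(repo, "-1"))` on HEAD.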

gen-gpg
-------

This is a maintenance script. It imports the keys and trust settings from
files in this directory (trusted_keys.gpg and trust.txt) and creates the
$HOME/.git-gpg directory from them.

gpg-refresh
-----------

Refreshes the keys from a keyserver. This imports any revocations or possible
new signatures on the keys. It is recommended to run it from cron.

Adding a new key
----------------

On some desktop::

  export GNUPGHOME=$HOME/.git-gpg
  ./gen-gpg
  gpg --recv-keys <THE_KEY> # Hopefully already signed by another trusted key.
  gpg --export --armor >trusted_keys.gpg
  # If the key wasn't trusted and should be, set trust by gpg --edit-key <THE_KEY> and then:
  gpg --export-ownertrust >trust.txt
  export GNUPGHOME=
  git commit -a
  git push

On each and every one of the build machines (as the user `beast`)::

  cd misc
  git pull
  git show # Check the git hash matches the one on the desktop
  ./gen-gpg