Skip to content

Harness the power of signify(1) to sign arbitrary git objects

License

Notifications You must be signed in to change notification settings

sug0/git-signify

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

40 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

git-signify

A tool to sign arbitrary objects in a git repository.

Generating keys

Signing keys can be generated with signify, from the OpenBSD project.

$ signify -G -p newkey.pub -s newkey.sec

If you do not wish to encrypt your keys, pass the -n flag to the command line of signify.

Basic usage

This program keeps track of signatures made by a keypair with a given fingerprint as git references. References can be fetched from and pushed to a remote.

$ git signify pull origin
$ git signify push origin

Verification can be done with git signify verify. For example, to verify a release of git-signify itself:

$ git pull --tags
$ git signify pull
$ git signify verify -k <(curl -sfL https://gandas.us.to/keys/git.pub) v0.3.0

To sign git revisions, run something akin to:

$ git signify sign -k <secret-key> v0.3.0

In-depth

Brief overview of how this program works

git-signify writes a tree object to some git repository containing the following blobs:

100644 blob aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa	object
100644 blob bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb	signature

Where object stores the raw (20 byte) object id of some git object to be signed, and signature stores the signature over object. The tree's hash is returned by git signify raw sign.

Storing signatures in tags

To store signatures in tags, one must use the "raw" mode of git-signify. The raw flags supported by this program and their respective documentation can be checked by running the following commands:

$ git signify raw -h
$ git signify raw sign -h
$ git signify raw verify -h

The suggested approach to store signatures in tags is the following:

$ SIGNATURE_TREE=$(git signify raw sign -k $SECRET_KEY $OBJECT_TO_SIGN)
$ SIGNATURE_COMMIT=$(git commit-tree $SIGNATURE_TREE -m Signature)
$ git tag signature-$OBJECT_TO_SIGN $SIGNATURE_COMMIT
$ git push --tags

Verification can then be done with:

$ git signify raw verify -p -k $PUBLIC_KEY $SIGNATURE_COMMIT^{tree}

About

Harness the power of signify(1) to sign arbitrary git objects

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages