update readme to reflect current operation

Lance Vick 2023-01-19 14:03:41 -08:00
parent 8f068ed016
commit 043be12bab
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
1 changed files with 22 additions and 54 deletions


@ -21,30 +21,20 @@ The simple GPG signature toolchain for directories or git repos.
git clone git@gitlab.com/pchq/sig.git sig
```
2. Manually generate manifest
2. Review source code and signatures manually
Using sig to verify the signatures of sig itself is not recommended.
Consider using the following one liner which is much faster to review:
```
git ls-files \
| grep -v .sig \
| xargs openssl sha256 -r \
| sed -e 's/ \*/ /g' -e 's/ \.\// /g'
while read -r line; do \
gpg --verify \
<(printf $line | sed 's/.*pgp://g'| openssl base64 -d -A) \
<(printf $line | sed 's/pgp:.*/pgp/g'); \
done < <(git notes --ref=signatures show)
```
3. Manually verify manifest
```
for file in .sig/*.asc; do gpg --verify $file .sig/manifest.txt; done
git log --show-signature
less sig
```
4. Self verify
```
./sig verify --threshold 3
```
5. Copy to $PATH
3. Copy to $PATH
```
cp sig ~/.local/bin/
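Review bot: in the new step-2 loop, `printf $line` is unquoted and has no format string, so the note line is word-split by the shell and any `%` in it is treated as a format directive; `printf '%s' "$line"` in both process substitutions avoids that. Two smaller points in the same hunk: the clone URL `git@gitlab.com/pchq/sig.git` is missing the colon an scp-style SSH URL needs (`git@gitlab.com:pchq/sig.git`), and the `git ls-files | grep -v .sig | xargs openssl sha256 -r` pipeline prints a hash listing without the text saying what the reader is meant to compare it against, so a sentence naming that reference would make "Review source code and signatures manually" actionable.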
@ -52,12 +42,10 @@ The simple GPG signature toolchain for directories or git repos.
## Usage
* sig verify [-g,--group=<group>] [-t,--threshold=<N>] [-m,--method=<git|detached> ] [-d,--diff=<branch>]
* Verify m-of-n signatures by given group are present for directory
* sig verify [-g,--group=<group>] [-t,--threshold=<N>] [-r,--ref=<ref> ] [-d,--diff=<branch>]
* Verify m-of-n signatures by given group are present for a git repo or ref
* sig add
* Add signature to manifest for this directory
* sig manifest
* Generate hash manifest for this directory
* Add signature to this git ref
* sig fetch [-g,--group=<group>]
* Fetch key by fingerprint. Optionally add to group.
* sig help
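Review bot: `[-r,--ref=<ref> ]` keeps the stray space before `]` from the old `--method` line; `[-r,--ref=<ref>]` matches the other options. Also, now that `sig manifest` is gone and `sig add` is described as "Add signature to this git ref", the usage block never states which ref is signed or verified when `--ref` is not given, and neither `--ref` nor `--diff` is shown in the Examples section below; a one-line statement of the default ref here, plus one example using `--ref`, would close that gap.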
@ -75,53 +63,33 @@ keys.
This counts the commit signature, and any number of signed tags pointing at
this ref.
### Detached
This method verifies the state of this folder was signed exactly as-is by one
or more authors.
## Behavior
If 'threshold' is specified, then that number of signatures must be present.
If 'group' is specified, all signatures must be by keys that belong to a
defined gpg alias group.
### Assumptions
- Single sig mode: Folder contents controlled by signer
- Multi-sig mode: Folder contents verified by multiple signers
- Multi-sig group mode: Folder contents approved by specified individuals
- Hashing scheme for respective backend is not broken
- Git: sha1
- Detached: sha256
- Single sig mode: Repo contents controlled by signer
- Multi-sig mode: Repo contents verified by multiple signers
- Multi-sig group mode: Repo contents approved by specified individuals
- Hashing scheme for respective backend is not broken: (sha256)
## Examples
#### Verify 1 signature via Detached and Git methods
#### Verify at least one signature is present with a known key
```
sig verify
```
#### Verify 2 unique signatures via Detached and Git methods
#### Verify 2 unique signatures from known keys
```
sig verify --threshold 2
```
#### Verify 3 unique signatures from specified signing group via Git method
#### Verify 3 unique signatures from specified signing group
```
sig verify --threshold 3 --group myteam --method git
sig verify --threshold 3 --group myteam
```
#### Verify 2 unique signatures via detached method and diff on failure
```
sig verify --threshold 2 --diff master --method detached
```
#### Add Detached Signature
#### Add signature
```
sig add
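Review bot: the new assumption "Hashing scheme for respective backend is not broken: (sha256)" replaces the old per-backend split that listed "Git: sha1", but the Git method described at the top of this hunk still rests on commit and tag signatures, which sign git object ids that are SHA-1 in default repositories; either keep the SHA-1 assumption for the git-signed content or say where SHA-256 now applies. Separately, the "### Detached" section and the `--diff master --method detached` example are removed while `[-d,--diff=<branch>]` remains in Usage and "## Behavior" says nothing about it; a sentence on what `--diff` does on a failed verification would keep the documented options consistent.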