update readme to reflect current operation

This commit is contained in:
Lance Vick 2023-01-19 14:03:41 -08:00
parent 8f068ed016
commit 043be12bab
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
1 changed files with 22 additions and 54 deletions

@ -21,30 +21,20 @@ The simple GPG signature toolchain for directories or git repos.
git clone git@gitlab.com/pchq/sig.git sig git clone git@gitlab.com/pchq/sig.git sig
``` ```
2. Manually generate manifest 2. Review source code and signatures manually
Using sig to verify the signatures of sig itself is not recommended.
Consider using the following one liner which is much faster to review:
``` ```
git ls-files \ while read -r line; do \
| grep -v .sig \ gpg --verify \
| xargs openssl sha256 -r \ <(printf $line | sed 's/.*pgp://g'| openssl base64 -d -A) \
| sed -e 's/ \*/ /g' -e 's/ \.\// /g' <(printf $line | sed 's/pgp:.*/pgp/g'); \
done < <(git notes --ref=signatures show)
``` ```
3. Manually verify manifest 3. Copy to $PATH
```
for file in .sig/*.asc; do gpg --verify $file .sig/manifest.txt; done
git log --show-signature
less sig
```
4. Self verify
```
./sig verify --threshold 3
```
5. Copy to $PATH
``` ```
cp sig ~/.local/bin/ cp sig ~/.local/bin/
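Review bot: the replacement one-liner in step 2 expands `$line` unquoted in both `printf $line` calls, so the note content is word-split before printf sees it and any `%` in it is read as a format directive; use `printf '%s' "$line"` in both process substitutions. The loop also verifies each note signature in isolation without stating which key fingerprints or how many distinct signers the reader should expect, and since this manual path is what the readme now recommends instead of `sig verify`, a successful `gpg --verify` line from any key in the local keyring would look the same as one from a maintainer; list the expected fingerprint(s) beside the command so the output can be checked against them.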
@ -52,12 +42,10 @@ The simple GPG signature toolchain for directories or git repos.
## Usage ## Usage
* sig verify [-g,--group=<group>] [-t,--threshold=<N>] [-m,--method=<git|detached> ] [-d,--diff=<branch>] * sig verify [-g,--group=<group>] [-t,--threshold=<N>] [-r,--ref=<ref> ] [-d,--diff=<branch>]
* Verify m-of-n signatures by given group are present for directory * Verify m-of-n signatures by given group are present for a git repo or ref
* sig add * sig add
* Add signature to manifest for this directory * Add signature to this git ref
* sig manifest
* Generate hash manifest for this directory
* sig fetch [-g,--group=<group>] * sig fetch [-g,--group=<group>]
* Fetch key by fingerprint. Optionally add to group. * Fetch key by fingerprint. Optionally add to group.
* sig help * sig help
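Review bot: the `sig add` description now reads "Add signature to this git ref", but the usage line shows no `-r,--ref` option for `add` while `verify` gains one; either add the option to `sig add` or reword it to say it signs HEAD. Also `[-r,--ref=<ref> ]` carries a stray space before the closing bracket, and the retained `-d,--diff=<branch>` flag loses its only example once the detached example is removed further down.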
@ -75,53 +63,33 @@ keys.
This counts the commit signature, and any number of signed tags pointing at This counts the commit signature, and any number of signed tags pointing at
this ref. this ref.
### Detached
This method verifies the state of this folder was signed exactly as-is by one
or more authors.
## Behavior
If 'threshold' is specified, then that number of signatures must be present.
If 'group' is specified, all signatures must be by keys that belong to a
defined gpg alias group.
### Assumptions ### Assumptions
- Single sig mode: Folder contents controlled by signer - Single sig mode: Repo contents controlled by signer
- Multi-sig mode: Folder contents verified by multiple signers - Multi-sig mode: Repo contents verified by multiple signers
- Multi-sig group mode: Folder contents approved by specified individuals - Multi-sig group mode: Repo contents approved by specified individuals
- Hashing scheme for respective backend is not broken - Hashing scheme for respective backend is not broken: (sha256)
- Git: sha1
- Detached: sha256
## Examples ## Examples
#### Verify 1 signature via Detached and Git methods #### Verify at least one signature is present with a known key
``` ```
sig verify sig verify
``` ```
#### Verify 2 unique signatures via Detached and Git methods #### Verify 2 unique signatures from known keys
``` ```
sig verify --threshold 2 sig verify --threshold 2
``` ```
#### Verify 3 unique signatures from specified signing group via Git method #### Verify 3 unique signatures from specified signing group
``` ```
sig verify --threshold 3 --group myteam --method git sig verify --threshold 3 --group myteam
``` ```
#### Verify 2 unique signatures via detached method and diff on failure #### Add signature
```
sig verify --threshold 2 --diff master --method detached
```
#### Add Detached Signature
``` ```
sig add sig add
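Review bot: the Assumptions line now reads "Hashing scheme for respective backend is not broken: (sha256)", but the removed lines directly below it said `Git: sha1`, and git remains the only backend after this change; unless the tool requires a sha256 object-format repository, this should say sha1 (or both, depending on the repository's object format). The removed "## Behavior" paragraph is also the only place that documented what `--threshold` and `--group` mean, and both options survive in the Usage hunk above; keep those two sentences under the Git method instead of dropping them with the Detached section.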