add README

Lance Vick 2020-11-16 04:21:30 -08:00
parent 4e2f70af46
commit 316552e417
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
4 changed files with 115 additions and 14 deletions


@ -1,16 +1,16 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+yZBsACgkQjkeh7DWh iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+ybrMACgkQjkeh7DWh
VR2DqA/9FIc1IgqyiwL3+kA5SnfHDC73WdKLP0g2SZbdwxhlW4ZZCgiEKBRcUZte VR2SLQ/9GvI+oEB6ZbnI0MZNGbei5mpZoqkXrLS53rWF23/W+1ZqZpUjj7dFGHNx
4fVop+fR9GNEZmqNlUHUe4ijBnpcW+xgAu2EenGxdmDjQitnMs8ujnbRMp1ug1QE BIHmYMFZV4BYmMzw9UUyzX0X3lHpV41GSKV27NC3ngQGE0YJNRWjqYdcCdHE5gwN
Qj9yDiDmOuOHAfuv3s2z/Vx2XFunn/XxE5vzgkzwb99LxcafOC+zyNzKfc3hpZ5W y6r3IA4ANzuC44sCcFTDh9yaEt7fTnfDL1BqvppX1DOzUukPnbNxJ21elLM9FDEZ
YjP7KI/q6w7QFN6qRjoRvbYKQjXuMENkt1NR7fKFXnnFPWq58tWtcjM5DP89p9wD M3EEwQJ6NwGOC17PmCD28/rwVZNjUe2LYkMQEDHd1+2ssC1g1kMOee7EdQG56/Zh
HOmEMSWwQlmSB7tIvoqshpLGYVyjLHCADIwsXutoSl0XPOgvtAkm/DO5ud8sWIgh 1gs3eB5eBHhAmBBmx/mRUT8BiBYv7dKyzGSvC366afPrkBDXalAn9RQUU10sZFf6
NM0eruBqz9tVc0mUyrm6UXRLIfbnGBtOp6zqGPHLwdxPLYsVg+9VG7/XiHkILjHP P55wYDBrXu2aEKJ5n8AdTpiHUZ5zRwaSU1hPwXLZuhAFeZovSHT6LbFs4z2YLe0H
rEJQrWnbg1vfmfHrLK6qc6rZjlxTmmk+ZN5JwZwLbBjCn4oGO7sjIQNjTD2F8VeA wWT5aRJ3rp5C3kA3LMJvO/mHmGYoyTzvlMBcgB2E3gKuUVg1yg0vc/af5H29wyEx
p8O7p9GZCej4aS9j14RHMd/j7kLFHA0Kffu6D4djfXyZmV8aK9fdMZ6bZowHRxud 1CylAtWIgAQz9t+kybG1QWq5qfnVLN5M37I6mjXUhmrfiC26S25k8wdDt/CQvf4e
66/XdI/jLJsjt/oYMPMaoez9htD31XYOLBXf7BuX+8xjBpw2J9dKLXs5XOJQ1VGC J+yMeKsRDg1XaImH34cQpbD0ycLMfr8KZmLJHmiXoDn8ViELFqoa81UlvwXmKDOC
UM8JgzROwWcDHaJxw5hwwJIDDYE50nnndJRMCKr6ElnYq29KEY87b3R/21F8CXgH C0hjnDvgNgHV75iDTKFMXZjfRwe5y1ZXeRLRaUyysZt3MlUTCyMvkysWdbiqyv+G
Bh+LBgH7NMpg4x8zkTFdZwsAYMCsiHzkFOisDG2IKjoq7NkAXGU= 7rO3OKYwXun3HBQpwwFU0ZEBgcY1rHnzVwQoGz8vnkawGIp5fXQ=
=0W8T =opFX
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----


@ -1,2 +1,2 @@
64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore 64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
03bc3d3bbd3a4831a7d8b05c42fa1404c6672a15f7d749765a96bb725c1a4752 sig b470a31ed13fb1177a0ffae1872f3e24f9aa8292090f4d838ad2a4bc639f8404 sig
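Review bot: the manifest in this hunk still lists only `.gitignore` and `sig`, so the `README.md` added in this commit is not covered by the regenerated detached signature in the hunk above. The README states that the tool uses git for the file listing when available, so the likely cause is that `sig add` was run before `README.md` was staged; re-run `sig add` after `git add README.md` (or make the listing include untracked files) so the signed manifest matches the tree being committed.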

README.md (new file, 99 lines added)

@ -0,0 +1,99 @@
# Sig #
The simple GPG signature toolchain for directories or git repos.
## Features
* Generate sha256 manifest for all files in directory
* Use git for listing if available
* Add detached signatures to manifest
* Verify manifest has a minimum threshold of unique detached signatures
* Verify git history contains a minimum threshold of unique commit siguatures
* Verify signatures belong to a defined GPG alias group
## Install
1. Clone
```
git clone git@gitlab.com/pchq/sig.git sig
```
2. Manually verify
```
for file in .sig/*.asc; do gpg --verify $file .sig/manifest.txt; done
gpg log --show-signature
less sig
```
3. Self verify
```
./sig verify --threshold 3
```
4. Copy to $PATH
```
cp sig ~/.local/bin/
```
## Methods
### Git
This method verifies a git repo contains signed commits by one or more authors.
If 'threshold' is specified, it searches history until enough unique signatures
are found to satisify the threshold, ensuring all commits between are signed.
If 'group' is specified, all signatures must be by keys that belong to a
defined gpg alias group.
Note: this only proves the history had multiple participants, but not that
the current HEAD was verified by all participants.
#### Assumptions
- Single sig mode: Repo HEAD controlled by signer
- Multi-sig mode: Repo has contributions from multiple individuals
- Multi-sig group mode: Repo has contributions from specified individuals
- Sha1 is not broken
### Detached
This method verifies the state of this folder was signed exactly as-is by one
or more authors.
If 'threshold' is specified, then that number of signatures must be present.
If 'group' is specified, all signatures must be by keys that belong to a
defined gpg alias group.
#### Assumptions
- Single sig mode: Folder contents controlled by signer
- Multi-sig mode: Folder contents verified by multiple signers
- Multi-sig group mode: Folder contents approved by specified individuals
- Sha256 is not broken
## Usage
### Verify 1 signature via Detached and Git methods
```
sig verify
```
### Verify 2 unique signatures via Detached and Git methods
```
sig verify --threshold 2
```
### Verify 3 unique signatures from specified signing group via Git method
```
sig verify --threshold 2 --group myteam --method git
```
### Add Detached Signature
```
sig add
```
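Review bot: the "Manually verify" step in the Install section runs `gpg log --show-signature`, which is not a gpg subcommand; it should read `git log --show-signature`, since the commit signatures are what is being checked there. In the same section the clone URL `git@gitlab.com/pchq/sig.git` uses a slash after the host, which git treats as a local path; the scp-style form is `git@gitlab.com:pchq/sig.git`. Under Usage, the heading "Verify 3 unique signatures from specified signing group via Git method" is followed by `sig verify --threshold 2 --group myteam --method git`, so either the heading or the `--threshold` value needs to change. Typos: "siguatures" in the Features list and "satisify" in the Git method description.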

sig (2 lines added)

@ -110,6 +110,7 @@ get_files(){
fi fi
} }
### Get signer name/email from key fingerprint
get_signer(){ get_signer(){
local fingerprint="${1?}" local fingerprint="${1?}"
gpg \ gpg \
@ -177,6 +178,7 @@ verify_git(){
local sig_count=0 local sig_count=0
local seen_fingerprints="" local seen_fingerprints=""
local depth=0 local depth=0
#TODO: implement group validation
while [[ $depth != "$(git rev-list --count HEAD)" ]]; do while [[ $depth != "$(git rev-list --count HEAD)" ]]; do
ref=HEAD~${depth} ref=HEAD~${depth}
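Review bot: the `#TODO: implement group validation` added to `verify_git` means `--group` is not enforced for the git method, while the README added in this commit states that when 'group' is specified all git-method signatures must belong to the gpg alias group. Until the check exists, `verify_git` should fail (or at minimum warn) when a group is passed rather than silently accepting any signer, and the README should mark group checking as Detached-only so readers do not rely on a guarantee the code does not yet provide.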