add README
This commit is contained in:
parent
4e2f70af46
commit
316552e417
|
@ -1,16 +1,16 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+yZBsACgkQjkeh7DWh
|
||||
VR2DqA/9FIc1IgqyiwL3+kA5SnfHDC73WdKLP0g2SZbdwxhlW4ZZCgiEKBRcUZte
|
||||
4fVop+fR9GNEZmqNlUHUe4ijBnpcW+xgAu2EenGxdmDjQitnMs8ujnbRMp1ug1QE
|
||||
Qj9yDiDmOuOHAfuv3s2z/Vx2XFunn/XxE5vzgkzwb99LxcafOC+zyNzKfc3hpZ5W
|
||||
YjP7KI/q6w7QFN6qRjoRvbYKQjXuMENkt1NR7fKFXnnFPWq58tWtcjM5DP89p9wD
|
||||
HOmEMSWwQlmSB7tIvoqshpLGYVyjLHCADIwsXutoSl0XPOgvtAkm/DO5ud8sWIgh
|
||||
NM0eruBqz9tVc0mUyrm6UXRLIfbnGBtOp6zqGPHLwdxPLYsVg+9VG7/XiHkILjHP
|
||||
rEJQrWnbg1vfmfHrLK6qc6rZjlxTmmk+ZN5JwZwLbBjCn4oGO7sjIQNjTD2F8VeA
|
||||
p8O7p9GZCej4aS9j14RHMd/j7kLFHA0Kffu6D4djfXyZmV8aK9fdMZ6bZowHRxud
|
||||
66/XdI/jLJsjt/oYMPMaoez9htD31XYOLBXf7BuX+8xjBpw2J9dKLXs5XOJQ1VGC
|
||||
UM8JgzROwWcDHaJxw5hwwJIDDYE50nnndJRMCKr6ElnYq29KEY87b3R/21F8CXgH
|
||||
Bh+LBgH7NMpg4x8zkTFdZwsAYMCsiHzkFOisDG2IKjoq7NkAXGU=
|
||||
=0W8T
|
||||
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+ybrMACgkQjkeh7DWh
|
||||
VR2SLQ/9GvI+oEB6ZbnI0MZNGbei5mpZoqkXrLS53rWF23/W+1ZqZpUjj7dFGHNx
|
||||
BIHmYMFZV4BYmMzw9UUyzX0X3lHpV41GSKV27NC3ngQGE0YJNRWjqYdcCdHE5gwN
|
||||
y6r3IA4ANzuC44sCcFTDh9yaEt7fTnfDL1BqvppX1DOzUukPnbNxJ21elLM9FDEZ
|
||||
M3EEwQJ6NwGOC17PmCD28/rwVZNjUe2LYkMQEDHd1+2ssC1g1kMOee7EdQG56/Zh
|
||||
1gs3eB5eBHhAmBBmx/mRUT8BiBYv7dKyzGSvC366afPrkBDXalAn9RQUU10sZFf6
|
||||
P55wYDBrXu2aEKJ5n8AdTpiHUZ5zRwaSU1hPwXLZuhAFeZovSHT6LbFs4z2YLe0H
|
||||
wWT5aRJ3rp5C3kA3LMJvO/mHmGYoyTzvlMBcgB2E3gKuUVg1yg0vc/af5H29wyEx
|
||||
1CylAtWIgAQz9t+kybG1QWq5qfnVLN5M37I6mjXUhmrfiC26S25k8wdDt/CQvf4e
|
||||
J+yMeKsRDg1XaImH34cQpbD0ycLMfr8KZmLJHmiXoDn8ViELFqoa81UlvwXmKDOC
|
||||
C0hjnDvgNgHV75iDTKFMXZjfRwe5y1ZXeRLRaUyysZt3MlUTCyMvkysWdbiqyv+G
|
||||
7rO3OKYwXun3HBQpwwFU0ZEBgcY1rHnzVwQoGz8vnkawGIp5fXQ=
|
||||
=opFX
|
||||
-----END PGP SIGNATURE-----
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
|
||||
03bc3d3bbd3a4831a7d8b05c42fa1404c6672a15f7d749765a96bb725c1a4752 sig
|
||||
b470a31ed13fb1177a0ffae1872f3e24f9aa8292090f4d838ad2a4bc639f8404 sig
|
||||
|
|
|
@ -0,0 +1,99 @@
|
|||
# Sig #
|
||||
|
||||
The simple GPG signature toolchain for directories or git repos.
|
||||
|
||||
## Features
|
||||
|
||||
* Generate sha256 manifest for all files in directory
|
||||
* Use git for listing if available
|
||||
* Add detached signatures to manifest
|
||||
* Verify manifest has a minimum threshold of unique detached signatures
|
||||
* Verify git history contains a minimum threshold of unique commit siguatures
|
||||
* Verify signatures belong to a defined GPG alias group
|
||||
|
||||
## Install
|
||||
|
||||
1. Clone
|
||||
```
|
||||
git clone git@gitlab.com/pchq/sig.git sig
|
||||
```
|
||||
|
||||
2. Manually verify
|
||||
```
|
||||
for file in .sig/*.asc; do gpg --verify $file .sig/manifest.txt; done
|
||||
gpg log --show-signature
|
||||
less sig
|
||||
```
|
||||
|
||||
3. Self verify
|
||||
```
|
||||
./sig verify --threshold 3
|
||||
```
|
||||
|
||||
4. Copy to $PATH
|
||||
```
|
||||
cp sig ~/.local/bin/
|
||||
```
|
||||
|
||||
## Methods
|
||||
|
||||
### Git
|
||||
|
||||
This method verifies a git repo contains signed commits by one or more authors.
|
||||
|
||||
If 'threshold' is specified, it searches history until enough unique signatures
|
||||
are found to satisify the threshold, ensuring all commits between are signed.
|
||||
|
||||
If 'group' is specified, all signatures must be by keys that belong to a
|
||||
defined gpg alias group.
|
||||
|
||||
Note: this only proves the history had multiple participants, but not that
|
||||
the current HEAD was verified by all participants.
|
||||
|
||||
#### Assumptions
|
||||
- Single sig mode: Repo HEAD controlled by signer
|
||||
- Multi-sig mode: Repo has contributions from multiple individuals
|
||||
- Multi-sig group mode: Repo has contributions from specified individuals
|
||||
- Sha1 is not broken
|
||||
|
||||
### Detached
|
||||
|
||||
This method verifies the state of this folder was signed exactly as-is by one
|
||||
or more authors.
|
||||
|
||||
If 'threshold' is specified, then that number of signatures must be present.
|
||||
|
||||
If 'group' is specified, all signatures must be by keys that belong to a
|
||||
defined gpg alias group.
|
||||
|
||||
#### Assumptions
|
||||
- Single sig mode: Folder contents controlled by signer
|
||||
- Multi-sig mode: Folder contents verified by multiple signers
|
||||
- Multi-sig group mode: Folder contents approved by specified individuals
|
||||
- Sha256 is not broken
|
||||
|
||||
## Usage
|
||||
|
||||
### Verify 1 signature via Detached and Git methods
|
||||
|
||||
```
|
||||
sig verify
|
||||
```
|
||||
|
||||
### Verify 2 unique signatures via Detached and Git methods
|
||||
|
||||
```
|
||||
sig verify --threshold 2
|
||||
```
|
||||
|
||||
### Verify 3 unique signatures from specified signing group via Git method
|
||||
|
||||
```
|
||||
sig verify --threshold 2 --group myteam --method git
|
||||
```
|
||||
|
||||
### Add Detached Signature
|
||||
|
||||
```
|
||||
sig add
|
||||
```
|
2
sig
2
sig
|
@ -110,6 +110,7 @@ get_files(){
|
|||
fi
|
||||
}
|
||||
|
||||
### Get signer name/email from key fingerprint
|
||||
get_signer(){
|
||||
local fingerprint="${1?}"
|
||||
gpg \
|
||||
|
@ -177,6 +178,7 @@ verify_git(){
|
|||
local sig_count=0
|
||||
local seen_fingerprints=""
|
||||
local depth=0
|
||||
#TODO: implement group validation
|
||||
|
||||
while [[ $depth != "$(git rev-list --count HEAD)" ]]; do
|
||||
ref=HEAD~${depth}
|
||||
|
|
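Review bot: The `#TODO: implement group validation` line in verify_git means the git method accepts a group setting without enforcing it, while the README added in this same commit advertises `--group` for the git method; a verify run that reports success in that configuration is a silent false positive, so until the check exists verify_git should fail closed (non-zero return with a message on stderr) whenever a group was requested — the option handling is outside this hunk, so where that value is stored is inferred. In the same hunk `ref=HEAD~${depth}` is the only loop variable not declared with `local`, so it leaks into the caller's scope; add `local ref` next to `local depth=0`. The loop condition also re-runs `git rev-list --count HEAD` on every iteration; computing it once, `local total; total=$(git rev-list --count HEAD)` and `while [[ $depth != "$total" ]]; do`, keeps the history walk linear. verify_git's body starts and ends outside the hunk.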