rename to git-sig and default to git integration

README.md

@@ -1,6 +1,6 @@
-# sig #
+# git-sig #
 
-The simple code signature toolchain for git repos.
+The simple multisig toolchain for git repos.
 
 ## Features
 
@@ -10,7 +10,7 @@ The simple code signature toolchain for git repos.
   * Verify code changes made since last time minimum valid signatures were present
   * Allow user to manually verify new keys and add to alias groups on the fly
   * Prompt user to install or upgrade any required tools as needed
-  * Signs aginst git agnostic "tree hash" so signatures survive rebases
+  * Signs notes against git "tree hash" so signatures survive a rebase
     * So long as the directory contents at a given ref do not change
 
 ## Install
@@ -18,12 +18,13 @@ The simple code signature toolchain for git repos.
   1. Clone
 
       ```
-      git clone git@gitlab.com/pchq/sig.git sig
+      git clone https://codeberg.org/distrust/git-sig.git
       ```
 
   2. Review source code and signatures manually
 
-      Using `sig` to verify the signatures of `sig` itself is not recommended.
+      Using `git-sig` to verify the signatures of `git-sig` itself is not
+      recommended as it could simply lie to you.
 
       Consider using the following one liner which is much faster to review:
       ```
@@ -37,68 +38,75 @@ The simple code signature toolchain for git repos.
   3. Copy to `$PATH`
 
       ```
-      cp sig ~/.local/bin/
+      cp git-sig ~/.local/bin/
       ```
 
 ## Usage
 
-* sig verify [-g,--group=<group>] [-t,--threshold=<N>] [-r,--ref=<ref> ] [-d,--diff=<branch>]
-  * Verify m-of-n signatures by given group are present for a given git ref.
-* sig add
-  * Add signature to this git ref
-* sig fetch [-g,--group=<group>]
-  * Fetch key by fingerprint. Optionally add to group.
-* sig help
-  * Show help text.
-* sig version
-  * Show version information.
+```
+git sig add [-m,--method=<note|tag>] [-p,--push]
+    Add signature for this repository
+git sig remove
+    Remove all signatures on current ref
+git sig verify [-g,--group=<group>] [-t,--threshold=<N>] [d,--diff=<branch>]
+    Verify m-of-n signatures by given group are present for directory.
+git sig push [-r,--remote=<remote>]
+    Push all signatures on current ref
+git sig fetch [-g,--group=<group>]
+    Fetch key by fingerprint. Optionally add to group.
+git sig help
+    Show this text.
+git sig version
+	Show version information.
+```
 
 ## Methods
 
-### Git
-
-This method verifies the current HEAD was signed exactly as-is by one or more
-keys.
-
-This counts the commit signature, and any number of signed tags pointing at
-this ref.
+* Note
+    * Store/Verify signatures via Git Notes (default)
+    * Can be exported and verified by external tools even without git history
+* Tag
+    * Any git signed tags count towards total signatures
+    * Can optionally store new signatures as "sig-*" signed tag
+* Commit
+    * Signed commits count as one valid signature
 
 ### Assumptions
   - Single sig mode: Repo contents controlled by signer
   - Multi-sig mode: Repo contents verified by multiple signers
   - Multi-sig group mode: Repo contents approved by specified individuals
-  - Hashing scheme for respective backend is not broken: (sha256)
+  - Hashing scheme is not broken: (SHA1, blame Torvalds)
 
 ## Examples
 
 #### Verify at least one signature is present with a known key
 
 ```
-sig verify
+git sig verify
 ```
 
 #### Verify 2 unique signatures from known keys
 
 ```
-sig verify --threshold 2
+git sig verify --threshold 2
 ```
 
 #### Verify 3 unique signatures from specified signing group
 
 ```
-sig verify --threshold 3 --group myteam
+git sig verify --threshold 3 --group myteam
 ```
 
 #### Show diff between HEAD and last ref with 2 verified unique signatures
 
 ```
-sig verify --threshold 2 --diff
+git sig verify --threshold 2 --diff
 ```
 
 #### Add signature
 
 ```
-sig add
+git sig add
 ```
 
 ## Frequently Asked Questions

git-sig

@@ -563,13 +563,13 @@ cmd_push() {
 
 cmd_version() {
 	cat <<-_EOF
-	==============================================
-	=  sig: simple multisig trust toolchain      =
-	=                                            =
-	=                  v0.2                      =
-	=                                            =
-	= https://github.com/distrust-foundation/sig =
-	==============================================
+	==========================================
+	=    git-sig: multisig trust for git     =
+	=                                        =
+	=                  v0.3                  =
+	=                                        =
+	= https://codeberg.org/distrust/git-sig  =
+	==========================================
 	_EOF
 }
 
@@ -577,17 +577,19 @@ cmd_usage() {
 	cmd_version
 	cat <<-_EOF
 	Usage:
-	    $PROGRAM add [-m,--method=<note|tag>] [-p,--push]
+	    git sig add [-m,--method=<note|tag>] [-p,--push]
 	        Add signature for this repository
-	    $PROGRAM remove
+	    git sig remove
 	        Remove all signatures on current ref
-	    $PROGRAM verify [-g,--group=<group>] [-t,--threshold=<N>] [d,--diff=<branch>]
+	    git sig verify [-g,--group=<group>] [-t,--threshold=<N>] [d,--diff=<branch>]
 	        Verify m-of-n signatures by given group are present for directory.
-	    $PROGRAM fetch [-g,--group=<group>]
+	    git sig push [-r,--remote=<remote>]
+	        Push all signatures on current ref
+	    git sig fetch [-g,--group=<group>]
 	        Fetch key by fingerprint. Optionally add to group.
-	    $PROGRAM help
+	    git sig help
 	        Show this text.
-	    $PROGRAM version
+	    git sig version
 	        Show version information.
 	_EOF
 }

test/test.bats

@@ -1,38 +1,38 @@
 load test_helper
 
 @test "Outputs help if run without arguments" {
-	run sig
+	run git-sig
 	[ "$status" -eq 0 ]
-	echo "${output}" | grep "simple multisig trust toolchain"
+	echo "${output}" | grep "multisig trust for git"
 }
 
 @test "Outputs help if run with help" {
-	run sig help
+	run git-sig help
 	[ "$status" -eq 0 ]
-	echo "${output}" | grep "simple multisig trust toolchain"
+	echo "${output}" | grep "multisig trust for git"
 }
 
 @test "Outputs version if run with version" {
-	run sig version
+	run git-sig version
 	[ "$status" -eq 0 ]
-	echo "${output}" | grep "v0.2"
+	echo "${output}" | grep "v0.3"
 }
 
 @test "Outputs advice to install missing openssl" {
 	sudo rm /usr/bin/openssl
-	run sig version
+	run git-sig version
 	echo "${output}" | grep "apt install openssl"
 }
 
 @test "Outputs advice to install missing gpg" {
 	sudo rm /usr/bin/gpg
-	run sig version
+	run git-sig version
 	echo "${output}" | grep "apt install gnupg"
 }
 
 @test "Outputs advice to install missing getopt" {
 	sudo rm /usr/bin/getopt
-	run sig version
+	run git-sig version
 	echo "${output}" | grep "apt install getopt"
 }
 
@@ -43,26 +43,26 @@ load test_helper
 	git add .
 	git commit -m "initial commit"
 	echo "dirty" > somefile
-	run sig verify
+	run git-sig verify
 	[ "$status" -eq 1 ]
 }
 
 @test "Exit 1 if git method requested but not a repo" {
-	run sig verify
+	run git-sig verify
 	[ "$status" -eq 1 ]
 }
 
-@test "Verify succeeds when 1 unique git sig requirement is satisfied" {
+@test "Verify succeeds when 1 unique git git-sig requirement is satisfied" {
 	set_identity "user1"
 	echo "test string" > somefile
 	git init
 	git add .
 	git commit -m "initial commit"
-	run sig verify
+	run git-sig verify
 	[ "$status" -eq 0 ]
 }
 
-@test "Verify succeeds when 3 unique git sig requirement is satisfied" {
+@test "Verify succeeds when 3 unique git git-sig requirement is satisfied" {
 	git init
 	set_identity "user1"
 	echo "test string 1" > somefile1
@@ -70,60 +70,60 @@ load test_helper
 	git commit -m "user1 commit"
 	set_identity "user2"
 	git log
-	sig add
+	git-sig add
 	set_identity "user3"
-	sig add
-	run sig verify --threshold 3
+	git-sig add
+	run git-sig verify --threshold 3
 	[ "$status" -eq 0 ]
 }
 
-@test "Verify fails when 2 unique git sig requirement is not satisfied" {
+@test "Verify fails when 2 unique git git-sig requirement is not satisfied" {
 	git init
 	set_identity "user1"
 	echo "test string 1" > somefile1
 	git add .
 	git commit -m "user1 commit"
-	sig add
-	run sig verify --threshold 2
+	git-sig add
+	run git-sig verify --threshold 2
 	[ "$status" -eq 1 ]
 }
 
-@test "Verify succeeds when 1 group git sig requirement is satisifed" {
+@test "Verify succeeds when 1 group git git-sig requirement is satisifed" {
 	set_identity "user1"
 	echo "test string" > somefile
 	git init
 	git add .
 	git commit -m "initial commit"
-	sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0
-	run sig verify --group maintainers
+	git-sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0
+	run git-sig verify --group maintainers
 	[ "$status" -eq 0 ]
 }
 
-@test "Verify succeeds when 3 group git sig requirement is satisifed" {
+@test "Verify succeeds when 3 group git git-sig requirement is satisifed" {
 	set_identity "user1"
 	echo "test string" > somefile1
 	git init
 	git add .
 	git commit -m "User 1 Commit"
 	set_identity "user2"
-	sig add
+	git-sig add
 	set_identity "user3"
-	sig add
-	sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0
-	sig fetch --group maintainers BE4D60F6CFD2237A8AF978583C51CADD33BD0EE8
-	sig fetch --group maintainers 3E45AC9E190B4EE32BAE9F61A331AFB540761D69
-	run sig verify --threshold 3 --group maintainers
+	git-sig add
+	git-sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0
+	git-sig fetch --group maintainers BE4D60F6CFD2237A8AF978583C51CADD33BD0EE8
+	git-sig fetch --group maintainers 3E45AC9E190B4EE32BAE9F61A331AFB540761D69
+	run git-sig verify --threshold 3 --group maintainers
 	[ "$status" -eq 0 ]
 }
 
-@test "Verify fails when 2 group git sig requirement is not satisifed" {
+@test "Verify fails when 2 group git git-sig requirement is not satisifed" {
 	set_identity "user1"
 	echo "test string" > somefile
 	git init
 	git add .
 	git commit -m "initial commit"
-	sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0
-	run sig verify --threshold 2 --group maintainers
+	git-sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0
+	run git-sig verify --threshold 2 --group maintainers
 	[ "$status" -eq 1 ]
 }
 
@@ -136,14 +136,14 @@ load test_helper
 	git commit -m "User 1 Commit"
 
 	set_identity "user2"
-	sig add
+	git-sig add
 
 	set_identity "user1"
 	echo "updated test string" > somefile1
 	git add .
 	git commit -m "User 1 Update Commit"
 
-	run sig verify --threshold 2 --ref HEAD~1
+	run git-sig verify --threshold 2 --ref HEAD~1
 	[ "$status" -eq 0 ]
 }
 
@@ -156,7 +156,7 @@ load test_helper
 	git commit -m "User 1 Commit"
 
 	set_identity "user2"
-	sig add
+	git-sig add
 
 	set_identity "user1"
 	git checkout -b feature_branch
@@ -164,7 +164,7 @@ load test_helper
 	git add .
 	git commit -m "User 1 Update Commit"
 
-	run sig verify --diff --ref master --threshold 2
+	run git-sig verify --diff --ref master --threshold 2
 	[ "$status" -eq 0 ]
 	echo "${output}" | grep "updated test string"
 }
@@ -178,10 +178,10 @@ load test_helper
 	git commit -m "User 1 Commit 1"
 
 	set_identity "user2"
-	sig add
+	git-sig add
 
 	set_identity "user3"
-	sig add
+	git-sig add
 
 	set_identity "user1"
 	echo "test string 2" > testfile
@@ -189,7 +189,7 @@ load test_helper
 	git commit -m "User 1 Commit 2"
 
 	set_identity "user2"
-	sig add
+	git-sig add
 
 	set_identity "user1"
 	git checkout -b feature_branch
@@ -197,7 +197,7 @@ load test_helper
 	git add .
 	git commit -m "User 1 Commit 3"
 
-	run sig verify --diff --threshold 3
+	run git-sig verify --diff --threshold 3
 	[ "$status" -eq 0 ]
 	echo "${output}" | grep "updated test string"
 }

test/test_helper.bash

@@ -8,7 +8,7 @@ setup(){
 	bin_dir=/tmp/bin
 	temp_dir=$(mktemp -d -t test-XXXXXXXXXX)
 	mkdir -p /tmp/bin
-	ln -sfn /home/test/sig/sig /tmp/bin/sig
+	ln -sfn /home/test/sig/git-sig /tmp/bin/git-sig
 	export PATH=${bin_dir}:${PATH}
 	cd "$temp_dir" || return 1
 	rm -rf ~/.gnupg