From eafc8c95d33639ffca5d8ceddc2bb08ef1f255b2 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Wed, 29 Mar 2023 15:33:28 -0700
Subject: [PATCH] rename to git-sig and default to git integration
---
 README.md | 66 +++++++++++++++++++---------------
 sig => git-sig | 28 ++++++++-------
 test/test.bats | 82 +++++++++++++++++++++----------------------
 test/test_helper.bash | 2 +-
 4 files changed, 94 insertions(+), 84 deletions(-)
 rename sig => git-sig (96%)
diff --git a/README.md b/README.md
index b9888ec..5df4579 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@ -# sig # +# git-sig # -The simple code signature toolchain for git repos. +The simple multisig toolchain for git repos. ## Features
@@ -10,7 +10,7 @@ The simple code signature toolchain for git repos. * Verify code changes made since last time minimum valid signatures were present * Allow user to manually verify new keys and add to alias groups on the fly * Prompt user to install or upgrade any required tools as needed - * Signs aginst git agnostic "tree hash" so signatures survive rebases + * Signs notes against git "tree hash" so signatures survive a rebase * So long as the directory contents at a given ref do not change ## Install
@@ -18,12 +18,13 @@ The simple code signature toolchain for git repos. 1. Clone ``` - git clone git@gitlab.com/pchq/sig.git sig + git clone https://codeberg.org/distrust/git-sig.git ``` 2. Review source code and signatures manually - Using `sig` to verify the signatures of `sig` itself is not recommended. + Using `git-sig` to verify the signatures of `git-sig` itself is not + recommended as it could simply lie to you. Consider using the following one liner which is much faster to review: ``` 
@@ -37,68 +38,75 @@ The simple code signature toolchain for git repos. 3. Copy to `$PATH` ``` - cp sig ~/.local/bin/ + cp git-sig ~/.local/bin/ ``` ## Usage -* sig verify [-g,--group=] [-t,--threshold=] [-r,--ref= ] [-d,--diff=] - * Verify m-of-n signatures by given group are present for a given git ref. -* sig add - * Add signature to this git ref -* sig fetch [-g,--group=] - * Fetch key by fingerprint. Optionally add to group. -* sig help - * Show help text. -* sig version - * Show version information. +``` +git sig add [-m,--method=] [-p,--push] + Add signature for this repository +git sig remove + Remove all signatures on current ref +git sig verify [-g,--group=] [-t,--threshold=] [d,--diff=] + Verify m-of-n signatures by given group are present for directory. +git sig push [-r,--remote=] + Push all signatures on current ref +git sig fetch [-g,--group=] + Fetch key by fingerprint. Optionally add to group. +git sig help + Show this text. +git sig version + Show version information. +``` ## Methods -### Git - -This method verifies the current HEAD was signed exactly as-is by one or more -keys. - -This counts the commit signature, and any number of signed tags pointing at -this ref. 
+* Note + * Store/Verify signatures via Git Notes (default) + * Can be exported and verified by external tools even without git history +* Tag + * Any git signed tags count towards total signatures + * Can optionally store new signatures as "sig-*" signed tag +* Commit + * Signed commits count as one valid signature ### Assumptions - Single sig mode: Repo contents controlled by signer - Multi-sig mode: Repo contents verified by multiple signers - Multi-sig group mode: Repo contents approved by specified individuals - - Hashing scheme for respective backend is not broken: (sha256) + - Hashing scheme is not broken: (SHA1, blame Torvalds) ## Examples #### Verify at least one signature is present with a known key ``` -sig verify +git sig verify ``` #### Verify 2 unique signatures from known keys ``` -sig verify --threshold 2 +git sig verify --threshold 2 ``` #### Verify 3 unique signatures from specified signing group ``` -sig verify --threshold 3 --group myteam +git sig verify --threshold 3 --group myteam ``` #### Show diff between HEAD and last ref with 2 verified unique signatures ``` -sig verify --threshold 2 --diff +git sig verify --threshold 2 --diff ``` #### Add signature ``` -sig add +git sig add ``` ## Frequently Asked Questions
diff --git a/sig b/git-sig
similarity index 96%
rename from sig
rename to git-sig
index 4e55117..46d4c01 100755
--- a/sig
+++ b/git-sig
@@ -563,13 +563,13 @@ cmd_push() { cmd_version() { cat <<-_EOF - ============================================== - = sig: simple multisig trust toolchain = - = = - = v0.2 = - = = - = https://github.com/distrust-foundation/sig = - ============================================== + ========================================== + = git-sig: multisig trust for git = + = = + = v0.3 = + = = + = https://codeberg.org/distrust/git-sig = + ========================================== _EOF } 
@@ -577,17 +577,19 @@ cmd_usage() { cmd_version cat <<-_EOF Usage: - $PROGRAM add [-m,--method=] [-p,--push] + git sig add [-m,--method=] [-p,--push] Add signature for this repository - $PROGRAM remove + git sig remove Remove all signatures on current ref - $PROGRAM verify [-g,--group=] [-t,--threshold=] [d,--diff=] + git sig verify [-g,--group=] [-t,--threshold=] [d,--diff=] Verify m-of-n signatures by given group are present for directory. - $PROGRAM fetch [-g,--group=] + git sig push [-r,--remote=] + Push all signatures on current ref + git sig fetch [-g,--group=] Fetch key by fingerprint. Optionally add to group. - $PROGRAM help + git sig help Show this text. - $PROGRAM version + git sig version Show version information. _EOF }
diff --git a/test/test.bats b/test/test.bats
index 9de1018..a8aff49 100644
--- a/test/test.bats
+++ b/test/test.bats
@@ -1,38 +1,38 @@ load test_helper @test "Outputs help if run without arguments" { - run sig + run git-sig [ "$status" -eq 0 ] - echo "${output}" | grep "simple multisig trust toolchain" + echo "${output}" | grep "multisig trust for git" } @test "Outputs help if run with help" { - run sig help + run git-sig help [ "$status" -eq 0 ] - echo "${output}" | grep "simple multisig trust toolchain" + echo "${output}" | grep "multisig trust for git" } @test "Outputs version if run with version" { - run sig version + run git-sig version [ "$status" -eq 0 ] - echo "${output}" | grep "v0.2" + echo "${output}" | grep "v0.3" } @test "Outputs advice to install missing openssl" { sudo rm /usr/bin/openssl - run sig version + run git-sig version echo "${output}" | grep "apt install openssl" } @test "Outputs advice to install missing gpg" { sudo rm /usr/bin/gpg - run sig version + run git-sig version echo "${output}" | grep "apt install gnupg" } @test "Outputs advice to install missing getopt" { sudo rm /usr/bin/getopt - run sig version + run git-sig version echo "${output}" | grep "apt install getopt" } 
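Review bot: The new `git sig verify` usage line in cmd_usage still carries the typo `[d,--diff=]` (missing dash) and no longer lists `--ref`, although the bats tests in this same commit run `git-sig verify --threshold 2 --ref HEAD~1` and `--ref master`, and the old README usage listed it as `[-r,--ref= ]`; suggest `git sig verify [-g,--group=] [-t,--threshold=] [-r,--ref=] [-d,--diff]` (the tests pass `--diff` without a value, so the trailing `=` looks wrong as well, though the getopt definition is outside this diff). The identical line was added to the Usage block of README.md. Replacing `$PROGRAM` with a literal `git sig` also means the help names a subcommand the user may not be invoking when the script is run directly as `git-sig`, which is how test.bats and the README install step call it. cmd_usage's opening line is the hunk's context trailer, so the function starts just before the hunk.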
@@ -43,26 +43,26 @@ load test_helper git add . git commit -m "initial commit" echo "dirty" > somefile - run sig verify + run git-sig verify [ "$status" -eq 1 ] } @test "Exit 1 if git method requested but not a repo" { - run sig verify + run git-sig verify [ "$status" -eq 1 ] } -@test "Verify succeeds when 1 unique git sig requirement is satisfied" { +@test "Verify succeeds when 1 unique git git-sig requirement is satisfied" { set_identity "user1" echo "test string" > somefile git init git add . git commit -m "initial commit" - run sig verify + run git-sig verify [ "$status" -eq 0 ] } -@test "Verify succeeds when 3 unique git sig requirement is satisfied" { +@test "Verify succeeds when 3 unique git git-sig requirement is satisfied" { git init set_identity "user1" echo "test string 1" > somefile1 
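Review bot: The renamed test descriptions in this hunk now read `Verify succeeds when 1 unique git git-sig requirement is satisfied` and `... 3 unique git git-sig requirement ...`, which looks like the mechanical `sig` to `git-sig` substitution also hit the word "sig" inside "git sig"; the descriptions should read `1 unique git-sig requirement` (or keep `git sig`). The same doubled phrase appears in the four `@test` lines renamed in the following hunk (@@ -70,60). Only the description strings are affected, so no test behaviour changes.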
@@ -70,60 +70,60 @@ load test_helper git commit -m "user1 commit" set_identity "user2" git log - sig add + git-sig add set_identity "user3" - sig add - run sig verify --threshold 3 + git-sig add + run git-sig verify --threshold 3 [ "$status" -eq 0 ] } -@test "Verify fails when 2 unique git sig requirement is not satisfied" { +@test "Verify fails when 2 unique git git-sig requirement is not satisfied" { git init set_identity "user1" echo "test string 1" > somefile1 git add . git commit -m "user1 commit" - sig add - run sig verify --threshold 2 + git-sig add + run git-sig verify --threshold 2 [ "$status" -eq 1 ] } -@test "Verify succeeds when 1 group git sig requirement is satisifed" { +@test "Verify succeeds when 1 group git git-sig requirement is satisifed" { set_identity "user1" echo "test string" > somefile git init git add . git commit -m "initial commit" - sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0 - run sig verify --group maintainers + git-sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0 + run git-sig verify --group maintainers [ "$status" -eq 0 ] } -@test "Verify succeeds when 3 group git sig requirement is satisifed" { +@test "Verify succeeds when 3 group git git-sig requirement is satisifed" { set_identity "user1" echo "test string" > somefile1 git init git add . 
git commit -m "User 1 Commit" set_identity "user2" - sig add + git-sig add set_identity "user3" - sig add - sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0 - sig fetch --group maintainers BE4D60F6CFD2237A8AF978583C51CADD33BD0EE8 - sig fetch --group maintainers 3E45AC9E190B4EE32BAE9F61A331AFB540761D69 - run sig verify --threshold 3 --group maintainers + git-sig add + git-sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0 + git-sig fetch --group maintainers BE4D60F6CFD2237A8AF978583C51CADD33BD0EE8 + git-sig fetch --group maintainers 3E45AC9E190B4EE32BAE9F61A331AFB540761D69 + run git-sig verify --threshold 3 --group maintainers [ "$status" -eq 0 ] } -@test "Verify fails when 2 group git sig requirement is not satisifed" { +@test "Verify fails when 2 group git git-sig requirement is not satisifed" { set_identity "user1" echo "test string" > somefile git init git add . git commit -m "initial commit" - sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0 - run sig verify --threshold 2 --group maintainers + git-sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0 + run git-sig verify --threshold 2 --group maintainers [ "$status" -eq 1 ] }
@@ -136,14 +136,14 @@ load test_helper git commit -m "User 1 Commit" set_identity "user2" - sig add + git-sig add set_identity "user1" echo "updated test string" > somefile1 git add . git commit -m "User 1 Update Commit" - run sig verify --threshold 2 --ref HEAD~1 + run git-sig verify --threshold 2 --ref HEAD~1 [ "$status" -eq 0 ] }
@@ -156,7 +156,7 @@ load test_helper git commit -m "User 1 Commit" set_identity "user2" - sig add + git-sig add set_identity "user1" git checkout -b feature_branch
@@ -164,7 +164,7 @@ load test_helper git add . git commit -m "User 1 Update Commit" - run sig verify --diff --ref master --threshold 2 + run git-sig verify --diff --ref master --threshold 2 [ "$status" -eq 0 ] echo "${output}" | grep "updated test string" } 
@@ -178,10 +178,10 @@ load test_helper git commit -m "User 1 Commit 1" set_identity "user2" - sig add + git-sig add set_identity "user3" - sig add + git-sig add set_identity "user1" echo "test string 2" > testfile
@@ -189,7 +189,7 @@ load test_helper git commit -m "User 1 Commit 2" set_identity "user2" - sig add + git-sig add set_identity "user1" git checkout -b feature_branch
@@ -197,7 +197,7 @@ load test_helper git add . git commit -m "User 1 Commit 3" - run sig verify --diff --threshold 3 + run git-sig verify --diff --threshold 3 [ "$status" -eq 0 ] echo "${output}" | grep "updated test string" }
diff --git a/test/test_helper.bash b/test/test_helper.bash
index 0e88225..90667bf 100644
--- a/test/test_helper.bash
+++ b/test/test_helper.bash
@@ -8,7 +8,7 @@ setup(){ bin_dir=/tmp/bin temp_dir=$(mktemp -d -t test-XXXXXXXXXX) mkdir -p /tmp/bin - ln -sfn /home/test/sig/sig /tmp/bin/sig + ln -sfn /home/test/sig/git-sig /tmp/bin/git-sig export PATH=${bin_dir}:${PATH} cd "$temp_dir" || return 1 rm -rf ~/.gnupg
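Review bot: `ln -sfn /home/test/sig/git-sig /tmp/bin/git-sig` still points into a checkout directory named `sig`, while the README in this commit now clones the repository as `git-sig`; if the test image checks the tree out under the new name the link dangles and every `run git-sig` test fails with command-not-found instead of on a signature check. The container build that creates `/home/test/sig` is not part of this diff, so the old path may be intentional; if so, a comment such as `# repo is mounted at /home/test/sig regardless of the project rename` on that line would save the next reader the question. setup() begins before this hunk.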