rename to git-sig and default to git integration
This commit is contained in:
parent
72a7267a22
commit
eafc8c95d3
66
README.md
66
README.md
|
@ -1,6 +1,6 @@
|
|||
# sig #
|
||||
# git-sig #
|
||||
|
||||
The simple code signature toolchain for git repos.
|
||||
The simple multisig toolchain for git repos.
|
||||
|
||||
## Features
|
||||
|
||||
|
@ -10,7 +10,7 @@ The simple code signature toolchain for git repos.
|
|||
* Verify code changes made since last time minimum valid signatures were present
|
||||
* Allow user to manually verify new keys and add to alias groups on the fly
|
||||
* Prompt user to install or upgrade any required tools as needed
|
||||
* Signs aginst git agnostic "tree hash" so signatures survive rebases
|
||||
* Signs notes against git "tree hash" so signatures survive a rebase
|
||||
* So long as the directory contents at a given ref do not change
|
||||
|
||||
## Install
|
||||
|
@ -18,12 +18,13 @@ The simple code signature toolchain for git repos.
|
|||
1. Clone
|
||||
|
||||
```
|
||||
git clone git@gitlab.com/pchq/sig.git sig
|
||||
git clone https://codeberg.org/distrust/git-sig.git
|
||||
```
|
||||
|
||||
2. Review source code and signatures manually
|
||||
|
||||
Using `sig` to verify the signatures of `sig` itself is not recommended.
|
||||
Using `git-sig` to verify the signatures of `git-sig` itself is not
|
||||
recommended as it could simply lie to you.
|
||||
|
||||
Consider using the following one liner which is much faster to review:
|
||||
```
|
||||
|
@ -37,68 +38,75 @@ The simple code signature toolchain for git repos.
|
|||
3. Copy to `$PATH`
|
||||
|
||||
```
|
||||
cp sig ~/.local/bin/
|
||||
cp git-sig ~/.local/bin/
|
||||
```
|
||||
|
||||
## Usage
|
||||
|
||||
* sig verify [-g,--group=<group>] [-t,--threshold=<N>] [-r,--ref=<ref> ] [-d,--diff=<branch>]
|
||||
* Verify m-of-n signatures by given group are present for a given git ref.
|
||||
* sig add
|
||||
* Add signature to this git ref
|
||||
* sig fetch [-g,--group=<group>]
|
||||
* Fetch key by fingerprint. Optionally add to group.
|
||||
* sig help
|
||||
* Show help text.
|
||||
* sig version
|
||||
* Show version information.
|
||||
```
|
||||
git sig add [-m,--method=<note|tag>] [-p,--push]
|
||||
Add signature for this repository
|
||||
git sig remove
|
||||
Remove all signatures on current ref
|
||||
git sig verify [-g,--group=<group>] [-t,--threshold=<N>] [d,--diff=<branch>]
|
||||
Verify m-of-n signatures by given group are present for directory.
|
||||
git sig push [-r,--remote=<remote>]
|
||||
Push all signatures on current ref
|
||||
git sig fetch [-g,--group=<group>]
|
||||
Fetch key by fingerprint. Optionally add to group.
|
||||
git sig help
|
||||
Show this text.
|
||||
git sig version
|
||||
Show version information.
|
||||
```
|
||||
|
||||
## Methods
|
||||
|
||||
### Git
|
||||
|
||||
This method verifies the current HEAD was signed exactly as-is by one or more
|
||||
keys.
|
||||
|
||||
This counts the commit signature, and any number of signed tags pointing at
|
||||
this ref.
|
||||
* Note
|
||||
* Store/Verify signatures via Git Notes (default)
|
||||
* Can be exported and verified by external tools even without git history
|
||||
* Tag
|
||||
* Any git signed tags count towards total signatures
|
||||
* Can optionally store new signatures as "sig-*" signed tag
|
||||
* Commit
|
||||
* Signed commits count as one valid signature
|
||||
|
||||
### Assumptions
|
||||
- Single sig mode: Repo contents controlled by signer
|
||||
- Multi-sig mode: Repo contents verified by multiple signers
|
||||
- Multi-sig group mode: Repo contents approved by specified individuals
|
||||
- Hashing scheme for respective backend is not broken: (sha256)
|
||||
- Hashing scheme is not broken: (SHA1, blame Torvalds)
|
||||
|
||||
## Examples
|
||||
|
||||
#### Verify at least one signature is present with a known key
|
||||
|
||||
```
|
||||
sig verify
|
||||
git sig verify
|
||||
```
|
||||
|
||||
#### Verify 2 unique signatures from known keys
|
||||
|
||||
```
|
||||
sig verify --threshold 2
|
||||
git sig verify --threshold 2
|
||||
```
|
||||
|
||||
#### Verify 3 unique signatures from specified signing group
|
||||
|
||||
```
|
||||
sig verify --threshold 3 --group myteam
|
||||
git sig verify --threshold 3 --group myteam
|
||||
```
|
||||
|
||||
#### Show diff between HEAD and last ref with 2 verified unique signatures
|
||||
|
||||
```
|
||||
sig verify --threshold 2 --diff
|
||||
git sig verify --threshold 2 --diff
|
||||
```
|
||||
|
||||
#### Add signature
|
||||
|
||||
```
|
||||
sig add
|
||||
git sig add
|
||||
```
|
||||
|
||||
## Frequently Asked Questions
|
||||
|
|
|
@ -563,13 +563,13 @@ cmd_push() {
|
|||
|
||||
cmd_version() {
|
||||
cat <<-_EOF
|
||||
==============================================
|
||||
= sig: simple multisig trust toolchain =
|
||||
==========================================
|
||||
= git-sig: multisig trust for git =
|
||||
= =
|
||||
= v0.2 =
|
||||
= v0.3 =
|
||||
= =
|
||||
= https://github.com/distrust-foundation/sig =
|
||||
==============================================
|
||||
= https://codeberg.org/distrust/git-sig =
|
||||
==========================================
|
||||
_EOF
|
||||
}
|
||||
|
||||
|
@ -577,17 +577,19 @@ cmd_usage() {
|
|||
cmd_version
|
||||
cat <<-_EOF
|
||||
Usage:
|
||||
$PROGRAM add [-m,--method=<note|tag>] [-p,--push]
|
||||
git sig add [-m,--method=<note|tag>] [-p,--push]
|
||||
Add signature for this repository
|
||||
$PROGRAM remove
|
||||
git sig remove
|
||||
Remove all signatures on current ref
|
||||
$PROGRAM verify [-g,--group=<group>] [-t,--threshold=<N>] [d,--diff=<branch>]
|
||||
git sig verify [-g,--group=<group>] [-t,--threshold=<N>] [d,--diff=<branch>]
|
||||
Verify m-of-n signatures by given group are present for directory.
|
||||
$PROGRAM fetch [-g,--group=<group>]
|
||||
git sig push [-r,--remote=<remote>]
|
||||
Push all signatures on current ref
|
||||
git sig fetch [-g,--group=<group>]
|
||||
Fetch key by fingerprint. Optionally add to group.
|
||||
$PROGRAM help
|
||||
git sig help
|
||||
Show this text.
|
||||
$PROGRAM version
|
||||
git sig version
|
||||
Show version information.
|
||||
_EOF
|
||||
}
|
|
@ -1,38 +1,38 @@
|
|||
load test_helper
|
||||
|
||||
@test "Outputs help if run without arguments" {
|
||||
run sig
|
||||
run git-sig
|
||||
[ "$status" -eq 0 ]
|
||||
echo "${output}" | grep "simple multisig trust toolchain"
|
||||
echo "${output}" | grep "multisig trust for git"
|
||||
}
|
||||
|
||||
@test "Outputs help if run with help" {
|
||||
run sig help
|
||||
run git-sig help
|
||||
[ "$status" -eq 0 ]
|
||||
echo "${output}" | grep "simple multisig trust toolchain"
|
||||
echo "${output}" | grep "multisig trust for git"
|
||||
}
|
||||
|
||||
@test "Outputs version if run with version" {
|
||||
run sig version
|
||||
run git-sig version
|
||||
[ "$status" -eq 0 ]
|
||||
echo "${output}" | grep "v0.2"
|
||||
echo "${output}" | grep "v0.3"
|
||||
}
|
||||
|
||||
@test "Outputs advice to install missing openssl" {
|
||||
sudo rm /usr/bin/openssl
|
||||
run sig version
|
||||
run git-sig version
|
||||
echo "${output}" | grep "apt install openssl"
|
||||
}
|
||||
|
||||
@test "Outputs advice to install missing gpg" {
|
||||
sudo rm /usr/bin/gpg
|
||||
run sig version
|
||||
run git-sig version
|
||||
echo "${output}" | grep "apt install gnupg"
|
||||
}
|
||||
|
||||
@test "Outputs advice to install missing getopt" {
|
||||
sudo rm /usr/bin/getopt
|
||||
run sig version
|
||||
run git-sig version
|
||||
echo "${output}" | grep "apt install getopt"
|
||||
}
|
||||
|
||||
|
@ -43,26 +43,26 @@ load test_helper
|
|||
git add .
|
||||
git commit -m "initial commit"
|
||||
echo "dirty" > somefile
|
||||
run sig verify
|
||||
run git-sig verify
|
||||
[ "$status" -eq 1 ]
|
||||
}
|
||||
|
||||
@test "Exit 1 if git method requested but not a repo" {
|
||||
run sig verify
|
||||
run git-sig verify
|
||||
[ "$status" -eq 1 ]
|
||||
}
|
||||
|
||||
@test "Verify succeeds when 1 unique git sig requirement is satisfied" {
|
||||
@test "Verify succeeds when 1 unique git git-sig requirement is satisfied" {
|
||||
set_identity "user1"
|
||||
echo "test string" > somefile
|
||||
git init
|
||||
git add .
|
||||
git commit -m "initial commit"
|
||||
run sig verify
|
||||
run git-sig verify
|
||||
[ "$status" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "Verify succeeds when 3 unique git sig requirement is satisfied" {
|
||||
@test "Verify succeeds when 3 unique git git-sig requirement is satisfied" {
|
||||
git init
|
||||
set_identity "user1"
|
||||
echo "test string 1" > somefile1
|
||||
|
@ -70,60 +70,60 @@ load test_helper
|
|||
git commit -m "user1 commit"
|
||||
set_identity "user2"
|
||||
git log
|
||||
sig add
|
||||
git-sig add
|
||||
set_identity "user3"
|
||||
sig add
|
||||
run sig verify --threshold 3
|
||||
git-sig add
|
||||
run git-sig verify --threshold 3
|
||||
[ "$status" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "Verify fails when 2 unique git sig requirement is not satisfied" {
|
||||
@test "Verify fails when 2 unique git git-sig requirement is not satisfied" {
|
||||
git init
|
||||
set_identity "user1"
|
||||
echo "test string 1" > somefile1
|
||||
git add .
|
||||
git commit -m "user1 commit"
|
||||
sig add
|
||||
run sig verify --threshold 2
|
||||
git-sig add
|
||||
run git-sig verify --threshold 2
|
||||
[ "$status" -eq 1 ]
|
||||
}
|
||||
|
||||
@test "Verify succeeds when 1 group git sig requirement is satisifed" {
|
||||
@test "Verify succeeds when 1 group git git-sig requirement is satisifed" {
|
||||
set_identity "user1"
|
||||
echo "test string" > somefile
|
||||
git init
|
||||
git add .
|
||||
git commit -m "initial commit"
|
||||
sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0
|
||||
run sig verify --group maintainers
|
||||
git-sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0
|
||||
run git-sig verify --group maintainers
|
||||
[ "$status" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "Verify succeeds when 3 group git sig requirement is satisifed" {
|
||||
@test "Verify succeeds when 3 group git git-sig requirement is satisifed" {
|
||||
set_identity "user1"
|
||||
echo "test string" > somefile1
|
||||
git init
|
||||
git add .
|
||||
git commit -m "User 1 Commit"
|
||||
set_identity "user2"
|
||||
sig add
|
||||
git-sig add
|
||||
set_identity "user3"
|
||||
sig add
|
||||
sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0
|
||||
sig fetch --group maintainers BE4D60F6CFD2237A8AF978583C51CADD33BD0EE8
|
||||
sig fetch --group maintainers 3E45AC9E190B4EE32BAE9F61A331AFB540761D69
|
||||
run sig verify --threshold 3 --group maintainers
|
||||
git-sig add
|
||||
git-sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0
|
||||
git-sig fetch --group maintainers BE4D60F6CFD2237A8AF978583C51CADD33BD0EE8
|
||||
git-sig fetch --group maintainers 3E45AC9E190B4EE32BAE9F61A331AFB540761D69
|
||||
run git-sig verify --threshold 3 --group maintainers
|
||||
[ "$status" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "Verify fails when 2 group git sig requirement is not satisifed" {
|
||||
@test "Verify fails when 2 group git git-sig requirement is not satisifed" {
|
||||
set_identity "user1"
|
||||
echo "test string" > somefile
|
||||
git init
|
||||
git add .
|
||||
git commit -m "initial commit"
|
||||
sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0
|
||||
run sig verify --threshold 2 --group maintainers
|
||||
git-sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0
|
||||
run git-sig verify --threshold 2 --group maintainers
|
||||
[ "$status" -eq 1 ]
|
||||
}
|
||||
|
||||
|
@ -136,14 +136,14 @@ load test_helper
|
|||
git commit -m "User 1 Commit"
|
||||
|
||||
set_identity "user2"
|
||||
sig add
|
||||
git-sig add
|
||||
|
||||
set_identity "user1"
|
||||
echo "updated test string" > somefile1
|
||||
git add .
|
||||
git commit -m "User 1 Update Commit"
|
||||
|
||||
run sig verify --threshold 2 --ref HEAD~1
|
||||
run git-sig verify --threshold 2 --ref HEAD~1
|
||||
[ "$status" -eq 0 ]
|
||||
}
|
||||
|
||||
|
@ -156,7 +156,7 @@ load test_helper
|
|||
git commit -m "User 1 Commit"
|
||||
|
||||
set_identity "user2"
|
||||
sig add
|
||||
git-sig add
|
||||
|
||||
set_identity "user1"
|
||||
git checkout -b feature_branch
|
||||
|
@ -164,7 +164,7 @@ load test_helper
|
|||
git add .
|
||||
git commit -m "User 1 Update Commit"
|
||||
|
||||
run sig verify --diff --ref master --threshold 2
|
||||
run git-sig verify --diff --ref master --threshold 2
|
||||
[ "$status" -eq 0 ]
|
||||
echo "${output}" | grep "updated test string"
|
||||
}
|
||||
|
@ -178,10 +178,10 @@ load test_helper
|
|||
git commit -m "User 1 Commit 1"
|
||||
|
||||
set_identity "user2"
|
||||
sig add
|
||||
git-sig add
|
||||
|
||||
set_identity "user3"
|
||||
sig add
|
||||
git-sig add
|
||||
|
||||
set_identity "user1"
|
||||
echo "test string 2" > testfile
|
||||
|
@ -189,7 +189,7 @@ load test_helper
|
|||
git commit -m "User 1 Commit 2"
|
||||
|
||||
set_identity "user2"
|
||||
sig add
|
||||
git-sig add
|
||||
|
||||
set_identity "user1"
|
||||
git checkout -b feature_branch
|
||||
|
@ -197,7 +197,7 @@ load test_helper
|
|||
git add .
|
||||
git commit -m "User 1 Commit 3"
|
||||
|
||||
run sig verify --diff --threshold 3
|
||||
run git-sig verify --diff --threshold 3
|
||||
[ "$status" -eq 0 ]
|
||||
echo "${output}" | grep "updated test string"
|
||||
}
|
||||
|
|
|
@ -8,7 +8,7 @@ setup(){
|
|||
bin_dir=/tmp/bin
|
||||
temp_dir=$(mktemp -d -t test-XXXXXXXXXX)
|
||||
mkdir -p /tmp/bin
|
||||
ln -sfn /home/test/sig/sig /tmp/bin/sig
|
||||
ln -sfn /home/test/sig/git-sig /tmp/bin/git-sig
|
||||
export PATH=${bin_dir}:${PATH}
|
||||
cd "$temp_dir" || return 1
|
||||
rm -rf ~/.gnupg
|
||||
|
|
Loading…
Reference in New Issue