public
/
git-sig
5
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: public:master
Branches Tags
public:main
public:master
..
compare: public:main
Branches Tags
public:main
public:master

1 Commits
master ... main

Author SHA1 Message Date
Anton Livaja 911dff8fa7
fix: spelling errors 2024-04-07 11:31:28 -04:00
1 changed files with 4 additions and 4 deletions
Show Stats Expand all files Collapse all files

8
README.md
View File

@ -5,7 +5,7 @@ The simple multisig toolchain for git repos.
## Features ## Features
* Attach any number of signatures to any given git ref * Attach any number of signatures to any given git ref
* Verify git history contains a minimum threshold of unique commit siguatures * Verify git history contains a minimum threshold of unique commit signatures
* Verify signatures belong to a defined GPG alias group * Verify signatures belong to a defined GPG alias group
* Verify code changes made since last time minimum valid signatures were present * Verify code changes made since last time minimum valid signatures were present
* Allow user to manually verify new keys and add to alias groups on the fly * Allow user to manually verify new keys and add to alias groups on the fly
@ -129,7 +129,7 @@ In spite of many popular claims to the contrary, PGP is still the most well
supported protocol for distribution, verification, and signing for keys held supported protocol for distribution, verification, and signing for keys held
by individual humans. It is also the only protocol with wide HSM support by individual humans. It is also the only protocol with wide HSM support
allowing you to keep keys out of system memory and require physical approval allowing you to keep keys out of system memory and require physical approval
for each operation. E.G a trezor, ledger, yubikey, etc. for each operation. E.G a trezor, ledger, YubiKey, etc.
Admittedly the GnuPG codebase itself is a buggy dated mess, but PGP as a spec Admittedly the GnuPG codebase itself is a buggy dated mess, but PGP as a spec
is still Pretty Good for many use cases. A recent modern rewrite by a number is still Pretty Good for many use cases. A recent modern rewrite by a number
@ -156,7 +156,7 @@ See: [The Update Framework](https://theupdateframework.io)
Openssl has HSM support via OpenSC that is fairly well supported via PKSC#11. Openssl has HSM support via OpenSC that is fairly well supported via PKSC#11.
Contributions suggesting this an alterantive backend to OpenPGP are welcome, Contributions suggesting this an alternative backend to OpenPGP are welcome,
however they would have to also come with methods for key discovery and pinned however they would have to also come with methods for key discovery and pinned
key groups via configuration files of some kind. key groups via configuration files of some kind.
@ -168,6 +168,6 @@ These alternatives have poor if any support for HSM workflows and thus put
private keys at too much risk of theft or loss to recommend for general use at private keys at too much risk of theft or loss to recommend for general use at
this time. this time.
That said, verifying folders/repos that use these methods is certianly of value That said, verifying folders/repos that use these methods is certainly of value
and contributions to support doing this on systems where those tools are and contributions to support doing this on systems where those tools are
available are welcome. available are welcome.