List for cgit developers and users
* No subject
From: keithhendersonjr @ 2017-05-09  7:35 UTC


Lately I've gotten into the habit of signing commits and tags with my GPG
key (https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)

But it appears cgit doesn't support showing commits that have been signed.

Is there a way to enable this?



* your mail
From: john @ 2017-07-22 12:04 UTC


On Tue, May 09, 2017 at 03:35:57AM -0400, Ghost Squad 57 wrote:
> Lately I've gotten into the habit of signing commits and tags with my GPG
> key (https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
> 
> But it appears cgit doesn't support showing commits that have been signed.
> 
> Is there a way to enable this?

No, we don't have any support for this at the moment.  What would you
expect to see for a signed commit?  Do you want the server to validate
the signature?  In which case, how should the trusted signers be
configured?



* GPG-signing of commits was: Re: your mail
From: i @ 2017-07-23 11:14 UTC


Phew, that part isn't easy to solve.
cgit has no input forms that write persistent data (regarding server
security, I'm glad it does not have that).
So we don't have a keyring of user-uploaded GPG public keys to fetch key
information from, like GitHub does.

So we have two options:
1. read the fingerprint and provide a link to a (configurable) search
page like https://pgp.key-server.io/ or https://pgp.mit.edu/, to enable
users to look at the key (if it is uploaded there). This wouldn't allow
cgit to perform validity checks and I'm not in favor of this option.

2. an admin-operated GPG keyring specifically for cgit, where the admin
decides which key would be in this keyring and/or if he trusts this key.
Based on this, cgit can display key information and validity (please be
aware that keys may sign commits even if they are forged), and if the
admin trusts this key... maybe a green checkmark and a text "this
signature is trusted by (this site|the admin of this site|site
owner|<configurable>)"
And a red X if the signature is valid but the trustlevel is "I do NOT
trust".

Maybe we should even avoid giving people a false sense of security, by
showing every GPG signature or link to search pages, leading them to
think everything is cryptographically secure.
A configurable trust level threshold with a reasonable default ("show
only signatures if the trust level is set" or "show only fully trusted keys").

Kind regards
MonkZ

On 22.07.2017 14:04, John Keeping wrote:
> On Tue, May 09, 2017 at 03:35:57AM -0400, Ghost Squad 57 wrote:
>> Lately I've gotten into the habit of signing commits and tags with my GPG
>> key (https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
>>
>> But it appears cgit doesn't support showing commits that have been signed.
>>
>> Is there a way to enable this?
> 
> No, we don't have any support for this at the moment.  What would you
> expect to see for a signed commit?  Do you want the server to validate
> the signature?  In which case, how should the trusted signers be
> configured?



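The trust-threshold policy sketched in option 2 above (admin-operated keyring, configurable threshold, green check for trusted keys, red X for keys the admin explicitly distrusts, nothing at all below the threshold so nobody gets a false sense of security), as an added example that is not part of this thread and not cgit code. It assumes the front end ran `git log --format='%H%x09%G?%x09%GT%x09%GK%x09%GF%x09%GS'` with `GNUPGHOME` pointing at the keyring the site admin maintains, so that git's `%G?` status, `%GT` trust level, `%GK` key id, `%GF` fingerprint and `%GS` signer are computed against that keyring only. The sample log lines, hashes, key ids and fingerprints are constructed; the decision names, the label wording and the default threshold are choices of this example.

```python
"""Display policy for signed commits behind an admin-operated keyring.

Added example, not cgit code.  Each input line is assumed to come from
    git log --format='%H%x09%G?%x09%GT%x09%GK%x09%GF%x09%GS'
run with GNUPGHOME set to the admin's keyring.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# Meaning of git's one-letter %G? codes (git-log(1), PRETTY FORMATS).
SIG_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key of unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}

# Trust levels git reports in %GT, least trusted first.  The admin picks
# one as the threshold; "fully" is this example's default.
TRUST_ORDER = ("never", "undefined", "marginal", "fully", "ultimate")


@dataclass(frozen=True)
class SigInfo:
    commit: str       # %H
    status: str       # %G?
    trust: str        # %GT, "" when git has nothing to report
    keyid: str        # %GK
    fingerprint: str  # %GF
    signer: str       # %GS


def parse_log_line(line: str) -> SigInfo:
    """Split one tab-separated git log line into its six fields."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    return SigInfo(*fields)


def display_decision(info: SigInfo, threshold: str = "fully") -> str:
    """Decide what to render: 'trusted' (green check), 'distrusted'
    (red X: valid signature, key marked 'never'), 'bad' (does not verify),
    'unsigned', or 'hidden' (below threshold, expired, revoked, or key
    absent from the admin keyring; nothing is shown for these)."""
    if threshold not in TRUST_ORDER:
        raise ValueError(f"unknown trust threshold {threshold!r}")
    if info.status == "N":
        return "unsigned"
    if info.status == "B":
        return "bad"
    if info.status in ("E", "X", "Y", "R"):
        # Nothing here may be rendered in a way that reads as "verified".
        return "hidden"
    # Remaining codes G and U: the signature itself verified.
    if info.trust == "never":
        return "distrusted"
    if (info.trust in TRUST_ORDER
            and TRUST_ORDER.index(info.trust) >= TRUST_ORDER.index(threshold)):
        return "trusted"
    return "hidden"


def label_for(info: SigInfo, decision: str,
              site_label: str = "the site owner") -> str:
    """Text to show beside the commit; site_label is the configurable name."""
    if decision == "trusted":
        return (f"this signature is trusted by {site_label} "
                f"(key {info.keyid}, {info.signer})")
    if decision == "distrusted":
        return f"valid signature, but {site_label} does NOT trust key {info.keyid}"
    if decision == "bad":
        return f"BAD signature claiming key {info.keyid}"
    return ""  # 'hidden' and 'unsigned' render nothing


def classify_lines(lines: Iterable[str], threshold: str = "fully") -> Dict[str, str]:
    """Decision per commit hash for a batch of git log lines."""
    return {info.commit: display_decision(info, threshold)
            for info in map(parse_log_line, lines)}


# Constructed sample output; hashes, key ids and fingerprints are made up.
SAMPLE_LOG = [
    "1" * 40 + "\tG\tfully\t0123456789ABCDEF\t" + "A" * 40 + "\tAlice Example <alice@example.org>",
    "2" * 40 + "\tG\tnever\tFEDCBA9876543210\t" + "B" * 40 + "\tBob Example <bob@example.org>",
    "3" * 40 + "\tU\tundefined\t1122334455667788\t" + "C" * 40 + "\tCarol Example <carol@example.org>",
    "4" * 40 + "\tB\tundefined\t0123456789ABCDEF\t\t",
    "5" * 40 + "\tN\t\t\t\t",
    "6" * 40 + "\tE\tundefined\t99AABBCCDDEEFF00\t\t",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        info = parse_log_line(raw)
        decision = display_decision(info)
        print(info.commit[:12], decision, label_for(info, decision))
```

Because the trust levels come from the admin's own keyring, "E" (key not in that keyring) and anything below the threshold collapse to "hidden" rather than to a weaker badge, which is what keeps the page from suggesting a signature was checked when the admin never vouched for the key.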

* your mail
From: john @ 2017-07-23 12:00 UTC


[Please keep the mailing list cc'd.]

On Sat, Jul 22, 2017 at 12:32:40PM -0400, Ghost Squad 57 wrote:
> Personally, I just want cgit to show the key used to sign the commit, not
> necessarily validate it. Validation could always be done on the user's side.

I would be very concerned about giving a false sense of security by
doing this.  It sounds like you want something like "good signature by
untrusted key ...", but then doing validation on the user's side
requires cloning the repository, doesn't it?

Or do you mean that the user should trust the server and just say "yes,
that's the key I expect to have signed this"?  That's not behaviour that
we should be encouraging.

> On Jul 22, 2017 8:04 AM, "John Keeping" <john at keeping.me.uk> wrote:
> 
> > On Tue, May 09, 2017 at 03:35:57AM -0400, Ghost Squad 57 wrote:
> > > Lately I've gotten into the habit of signing commits and tags with my GPG
> > > key (https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
> > >
> > > But it appears cgit doesn't support showing commits that have been signed.
> > >
> > > Is there a way to enable this?
> >
> > No, we don't have any support for this at the moment.  What would you
> > expect to see for a signed commit?  Do you want the server to validate
> > the signature?  In which case, how should the trusted signers be
> > configured?
> >


