Subject: No subject
From: keithhendersonjr @ 2017-05-09 7:35 UTC

Lately I've gotten into the habit of signing commits and tags with my GPG key (https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work).

But it appears cgit doesn't support showing commits that have been signed.

Is there a way to enable this?
Subject: Re: your mail
From: john @ 2017-07-22 12:04 UTC

On Tue, May 09, 2017 at 03:35:57AM -0400, Ghost Squad 57 wrote:
> Lately I've gotten into the habit of signing commits and tags with my GPG
> key (https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
>
> But it appears cgit doesn't support showing commits that have been signed.
>
> Is there a way to enable this?

No, we don't have any support for this at the moment. What would you
expect to see for a signed commit? Do you want the server to validate
the signature? In which case, how should the trusted signers be
configured?
Subject: GPG-signing of commits (was: Re: your mail)
From: i @ 2017-07-23 11:14 UTC

Phew, that part isn't easy to solve.

cgit has no input forms that write persistent data (regarding server security, I'm glad it does not have that). So we don't have a keyring of user-uploaded GPG public keys to fetch key information from, like GitHub does.

So we have two options:

1. Read the fingerprint and provide a link to a (configurable) search page like https://pgp.key-server.io/ or https://pgp.mit.edu/, to enable users to look at the key (if it is uploaded there). This wouldn't allow cgit to perform validity checks and I'm not in favor of this option.

2. An admin-operated GPG keyring specifically for cgit, where the admin decides which key would be in this keyring and/or if he trusts this key. Based on this, cgit can display key information and validity (please be aware that keys may sign commits even if they are forged), and if the admin trusts this key... maybe a green checkmark and a text "this signature is trusted by (this site|the admin of this site|site owner|<configurable>)". And a red X if the signature is valid but the trust level is "I do NOT trust".

Maybe we should even avoid giving people a false sense of security by showing every GPG signature or link to search pages, leading them to think everything is cryptographically secure.

A configurable trust-level threshold with a reasonable default ("show only signatures if the trust level is set" or "show only fully trusted keys").

Kind regards
MonkZ

On 22.07.2017 14:04, John Keeping wrote:
> On Tue, May 09, 2017 at 03:35:57AM -0400, Ghost Squad 57 wrote:
>> Lately I've gotten into the habit of signing commits and tags with my GPG
>> key (https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
>>
>> But it appears cgit doesn't support showing commits that have been signed.
>>
>> Is there a way to enable this?
>
> No, we don't have any support for this at the moment. What would you
> expect to see for a signed commit? Do you want the server to validate
> the signature? In which case, how should the trusted signers be
> configured?
Subject: Re: your mail
From: john @ 2017-07-23 12:00 UTC

[Please keep the mailing list cc'd.]

On Sat, Jul 22, 2017 at 12:32:40PM -0400, Ghost Squad 57 wrote:
> Personally, I just want cgit to show the key used to sign the commit, not
> necessarily validate it. Validation could always be done on the user's side.

I would be very concerned about giving a false sense of security by doing
this. It sounds like you want something like "good signature by untrusted
key ...", but then doing validation on the user's side requires cloning the
repository, doesn't it? Or do you mean that the user should trust the
server and just say "yes, that's the key I expect to have signed this"?
That's not behaviour that we should be encouraging.

> On Jul 22, 2017 8:04 AM, "John Keeping" <john at keeping.me.uk> wrote:
> > On Tue, May 09, 2017 at 03:35:57AM -0400, Ghost Squad 57 wrote:
> > > Lately I've gotten into the habit of signing commits and tags with my GPG
> > > key (https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
> > >
> > > But it appears cgit doesn't support showing commits that have been
> > > signed.
> > >
> > > Is there a way to enable this?
> >
> > No, we don't have any support for this at the moment. What would you
> > expect to see for a signed commit? Do you want the server to validate
> > the signature? In which case, how should the trusted signers be
> > configured?
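The admin-operated keyring with a configurable trust threshold that MonkZ sketches, and John's worry about a "good signature by untrusted key" giving a false sense of security, can both be expressed as one small display policy. This is an added example, not cgit code and not from anyone in the thread: it assumes the server has run `git verify-commit --raw <sha>` with GNUPGHOME pointing at the admin's keyring and parses gpg's machine-readable status lines; the sample status output, fingerprint, user id, function name and labels are constructed for illustration.

```python
"""Display policy for commit signatures in a read-only web UI.

Added example (not cgit code): the server runs
    GNUPGHOME=/path/to/admin-keyring git verify-commit --raw <sha>
and feeds gpg's machine-readable status lines to verdict(), which
reduces them to one label the page may show.
"""
import re

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
# gpg's trust levels, ranked; the admin's threshold is compared against these.
TRUST_RANK = {"TRUST_NEVER": 0, "TRUST_UNDEFINED": 1, "TRUST_MARGINAL": 2,
              "TRUST_FULLY": 3, "TRUST_ULTIMATE": 4}

# Constructed sample of gpg status output for a good signature by a key the
# admin marked as fully trusted (fingerprint and uid are placeholders).
SAMPLE_TRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Dev <dev@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-07-23 1500800000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""

def verdict(status_output, threshold="TRUST_FULLY", show_untrusted=False):
    """Return (label, fingerprint, uid).

    label is one of: "hidden" (say nothing), "trusted" (green checkmark),
    "untrusted" (valid signature, key below threshold), "do-not-trust"
    (admin explicitly distrusts the key), "bad" (signature does not verify).
    Keys absent from the admin keyring are hidden rather than shown as
    unverified, so the page never implies more than the admin vouched for.
    """
    fields = {}
    for line in status_output.splitlines():
        m = STATUS_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2) or ""
    if "BADSIG" in fields:
        return ("bad", None, None)
    if "GOODSIG" not in fields or "VALIDSIG" not in fields:
        return ("hidden", None, None)  # NO_PUBKEY, ERRSIG, EXPKEYSIG, REVKEYSIG ...
    _, _, uid = fields["GOODSIG"].partition(" ")
    fpr = fields["VALIDSIG"].split()[0]
    trust = next((t for t in TRUST_RANK if t in fields), "TRUST_UNDEFINED")
    if trust == "TRUST_NEVER":
        return ("do-not-trust", fpr, uid)
    if TRUST_RANK[trust] >= TRUST_RANK[threshold]:
        return ("trusted", fpr, uid)
    return ("untrusted" if show_untrusted else "hidden", fpr, uid)
```

With the default threshold, a signature by a key the admin has not marked fully trusted is not shown at all, which is the conservative default MonkZ suggests; setting show_untrusted=True gives the "good signature by untrusted key" display John cautions against.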