From: i at monkz.de (MonkZ)
Date: Sun, 23 Jul 2017 13:14:09 +0200
Subject: GPG-signing of commits was: Re: your mail
In-Reply-To: <20170722120443.GJ1600@john.keeping.me.uk>
References: <20170722120443.GJ1600@john.keeping.me.uk>
Message-ID:

Phew, that part isn't easy to solve.

cgit has no input forms that write persistent data (regarding server
security, I'm glad it does not have that). So we don't have a keyring of
user-uploaded GPG pubkeys to fetch key information from, like GitHub does.

So we have two options:

1. Read the fingerprint and provide a link to a (configurable) search
page like https://pgp.key-server.io/ or https://pgp.mit.edu/, to enable
users to look at the key (if it is uploaded there). This wouldn't allow
cgit to perform validity checks and I'm not in favor of this option.

2. An admin-operated GPG keyring specifically for cgit, where the admin
decides which key would be in this keyring and/or if he trusts this key.
Based on this, cgit can display key information and validity (please be
aware that keys may sign commits even if they are forged), and if the
admin trusts this key... maybe a green checkmark and a text "this
signature is trusted by (this site|the admin of this site|site owner|)".
And a red X if the signature is valid but the trust level is "I do NOT
trust".

Maybe we should even avoid giving people a false sense of security by
showing every GPG signature or link to search pages, leading them to
think everything is cryptographically secure.

A configurable trust level threshold with a reasonable default ("show
only signatures if the trust level is set" or "show only fully trusted
keys").

MfG
MonkZ

On 22.07.2017 14:04, John Keeping wrote:
> On Tue, May 09, 2017 at 03:35:57AM -0400, Ghost Squad 57 wrote:
>> Lately I've gotten into the habit of signing commits and tags with my GPG
>> key (https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
>>
>> But it appears cgit doesn't support showing commits that have been signed.
>>
>> Is there a way to enable this?
>
> No, we don't have any support for this at the moment. What would you
> expect to see for a signed commit? Do you want the server to validate
> the signature? In which case, how should the trusted signers be
> configured?
> _______________________________________________
> CGit mailing list
> CGit at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/cgit
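As an added illustration (not cgit's code and not from anyone in this thread) of how option 2 above could be built on git's own verification: the server runs `git log` with `GNUPGHOME` pointing at the admin-maintained keyring, and maps git's `%G?` signature status and `%GT` trust level to the display decision, with the configurable threshold from the message. The `git log` output below is constructed; the `GNUPGHOME` location and the function names are assumptions.

```python
from typing import Dict, Tuple

# git's %GT trust levels, ranked so a configured threshold can be compared.
# "never" is absent on purpose: it is the explicit red-X case below.
TRUST_RANK = {"undefined": 0, "marginal": 1, "fully": 2, "ultimate": 3}

# Constructed sample of `git log --format='%H%x00%G?%x00%GT%x00%GS'`
# run with GNUPGHOME pointing at the admin keyring (hypothetical values).
SAMPLE_LOG = "\n".join([
    "1111111\0G\0fully\0Alice Admin <alice@example.org>",
    "2222222\0G\0undefined\0Bob <bob@example.org>",
    "3333333\0B\0undefined\0Mallory <m@example.org>",
    "4444444\0E\0undefined\0",   # signing key is not in the keyring
    "5555555\0N\0undefined\0",   # unsigned commit
    "6666666\0G\0never\0Eve <eve@example.org>",
])

def classify(status: str, trust: str, threshold: str) -> Tuple[str, str]:
    """Map one %G? status and %GT trust level to (display, reason)."""
    if status == "N":
        return "none", "commit is not signed"
    if status == "B":
        return "bad", "signature does not match the commit"
    if status == "E":   # key absent from the admin keyring: show nothing
        return "hidden", "signing key not in the admin keyring"
    if status in ("X", "Y", "R"):
        why = {"X": "signature expired", "Y": "signing key expired",
               "R": "signing key revoked"}
        return "untrusted", why[status]
    if status not in ("G", "U"):
        return "hidden", f"unexpected status {status!r}"
    if trust == "never":
        return "untrusted", "admin marked this key as not trusted"
    if TRUST_RANK.get(trust, 0) >= TRUST_RANK[threshold]:
        return "trusted", f"trust level {trust} meets threshold {threshold}"
    return "hidden", f"trust level {trust} is below threshold {threshold}"

def verdicts(output: str, threshold: str = "fully") -> Dict[str, tuple]:
    """Parse NUL-separated git log lines into {commit: (display, reason, signer)}."""
    if threshold not in TRUST_RANK:
        raise ValueError(f"threshold must be one of {sorted(TRUST_RANK)}")
    result = {}
    for line in filter(None, output.splitlines()):
        fields = line.split("\0", 3)
        if len(fields) != 4:
            raise ValueError(f"malformed line: {line!r}")
        commit, status, trust, signer = fields
        result[commit] = classify(status, trust, threshold) + (signer,)
    return result
```

A "hidden" verdict for an unknown key is deliberate: a signature from a key the admin never imported conveys nothing the site can vouch for, which is the false-sense-of-security point above.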