
#1 2013-07-10 22:41:54

WindPower
Member
Registered: 2012-09-06
Posts: 12

Verifying GPG signatures of commits in *-git packages

Hi, I'm wondering if there's a way to have makepkg check the GPG signature present on git commits.

I am not talking about checking tag signatures; this is for *-git packages, which build from the HEAD revision of the repository. If all commits in that repository are signed (using 'git commit -S'), then the signature can be checked before building the package.

I have already hacked together a PKGBUILD that does this, but it's not exactly pretty. I'm wondering if there's a better way to do this, as there does seem to be some built-in GPG signature checking on regular files (triggered whenever one of the source files ends in '.asc' apparently, which is why I had to rename the key file in that PKGBUILD). It seems to be confused when used against git sources, however.

Last edited by WindPower (2013-07-10 22:42:44)


#2 2013-07-10 22:45:34

HalosGhost
Forum Moderator
From: Twin Cities, MN
Registered: 2012-06-22
Posts: 2,089

Re: Verifying GPG signatures of commits in *-git packages

At the moment, I don't believe there is a graceful built-in way of handling GPG signatures on commits; I imagine yours is about as close as it gets. Though, I've been hoping for a new field to pop up (think sha256sums but with GPG keys), and have that be built-in.

Conceptually speaking, however, this hypothetical gpgkeys=() array wouldn't list keys to be matched to the source file; instead, it would list keys with which it would be acceptable for the git repo to be signed. So, you could have multiple keys that only pertain to one source file. I would imagine it would work so that instead of putting 'SKIP' for the checksum array value of the given source repo, you would put something like 'GPG[0:2]', and then that source file would be checked for integrity using the first three keys listed in the gpgkeys array.

All the best,

-HG

Last edited by HalosGhost (2013-07-10 22:56:28)


#3 2013-07-11 01:58:09

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111

Re: Verifying GPG signatures of commits in *-git packages

Why do you even want this? The repo itself ensures integrity.


#4 2013-07-11 03:03:01

WindPower
Member
Registered: 2012-09-06
Posts: 12

Re: Verifying GPG signatures of commits in *-git packages

falconindy wrote:

Why do you even want this? The repo itself ensures integrity.

git does pretty well at integrity, in that every git commit has a hash which is unique to the commit and which is tamper-proof in the sense that it is not computationally possible to come up with a commit that has the same hash but with a different diff attached to it. As the commit hash also covers the hash of the preceding commit in the tree, a single commit hash is enough to guarantee the integrity of the entire source tree. However, this provides just that: integrity. It provides no authentication whatsoever. The 'git://' protocol also provides no encryption or authentication (unlike for example 'git+https://'). Therefore, there is no way to know if a repository cloned over the 'git://' protocol really is the same as what it should be, without a secure (i.e. authenticated) way of knowing what the true hash of the latest commit is. That is where signed tags and commits come in; all that is needed is to sign the hash of the latest commit, and the PKGBUILD can check if the signature matches said hash. If so, then the entire history of the repository (up to the signed commit) can be considered to be as trustworthy as the GPG key itself is.

tl;dr: git is pretty smart, but it does not provide any authentication guarantee. Signature verification solves this problem.

HalosGhost wrote:

Conceptually speaking, however, this hypothetical gpgkeys=() array wouldn't list keys to be matched to the source file; instead, it would list keys with which it would be acceptable for the git repo to be signed. So, you could have multiple keys that only pertain to one source file. I would imagine it would work so that instead of putting 'SKIP' for the checksum array value of the given source repo, you would put something like 'GPG[0:2]', and then that source file would be checked for integrity using the first three keys listed in the gpgkeys array.

That would be pretty damn cool.

Last edited by WindPower (2013-07-11 03:13:53)

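The check described in the post above (verify the signature on the latest commit, then accept it only if the signing key is on a list of acceptable keys, in the spirit of the gpgkeys idea from post #2) as an added example; this is not the PKGBUILD from the post. The function names and the fingerprints are constructed placeholders, and the git wrapper assumes git's %G? and %GF log placeholders with gpg available to git.

```bash
#!/bin/sh
# Added example: accept a *-git checkout only when HEAD carries a good GPG
# signature from a key on an allow list. Keys are pinned by fingerprint, so
# the gpg trust database does not matter; the fingerprint list does.

# Constructed placeholder fingerprints (not real keys).
ACCEPTED_FINGERPRINTS='0123456789ABCDEF0123456789ABCDEF01234567 89ABCDEF0123456789ABCDEF0123456789ABCDEF'

# signature_acceptable STATUS FINGERPRINT
#   STATUS is git's %G? value: G = good, U = good but key untrusted in the
#   trustdb, B = bad, E = cannot be checked (e.g. key missing), N = unsigned,
#   X/Y/R = good but expired/expired key/revoked key.
#   FINGERPRINT is %GF, the fingerprint of the key that made the signature.
# Returns 0 only when the signature is good AND the key is on the allow list.
signature_acceptable() {
    local status="$1" fpr="$2" ok
    case "$status" in
        G|U) ;;              # cryptographically good; trustdb state is irrelevant here
        *) return 1 ;;       # bad, missing, expired, revoked or unverifiable
    esac
    for ok in $ACCEPTED_FINGERPRINTS; do
        [ "$fpr" = "$ok" ] && return 0
    done
    return 1                 # good signature, but not from an expected key
}

# verify_head_signature REPO_DIR
#   Reads HEAD's signature status and signing-key fingerprint from git and
#   applies the policy above. Meant for prepare() in a *-git PKGBUILD, e.g.
#       verify_head_signature "$srcdir/$pkgname" || return 1
verify_head_signature() {
    local repo="$1" line status fpr
    line=$(git -C "$repo" log -1 --format='%G? %GF' HEAD) || return 1
    status="${line%% *}"
    fpr="${line#* }"
    [ "$fpr" = "$line" ] && fpr=''   # no fingerprint field (unsigned commit)
    if signature_acceptable "$status" "$fpr"; then
        echo "HEAD signed by accepted key $fpr"
    else
        echo "HEAD signature check failed (status=$status key=${fpr:-none})" >&2
        return 1
    fi
}
```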

#5 2013-07-11 03:10:14

HalosGhost
Forum Moderator
From: Twin Cities, MN
Registered: 2012-06-22
Posts: 2,089

Re: Verifying GPG signatures of commits in *-git packages

Also, I'm not sure how good bzr/hg/svn are with security, but this feature would provide redundancy for all VCS source solutions.

All the best,

-HG

