GPG-signing of commits was: Re: your mail

MonkZ i at monkz.de
Sun Jul 23 13:14:09 CEST 2017


Phew, that part isn't easy to solve.
cgit has no input forms that write persistent data (regarding server
security, I'm glad it does not have that).
So we don't have a keyring of user-uploaded GPG public keys to fetch key
information from, like GitHub does.

So we have two options:
1. read the fingerprint and provide a link to a (configurable) search
page like https://pgp.key-server.io/ or https://pgp.mit.edu/, to enable
users to look at the key (if it is uploaded there). This wouldn't allow
cgit to perform validity checks and I'm not in favor of this option.

2. an admin-operated GPG keyring specifically for cgit, where the admin
decides which key would be in this keyring and/or if he trusts this key.
Based on this, cgit can display key information and validity (please be
aware that keys may sign commits even if they are forged), and if the
admin trusts this key... maybe a green checkmark and a text "this
signature is trusted by (this site|the admin of this site|site
owner|<configurable>)"
And a red X if the signature is valid but the trust level is "I do NOT
trust".

Maybe we should even avoid giving people a false sense of security by
showing every GPG signature or linking to search pages, leading them to
think everything is cryptographically secure.
A configurable trust level threshold with a reasonable default ("show
signatures only if the trust level is set" or "show only fully trusted keys").

Best regards
MonkZ

On 22.07.2017 14:04, John Keeping wrote:
> On Tue, May 09, 2017 at 03:35:57AM -0400, Ghost Squad 57 wrote:
>> Lately I've gotten into the habit of signing commits and tags with my GPG
>> key (https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
>>
>> But it appears cgit doesn't support showing commits that have been signed.
>>
>> Is there a way to enable this?
> 
> No, we don't have any support for this at the moment.  What would you
> expect to see for a signed commit?  Do you want the server to validate
> the signature?  In which case, how should the trusted signers be
> configured?

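As an added illustration of option 2 (not code from cgit or from anyone in this thread), the display policy in Python: it reads the `[GNUPG:]` status lines that `git verify-commit --raw` relays from gpg, assuming cgit runs git with `GNUPGHOME` pointed at the admin-maintained keyring, and maps them to the green checkmark / red X / hidden outcomes with a configurable trust threshold. The "bad" state for a signature that does not verify and all key ids, user ids and sample lines are my assumptions.

```python
# Rank of the trust lines gpg emits on its status fd, lowest to highest.
TRUST_RANK = {"TRUST_NEVER": 0, "TRUST_UNDEFINED": 1, "TRUST_MARGINAL": 2,
              "TRUST_FULLY": 3, "TRUST_ULTIMATE": 4}

# Constructed samples of the status lines `git verify-commit --raw` relays
# from gpg on stderr; key id and user id are made up.
GOOD = ("[GNUPG:] NEWSIG\n"
        "[GNUPG:] GOODSIG 0123456789ABCDEF Example Admin <admin@example.org>\n")
SAMPLES = {
    "fully":    GOOD + "[GNUPG:] TRUST_FULLY 0 pgp\n",
    "marginal": GOOD + "[GNUPG:] TRUST_MARGINAL 0 pgp\n",
    "never":    GOOD + "[GNUPG:] TRUST_NEVER 0 pgp\n",
    "unknown":  ("[GNUPG:] NEWSIG\n"
                 "[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1500815649 9\n"
                 "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"),
    "bad":      ("[GNUPG:] NEWSIG\n"
                 "[GNUPG:] BADSIG 0123456789ABCDEF Example Admin <admin@example.org>\n"),
}

def parse_status(raw):
    """Extract what a viewer needs from gpg's [GNUPG:] status lines."""
    info = {"good": False, "bad": False, "unknown_key": False,
            "keyid": None, "uid": None, "trust": None}
    for line in raw.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split(" ", 3)      # "[GNUPG:]", keyword, arg, rest
        keyword = fields[1]
        if keyword == "GOODSIG":
            info["good"], info["keyid"], info["uid"] = True, fields[2], fields[3]
        elif keyword == "BADSIG":
            info["bad"] = True           # signature does not match the commit
        elif keyword == "NO_PUBKEY":
            info["unknown_key"] = True   # signing key is not in the admin keyring
        elif keyword in TRUST_RANK:
            info["trust"] = keyword      # owner trust the admin assigned the key
    return info

def display_state(raw, min_trust="TRUST_FULLY"):
    """Decide what cgit would render for one commit, given a trust threshold."""
    s = parse_status(raw)
    if s["bad"]:
        return "bad"          # tampered commit or wrong key (state assumed here)
    if not s["good"] or s["trust"] is None:
        return "hidden"       # unknown key: show nothing rather than false comfort
    if s["trust"] == "TRUST_NEVER":
        return "distrusted"   # red X: valid signature, key the admin distrusts
    if TRUST_RANK[s["trust"]] >= TRUST_RANK[min_trust]:
        return "trusted"      # green checkmark
    return "hidden"           # valid, but below the configured threshold
```

Git itself later gained the same kind of threshold as the `gpg.minTrustLevel` setting (git 2.26 and newer), which makes `git verify-commit` fail for keys below the configured level.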