
Re: gitsign: first binary packages available



For people who want to play along, I have tried the following sequence
of commands.  The 'gitsign' package built on Salsa seems to work on my
Trisquel aramo laptop using Abrowser and GitHub.  I expect it to work on
any Debian/Ubuntu setup with Firefox or Chrome too.

Welcome to the brand new world of keyless git signing in Debian!

There is just a small caveat: You are handing over control of your git
signature keys not only to the software built by Debian and the
hardware that executes it, but also to the oauth2.sigstore.dev website,
the general webpki CA industry to protect you against https MITM and
routing attacks, all the external javascript code and terms of service
from every webpage used during your authentication (currently
fonts.gstatic.com on oauth2.sigstore.dev, but they claim the Google
Privacy Policy and Terms of Service apply and that reCAPTCHA is used),
and if you click on the github.com login prompt you get a bazillion
other javascript files and terms of service that you have to audit and
trust.  In other words, no real difference to the security environment
of >>99% of humanity, so we are all in good hands.  </irony>

jas@kaka:~$ sudo apt-get install git
jas@kaka:~$ echo "deb [trusted=yes] https://salsa.debian.org/jas/gitsign/-/jobs/6701680/artifacts/raw/aptly experimental main" | sudo -- tee --append /etc/apt/sources.list.d/add.list
jas@kaka:~$ sudo apt-get update
jas@kaka:~$ sudo apt-get install gitsign
jas@kaka:~$ mkdir foo
jas@kaka:~$ cd foo
jas@kaka:~/foo$ git init
Initialized empty Git repository in /home/jas/foo/.git/
jas@kaka:~/foo$ git config --local gpg.x509.program gitsign  # Use gitsign for signing
jas@kaka:~/foo$ git config --local gpg.format x509  # gitsign expects x509 args
jas@kaka:~/foo$ git commit --allow-empty --message="Signed commit" -S
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=kHToRXQjwE9l87VyFqEXBXCwHltID2YSFiN-508B9KA&code_challenge_method=S256&nonce=2pnSZP2j5wy6OWM74KCG7r4mcVv&redirect_uri=http%3A%2F%2Flocalhost%3A42377%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=2pnSZM551lb8PvjtDw2qBz9Ikfr
tlog entry created with index: 153586000
[main (root-commit) 2f32add] Signed commit
jas@kaka:~/foo$ git tag v0.0.1 -s -m "my tag"
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=0FZ5lQFMJMhvLkUTC1wT8-WyYbUX-rP2Xi4c5HgKuPg&code_challenge_method=S256&nonce=2pnSeCc4wJSlyNkZNPCxpA4TR7M&redirect_uri=http%3A%2F%2Flocalhost%3A44433%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=2pnSeJGvZxpr0KXDX2ZIzhyWDyF
tlog entry created with index: 153586034
jas@kaka:~/foo$ git verify-commit HEAD
tlog index: 153586000
gitsign: Signature made using certificate ID 0xe690b23d18e4250f20885bb5a946665966bf2d10 | CN=sigstore-intermediate,O=sigstore.dev
gitsign: Good signature from [simon@josefsson.org](https://github.com/login/oauth)
Validated Git signature: true
Validated Rekor entry: true
Validated Certificate claims: false
WARNING: git verify-commit does not verify cert claims. Prefer using `gitsign verify` instead.
jas@kaka:~/foo$ gitsign verify --certificate-identity=simon@josefsson.org --certificate-oidc-issuer=https://github.com/login/oauth HEAD
tlog index: 153586000
gitsign: Signature made using certificate ID 0xe690b23d18e4250f20885bb5a946665966bf2d10 | CN=sigstore-intermediate,O=sigstore.dev
gitsign: Good signature from [simon@josefsson.org](https://github.com/login/oauth)
Validated Git signature: true
Validated Rekor entry: true
Validated Certificate claims: true
jas@kaka:~/foo$ git verify-tag -v v0.0.1
object 2f32add913c9a3e6bd7a3e5fbdf837c614a65544
type commit
tag v0.0.1
tagger Simon Josefsson <simon@josefsson.org> 1733400439 +0100

my tag
tlog index: 153586034
gitsign: Signature made using certificate ID 0x59013164939fe466aa9d938491db5f36a03feec2 | CN=sigstore-intermediate,O=sigstore.dev
gitsign: Good signature from [simon@josefsson.org](https://github.com/login/oauth)
Validated Git signature: true
Validated Rekor entry: true
Validated Certificate claims: false
WARNING: git verify-commit does not verify cert claims. Prefer using `gitsign verify` instead.
jas@kaka:~/foo$ 

/Simon

Simon Josefsson <simon@josefsson.org> writes:

> The readme is fairly straight forward:
>
> https://github.com/sigstore/gitsign#configuration
>
> https://github.com/sigstore/gitsign#usage
>
> Here is a bit different take:
>
> https://www.chainguard.dev/unchained/keyless-git-commit-signing-with-gitsign-and-github-actions
>
> Or
>
> https://about.gitlab.com/blog/2023/09/13/keyless-signing-with-cosign/
>
> /Simon
>
> On 5 Dec. 2024 at 01:53, Otto Kekäläinen <otto@debian.org> wrote:
>
> > Thanks Simon for working on this!
> >
> > Can you point to a man page or blog post or README to help people like
> > me learn what this is and how it is designed to be used?
>

Attachment: signature.asc
Description: PGP signature
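The transcript above shows the security-relevant difference between `git verify-commit` / `git verify-tag` (which leave "Validated Certificate claims: false") and `gitsign verify` pinned to an identity and an OIDC issuer (which validates them). The following is an added example, not code from Simon's mail or from the gitsign project: a small POSIX sh policy wrapper that accepts a commit only when gitsign reports all three validations as true, and applies that check over a whole commit range. The expected identity and issuer are assumed to be supplied by the caller; the sample gitsign outputs embedded in `demo_policy` are constructed, modelled on the lines shown in the transcript, so the parsing logic can be exercised without a network or a browser login.

```shell
#!/bin/sh
# Added example (not from the original mail or from the gitsign project).
# Policy: accept a commit only if `gitsign verify` reports
#   Validated Git signature: true
#   Validated Rekor entry: true
#   Validated Certificate claims: true
# `git verify-commit` never sets the third line to true, which is why the
# wrapper calls `gitsign verify` with an explicit identity and issuer
# (the same two flags used in the transcript in the mail).

# check_gitsign_output: reads gitsign verify output on stdin, returns 0
# only when signature, Rekor entry and certificate claims all validated.
check_gitsign_output() {
    sig=0; rekor=0; claims=0
    while IFS= read -r line; do
        case "$line" in
            "Validated Git signature: true")      sig=1 ;;
            "Validated Rekor entry: true")        rekor=1 ;;
            "Validated Certificate claims: true") claims=1 ;;
        esac
    done
    [ "$sig" -eq 1 ] && [ "$rekor" -eq 1 ] && [ "$claims" -eq 1 ]
}

# verify_commit_policy COMMIT IDENTITY ISSUER
# Runs gitsign verify pinned to IDENTITY/ISSUER (assumed to be passed in
# by the caller) and applies the policy above to its output.
verify_commit_policy() {
    commit=$1; identity=$2; issuer=$3
    gitsign verify \
        --certificate-identity="$identity" \
        --certificate-oidc-issuer="$issuer" \
        "$commit" 2>&1 | check_gitsign_output
}

# verify_range_policy RANGE IDENTITY ISSUER
# Checks every commit in a git range (e.g. origin/main..HEAD); the first
# rejected commit aborts the loop and makes the function return non-zero.
verify_range_policy() {
    range=$1; identity=$2; issuer=$3
    git rev-list "$range" | while IFS= read -r c; do
        if verify_commit_policy "$c" "$identity" "$issuer"; then
            echo "ACCEPT $c"
        else
            echo "REJECT $c (policy: signature, Rekor entry and cert claims must all validate)" >&2
            exit 1
        fi
    done
}

# demo_policy: offline self-check using CONSTRUCTED sample output modelled
# on the transcript. Returns 0 when the parser accepts the gitsign-verify
# style output and rejects the git-verify-commit style output.
demo_policy() {
    good='tlog index: 153586000
gitsign: Good signature from [simon@josefsson.org](https://github.com/login/oauth)
Validated Git signature: true
Validated Rekor entry: true
Validated Certificate claims: true'
    bad='tlog index: 153586000
gitsign: Good signature from [simon@josefsson.org](https://github.com/login/oauth)
Validated Git signature: true
Validated Rekor entry: true
Validated Certificate claims: false
WARNING: git verify-commit does not verify cert claims. Prefer using `gitsign verify` instead.'
    printf '%s\n' "$good" | check_gitsign_output || return 1
    if printf '%s\n' "$bad" | check_gitsign_output; then return 1; fi
    return 0
}
```

Usage on a real repository with gitsign installed: `verify_range_policy origin/main..HEAD simon@josefsson.org https://github.com/login/oauth`. Pinning both the identity and the issuer matters: a certificate with the same e-mail issued through a different OIDC provider is a different identity from the verifier's point of view, and gitsign only checks that binding when both flags are given.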

