Git

2541 readers

10 users here now

Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.

Resources

Rules

Follow programming.dev rules
Be excellent to each other, no hostility towards users for any reason
No spam of tools/companies/advertisements. It’s OK to post your own stuff part of the time, but the primary use of the community should not be self-promotion.

Git Logo by Jason Long is licensed under the Creative Commons Attribution 3.0 Unported License.

founded 1 year ago

MODERATORS

[email protected]

Decoupling GPG from Git (programming.dev)

submitted 1 year ago by [email protected] to c/[email protected]

5 comments fedilink hide all child comments

Over the last year I've been trying to understand why GPG isn't popular. Based on the features I think it's a pretty valid thing. This article changed my mind.

Turns out GPG is too old ¯_(ツ)_/¯

I like signing my commits, it feels good to know that my identity is actually attached to my code. So I put in some work to reconfigure git to use a different signing tool, I didn't think it would be such a big deal, turns out git fully intergrates GPG. I'm confused. Why does git need to be hardcoded to use GPG specifically?

What rule says we can't have git configs like:

[sigining]
  defaultMethod=minisign

[signing.minisign]
  always=true
  signCommand=minisign -S -s {secret-key-file} -x {sig-file-name} -m {target-file}
  verifyCommand=minisign -V -P {public-key-file} -m {target-file}

Where the verifyCommand exits 0 if the signature is good and 1 if not.

I'm open to hearing cons. These are some I can think of:

User's have to configure git with each signing and verifying program
Upstream security conserns from signing programs
Signing programs changing their interfaces

top 5 comments

sorted by: hot top controversial new old

[–] [email protected] 2 points 1 year ago (1 children)

Just wanted to say that you actually can sign git commits using SSH keys! :) It's nowhere close to being as flexible as what you suggest, but it's also not GPG, so there's that.

[–] [email protected] 1 points 1 year ago (1 children)

This is litterally just my feelings and not based of fact: but that feel icky to me to sign with ssh. IDK why but I'm just like that

[–] [email protected] 1 points 1 year ago

I am no cryptographer, but I understand that in the SSH protocol, the keys are only used for signing anyway: that is, the user is authenticated by saying "I want to authenticate with some key, and here's some data signed by this key", and this is completely separate to encryption. It also seems that GitHub encourages using separate keys for commit signing and general SSH access, which might alleviate some of the ickyness.

You are really not wrong though, I feel like people only started using SSH for this because it kinda worked and they already have been familiar with it.

[–] [email protected] 2 points 1 year ago (1 children)

There was a proposal to add universal signing to Git in 2021, but I think it went nowhere for various reasons (like breaking SHA-1 <-> SHA-256 signing interoperability, if I understand the discussion correctly).

[RFC PATCH v1 0/1] Universal cryptographic signing

[–] [email protected] 1 points 1 year ago

That's kind of a bummer