* [PATCH 0/5] Documentation/technical: describe signature formats
@ 2016-06-17  7:46 Michael J Gruber
  2016-06-17  7:46 ` [PATCH 1/5] " Michael J Gruber
                   ` (5 more replies)
  0 siblings, 6 replies; 9+ messages in thread
From: Michael J Gruber @ 2016-06-17  7:46 UTC (permalink / raw)
  To: git

As promised a while ago, here is a little series that describes the signature
formats that we use in Git. The series sets up the basic structure first
and then describes each format in one patch.

The series grew out of my own efforts to get an overview and structure my
understanding before I can set about refactoring what we have. Things
that became apparent immediately:

- We don't support verifying push certificates, although they fit in with
  git verify-tag. Patch has been submitted, and this series documents the
  result already (git verify-tag --blob).

- We don't support verifying signed merge tags other than by using log/show,
  which is not quite fit for scripting.

- We have signature parsing code all over the place, including places that
  should probably abstract more, such as tag.c and log-tree.c.

- We may want to give more support for deciding about the trustworthiness
  of signatures, the same way we export information to receive hooks
  in the presence of push certificates. (Give information, don't decide.)

Michael J Gruber (5):
  Documentation/technical: describe signature formats
  Documentation/technical: signed tag format
  Documentation/technical: signed commit format
  Documentation/technical: signed merge tag format
  Documentation/technical: push certificate format

 Documentation/Makefile                       |   1 +
 Documentation/technical/signature-format.txt | 242 +++++++++++++++++++++++++++
 2 files changed, 243 insertions(+)
 create mode 100644 Documentation/technical/signature-format.txt

-- 
2.9.0.382.g87fd384



* [PATCH 1/5] Documentation/technical: describe signature formats
  2016-06-17  7:46 [PATCH 0/5] Documentation/technical: describe signature formats Michael J Gruber
@ 2016-06-17  7:46 ` Michael J Gruber
  2016-06-17  7:46 ` [PATCH 2/5] Documentation/technical: signed tag format Michael J Gruber
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Michael J Gruber @ 2016-06-17  7:46 UTC (permalink / raw)
  To: git

We use different types of signature formats in different places.
Set up the infrastructure and overview to describe them systematically
in our technical documentation.

Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net>
---
 Documentation/Makefile                       |  1 +
 Documentation/technical/signature-format.txt | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 Documentation/technical/signature-format.txt

diff --git a/Documentation/Makefile b/Documentation/Makefile
index 35c1385..b43d66e 100644
--- a/Documentation/Makefile
+++ b/Documentation/Makefile
@@ -76,6 +76,7 @@ TECH_DOCS += technical/protocol-common
 TECH_DOCS += technical/racy-git
 TECH_DOCS += technical/send-pack-pipeline
 TECH_DOCS += technical/shallow
+TECH_DOCS += technical/signature-format
 TECH_DOCS += technical/trivial-merge
 SP_ARTICLES += $(TECH_DOCS)
 SP_ARTICLES += technical/api-index
diff --git a/Documentation/technical/signature-format.txt b/Documentation/technical/signature-format.txt
new file mode 100644
index 0000000..fda4fb8
--- /dev/null
+++ b/Documentation/technical/signature-format.txt
@@ -0,0 +1,17 @@
+Git signature format
+====================
+
+== Overview
+
+Git uses cryptographic signatures in various places, currently objects (tags,
+commits, mergetags) and transactions (pushes). In every case, the command which
+is about to create an object or transaction determines a payload from that,
+calls gpg to obtain a detached signature for the payload (`gpg -bsa`) and
+embeds the signature into the object or transaction.
+
+Signatures always begin with `-----BEGIN PGP SIGNATURE-----`
+and end with `-----END PGP SIGNATURE-----`, unless gpg is told to
+produce RFC1991 signatures which use `MESSAGE` instead of `SIGNATURE`.
+
+The signed payload and the way the signature is embedded depends
+on the type of the object resp. transaction.
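Review bot: In the Overview, "determines a payload from that" leaves the signed bytes undefined, and this file is where a verifier author will look for them; say explicitly that the payload is the object or transaction content without the signature, with the per-type sections giving the details. In the last paragraph, "depends" should be "depend" (two subjects), and "resp." reads better as "or transaction, respectively".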
-- 
2.9.0.382.g87fd384



* [PATCH 2/5] Documentation/technical: signed tag format
  2016-06-17  7:46 [PATCH 0/5] Documentation/technical: describe signature formats Michael J Gruber
  2016-06-17  7:46 ` [PATCH 1/5] " Michael J Gruber
@ 2016-06-17  7:46 ` Michael J Gruber
  2016-06-17  7:46 ` [PATCH 3/5] Documentation/technical: signed commit format Michael J Gruber
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Michael J Gruber @ 2016-06-17  7:46 UTC (permalink / raw)
  To: git

Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net>
---
 Documentation/technical/signature-format.txt | 47 ++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/Documentation/technical/signature-format.txt b/Documentation/technical/signature-format.txt
index fda4fb8..833afff 100644
--- a/Documentation/technical/signature-format.txt
+++ b/Documentation/technical/signature-format.txt
@@ -15,3 +15,50 @@ produce RFC1991 signatures which use `MESSAGE` instead of `SIGNATURE`.
 
 The signed payload and the way the signature is embedded depends
 on the type of the object resp. transaction.
+
+== Tag signatures
+
+- created by: `git tag -s`
+- payload: annotated tag object
+- embedding: append the signature to the unsigned tag object
+- example: tag `signedtag` with subject `signed tag`
+
+----
+object 04b871796dc0420f8e7561a895b52484b701d51a
+type commit
+tag signedtag
+tagger C O Mitter <committer@example.com> 1465981006 +0000
+
+signed tag
+
+signed tag message body
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQEcBAABAgAGBQJXYRhOAAoJEGEJLoW3InGJklkIAIcnhL7RwEb/+QeX9enkXhxn
+rxfdqrvWd1K80sl2TOt8Bg/NYwrUBw/RWJ+sg/hhHp4WtvE1HDGHlkEz3y11Lkuh
+8tSxS3qKTxXUGozyPGuE90sJfExhZlW4knIQ1wt/yWqM+33E9pN4hzPqLwyrdods
+q8FWEqPPUbSJXoMbRPw04S5jrLtZSsUWbRYjmJCHzlhSfFWW4eFd37uquIaLUBS0
+rkC3Jrx7420jkIpgFcTI2s60uhSQLzgcCwdA2ukSYIRnjg/zDkj8+3h/GaROJ72x
+lZyI6HWixKJkWw8lE9aAOD9TmTW9sFJwcVAzmAuFX2kUreDUKMZduGcoRYGpD7E=
+=jpXa
+-----END PGP SIGNATURE-----
+----
+
+- verify with: `git verify-tag [-v]` or `git tag -v`
+
+----
+gpg: Signature made Wed Jun 15 10:56:46 2016 CEST using RSA key ID B7227189
+gpg: Good signature from "Eris Discordia <discord@example.net>"
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
+object 04b871796dc0420f8e7561a895b52484b701d51a
+type commit
+tag signedtag
+tagger C O Mitter <committer@example.com> 1465981006 +0000
+
+signed tag
+
+signed tag message body
+----
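Review bot: The output block after "verify with" shows the tag header and message below the gpg lines, which is what the `-v` form prints, while the bullet lists `-v` as optional; label the block as `git verify-tag -v` output so that readers scripting the plain form do not expect the payload. The "payload: annotated tag object" bullet could also say that the payload is the tag object as it stands before the signature is appended, to match the "embedding" bullet.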
-- 
2.9.0.382.g87fd384



* [PATCH 3/5] Documentation/technical: signed commit format
  2016-06-17  7:46 [PATCH 0/5] Documentation/technical: describe signature formats Michael J Gruber
  2016-06-17  7:46 ` [PATCH 1/5] " Michael J Gruber
  2016-06-17  7:46 ` [PATCH 2/5] Documentation/technical: signed tag format Michael J Gruber
@ 2016-06-17  7:46 ` Michael J Gruber
  2016-06-17  7:46 ` [PATCH 4/5] Documentation/technical: signed merge tag format Michael J Gruber
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Michael J Gruber @ 2016-06-17  7:46 UTC (permalink / raw)
  To: git

Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net>
---
 Documentation/technical/signature-format.txt | 48 ++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/Documentation/technical/signature-format.txt b/Documentation/technical/signature-format.txt
index 833afff..8ae1dc3 100644
--- a/Documentation/technical/signature-format.txt
+++ b/Documentation/technical/signature-format.txt
@@ -62,3 +62,51 @@ signed tag
 
 signed tag message body
 ----
+
+== Commit signatures
+
+- created by: `git commit -S`
+- payload: commit object
+- embedding: header entry `gpgsig`
+  (content is preceded by a space)
+- example: commit with subject `signed commit`
+
+----
+tree eebfed94e75e7760540d1485c740902590a00332
+parent 04b871796dc0420f8e7561a895b52484b701d51a
+author A U Thor <author@example.com> 1465981137 +0000
+committer C O Mitter <committer@example.com> 1465981137 +0000
+gpgsig -----BEGIN PGP SIGNATURE-----
+ Version: GnuPG v1
+ 
+ iQEcBAABAgAGBQJXYRjRAAoJEGEJLoW3InGJ3IwIAIY4SA6GxY3BjL60YyvsJPh/
+ HRCJwH+w7wt3Yc/9/bW2F+gF72kdHOOs2jfv+OZhq0q4OAN6fvVSczISY/82LpS7
+ DVdMQj2/YcHDT4xrDNBnXnviDO9G7am/9OE77kEbXrp7QPxvhjkicHNwy2rEflAA
+ zn075rtEERDHr8nRYiDh8eVrefSO7D+bdQ7gv+7GsYMsd2auJWi1dHOSfTr9HIF4
+ HJhWXT9d2f8W+diRYXGh4X0wYiGg6na/soXc+vdtDYBzIxanRqjg8jCAeo1eOTk1
+ EdTwhcTZlI0x5pvJ3H0+4hA2jtldVtmPM4OTB0cTrEWBad7XV6YgiyuII73Ve3I=
+ =jKHM
+ -----END PGP SIGNATURE-----
+
+signed commit
+
+signed commit message body
+----
+
+- verify with: `git verify-commit [-v]` (or `git show --show-signature`)
+
+----
+gpg: Signature made Wed Jun 15 10:58:57 2016 CEST using RSA key ID B7227189
+gpg: Good signature from "Eris Discordia <discord@example.net>"
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
+tree eebfed94e75e7760540d1485c740902590a00332
+parent 04b871796dc0420f8e7561a895b52484b701d51a
+author A U Thor <author@example.com> 1465981137 +0000
+committer C O Mitter <committer@example.com> 1465981137 +0000
+
+signed commit
+
+signed commit message body
+----
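Review bot: "payload: commit object" does not say that the signed bytes exclude the `gpgsig` header itself; the verify output at the end of the hunk shows the commit without it, so state that in the bullet. "(content is preceded by a space)" is also easy to misread: in the example every continuation line of the signature, including the empty armor line, starts with one space, and that line is trailing whitespace in this file, so it may trip whitespace checks such as `git diff --check`.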
-- 
2.9.0.382.g87fd384



* [PATCH 4/5] Documentation/technical: signed merge tag format
  2016-06-17  7:46 [PATCH 0/5] Documentation/technical: describe signature formats Michael J Gruber
                   ` (2 preceding siblings ...)
  2016-06-17  7:46 ` [PATCH 3/5] Documentation/technical: signed commit format Michael J Gruber
@ 2016-06-17  7:46 ` Michael J Gruber
  2016-06-17  7:46 ` [PATCH 5/5] Documentation/technical: push certificate format Michael J Gruber
  2016-06-17 17:38 ` [PATCH 0/5] Documentation/technical: describe signature formats Junio C Hamano
  5 siblings, 0 replies; 9+ messages in thread
From: Michael J Gruber @ 2016-06-17  7:46 UTC (permalink / raw)
  To: git

Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net>
---
 Documentation/technical/signature-format.txt | 74 ++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)

diff --git a/Documentation/technical/signature-format.txt b/Documentation/technical/signature-format.txt
index 8ae1dc3..7afd403 100644
--- a/Documentation/technical/signature-format.txt
+++ b/Documentation/technical/signature-format.txt
@@ -110,3 +110,77 @@ signed commit
 
 signed commit message body
 ----
+
+== Mergetag signatures
+
+- created by: `git merge` on signed tag
+- payload/embedding: the whole signed tag object is embedded into
+  the (merge) commit object as header entry `mergetag`
+- example: merge of the signed tag `signedtag` as above
+
+----
+tree c7b1cff039a93f3600a1d18b82d26688668c7dea
+parent c33429be94b5f2d3ee9b0adad223f877f174b05d
+parent 04b871796dc0420f8e7561a895b52484b701d51a
+author A U Thor <author@example.com> 1465982009 +0000
+committer C O Mitter <committer@example.com> 1465982009 +0000
+mergetag object 04b871796dc0420f8e7561a895b52484b701d51a
+ type commit
+ tag signedtag
+ tagger C O Mitter <committer@example.com> 1465981006 +0000
+ 
+ signed tag
+ 
+ signed tag message body
+ -----BEGIN PGP SIGNATURE-----
+ Version: GnuPG v1
+ 
+ iQEcBAABAgAGBQJXYRhOAAoJEGEJLoW3InGJklkIAIcnhL7RwEb/+QeX9enkXhxn
+ rxfdqrvWd1K80sl2TOt8Bg/NYwrUBw/RWJ+sg/hhHp4WtvE1HDGHlkEz3y11Lkuh
+ 8tSxS3qKTxXUGozyPGuE90sJfExhZlW4knIQ1wt/yWqM+33E9pN4hzPqLwyrdods
+ q8FWEqPPUbSJXoMbRPw04S5jrLtZSsUWbRYjmJCHzlhSfFWW4eFd37uquIaLUBS0
+ rkC3Jrx7420jkIpgFcTI2s60uhSQLzgcCwdA2ukSYIRnjg/zDkj8+3h/GaROJ72x
+ lZyI6HWixKJkWw8lE9aAOD9TmTW9sFJwcVAzmAuFX2kUreDUKMZduGcoRYGpD7E=
+ =jpXa
+ -----END PGP SIGNATURE-----
+
+Merge tag 'signedtag' into downstream
+
+signed tag
+
+signed tag message body
+
+# gpg: Signature made Wed Jun 15 08:56:46 2016 UTC using RSA key ID B7227189
+# gpg: Good signature from "Eris Discordia <discord@example.net>"
+# gpg: WARNING: This key is not certified with a trusted signature!
+# gpg:          There is no indication that the signature belongs to the owner.
+# Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
+----
+
+- verify with: verification is embedded in merge commit message by default,
+  alternatively with `git show --show-signature`:
+
+----
+commit 9863f0c76ff78712b6800e199a46aa56afbcbd49
+merged tag 'signedtag'
+gpg: Signature made Wed Jun 15 10:56:46 2016 CEST using RSA key ID B7227189
+gpg: Good signature from "Eris Discordia <discord@example.net>"
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
+Merge: c33429b 04b8717
+Author: A U Thor <author@example.com>
+Date:   Wed Jun 15 09:13:29 2016 +0000
+
+    Merge tag 'signedtag' into downstream
+    
+    signed tag
+    
+    signed tag message body
+    
+    # gpg: Signature made Wed Jun 15 08:56:46 2016 UTC using RSA key ID B7227189
+    # gpg: Good signature from "Eris Discordia <discord@example.net>"
+    # gpg: WARNING: This key is not certified with a trusted signature!
+    # gpg:          There is no indication that the signature belongs to the owner.
+    # Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
+----
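Review bot: "verify with: verification is embedded in merge commit message by default" overstates what the `# gpg:` lines are: they are text recorded in the message when the merge was made, and a reader cannot tell from them whether the `mergetag` header still verifies. Reword so that the commented lines are described as a record of the merger's check and `git show --show-signature` is the verification step; the bullets should also mention that the `mergetag` continuation lines carry the same one-space prefix as `gpgsig`, as the example shows.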
-- 
2.9.0.382.g87fd384



* [PATCH 5/5] Documentation/technical: push certificate format
  2016-06-17  7:46 [PATCH 0/5] Documentation/technical: describe signature formats Michael J Gruber
                   ` (3 preceding siblings ...)
  2016-06-17  7:46 ` [PATCH 4/5] Documentation/technical: signed merge tag format Michael J Gruber
@ 2016-06-17  7:46 ` Michael J Gruber
  2016-06-17  8:54   ` [PATCHv2] " Michael J Gruber
  2016-06-17 17:38 ` [PATCH 0/5] Documentation/technical: describe signature formats Junio C Hamano
  5 siblings, 1 reply; 9+ messages in thread
From: Michael J Gruber @ 2016-06-17  7:46 UTC (permalink / raw)
  To: git

Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net>
---
 Documentation/technical/signature-format.txt | 56 ++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/Documentation/technical/signature-format.txt b/Documentation/technical/signature-format.txt
index 7afd403..c50602f 100644
--- a/Documentation/technical/signature-format.txt
+++ b/Documentation/technical/signature-format.txt
@@ -184,3 +184,59 @@ Date:   Wed Jun 15 09:13:29 2016 +0000
     # gpg:          There is no indication that the signature belongs to the owner.
     # Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
 ----
+
+== Push certificates
+
+- created by: `git push --signed`
+- payload: a push certificate header followed by the push transcript
+  (see pack-protocol.txt and below)
+- embedding: append the signature to the push transcript and pass it to receive hooks
+  via the environment (see below)
+- example: push of commit `dd1416f` updating `master` on `.` from `d36de3d`,
+  resulting in push certificate object `d4169b9`:
+
+----
+certificate version 0.1
+pusher C O Mitter <committer@example.com> 1465983405 +0000
+pushee .
+nonce 1465983405-07421dc1515c6f4d76d4
+
+d36de3db9b6a83076477254a3186b721a7bfaab7 dd1416f2cd1ec85957a9520a33e9053a133a775d refs/heads/master
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iEYEABECAAYFAldhIa0ACgkQE7b1Hs3eQw2pGwCgmJs98xETSDZb6rooh/X7af3V
+zWgAn08ctVNga27jRkIdhFNetJy3x8De
+=WH0m
+-----END PGP SIGNATURE-----
+----
+
+- verify with: `git verify-tag --blob [-v]`
+
+----
+gpg: Signature made Wed Jun 15 11:36:45 2016 CEST using DSA key ID CDDE430D
+gpg: Good signature from "C O Mitter <committer@example.com>"
+certificate version 0.1
+pusher C O Mitter <committer@example.com> 1465983405 +0000
+pushee .
+nonce 1465983405-07421dc1515c6f4d76d4
+
+d36de3db9b6a83076477254a3186b721a7bfaab7 dd1416f2cd1ec85957a9520a33e9053a133a775d refs/heads/master
+----
+
+- pre- and post-receive hook input:
+
+----
+d36de3db9b6a83076477254a3186b721a7bfaab7 dd1416f2cd1ec85957a9520a33e9053a133a775d refs/heads/master
+----
+
+- pre- and post-receive hook environment:
+
+----
+GIT_PUSH_CERT_NONCE_STATUS=OK
+GIT_PUSH_CERT_KEY=13B6F51ECDDE430D
+GIT_PUSH_CERT=d4169b9a3c2674458f9656796132c145bbc5ba74
+GIT_PUSH_CERT_STATUS=G
+GIT_PUSH_CERT_SIGNER=C O Mitter <committer@example.com>
+GIT_PUSH_CERT_NONCE=1465983405-07421dc1515c6f4d76d4
+----
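Review bot: "verify with: `git verify-tag --blob [-v]`" documents an option that, per the cover letter, exists only as a submitted patch; this hunk should either wait for that patch or describe what works today. In the example bullet, "push certificate object `d4169b9`" should say what kind of object it is and how a reader gets at it, since the verify step operates on it.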
-- 
2.9.0.382.g87fd384



* [PATCHv2] Documentation/technical: push certificate format
  2016-06-17  7:46 ` [PATCH 5/5] Documentation/technical: push certificate format Michael J Gruber
@ 2016-06-17  8:54   ` Michael J Gruber
  2016-06-17 19:14     ` Junio C Hamano
  0 siblings, 1 reply; 9+ messages in thread
From: Michael J Gruber @ 2016-06-17  8:54 UTC (permalink / raw)
  To: git

Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net>
---
This is the version describing the current state, not assuming any new
verify command for blobs.

 Documentation/technical/signature-format.txt | 51 ++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/Documentation/technical/signature-format.txt b/Documentation/technical/signature-format.txt
index 7afd403..1c21379 100644
--- a/Documentation/technical/signature-format.txt
+++ b/Documentation/technical/signature-format.txt
@@ -184,3 +184,54 @@ Date:   Wed Jun 15 09:13:29 2016 +0000
     # gpg:          There is no indication that the signature belongs to the owner.
     # Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
 ----
+
+== Push certificates
+
+- created by: `git push --signed`
+- payload: a push certificate header followed by the push transcript
+  (see pack-protocol.txt and below)
+- embedding: append the signature to the push transcript and pass it to receive hooks
+  via the environment (see below)
+- example: push of commit `dd1416f` updating `master` on `.` from `d36de3d`,
+  resulting in push certificate object `d4169b9`:
+
+----
+certificate version 0.1
+pusher C O Mitter <committer@example.com> 1465983405 +0000
+pushee .
+nonce 1465983405-07421dc1515c6f4d76d4
+
+d36de3db9b6a83076477254a3186b721a7bfaab7 dd1416f2cd1ec85957a9520a33e9053a133a775d refs/heads/master
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iEYEABECAAYFAldhIa0ACgkQE7b1Hs3eQw2pGwCgmJs98xETSDZb6rooh/X7af3V
+zWgAn08ctVNga27jRkIdhFNetJy3x8De
+=WH0m
+-----END PGP SIGNATURE-----
+----
+
+- verify with: `gpg --verify <(git cat-file -p pushcert | sed -n '/-----BEGIN PGP/,$p') <(git cat-file -p pushcert | sed  '/-----BEGIN PGP/Q')`
+  (assuming the push certificate is stored in the blob tagged `pushcert`)
+
+----
+gpg: Signature made Wed Jun 15 11:36:45 2016 CEST using DSA key ID CDDE430D
+gpg: Good signature from "C O Mitter <committer@example.com>"
+----
+
+- pre- and post-receive hook input:
+
+----
+d36de3db9b6a83076477254a3186b721a7bfaab7 dd1416f2cd1ec85957a9520a33e9053a133a775d refs/heads/master
+----
+
+- pre- and post-receive hook environment:
+
+----
+GIT_PUSH_CERT_NONCE_STATUS=OK
+GIT_PUSH_CERT_KEY=13B6F51ECDDE430D
+GIT_PUSH_CERT=d4169b9a3c2674458f9656796132c145bbc5ba74
+GIT_PUSH_CERT_STATUS=G
+GIT_PUSH_CERT_SIGNER=C O Mitter <committer@example.com>
+GIT_PUSH_CERT_NONCE=1465983405-07421dc1515c6f4d76d4
+----
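Review bot: The "verify with" line assumes "the blob tagged `pushcert`", but nothing in the section says how such a tag comes to exist; the hook environment block in this same hunk already names the certificate in `GIT_PUSH_CERT`, so the example would be easier to follow if it used that object name or explained the tagging step. The command also reads the blob twice and is long enough to deserve its own listing block rather than inline backticks.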
-- 
2.9.0.382.g87fd384



* Re: [PATCH 0/5] Documentation/technical: describe signature formats
  2016-06-17  7:46 [PATCH 0/5] Documentation/technical: describe signature formats Michael J Gruber
                   ` (4 preceding siblings ...)
  2016-06-17  7:46 ` [PATCH 5/5] Documentation/technical: push certificate format Michael J Gruber
@ 2016-06-17 17:38 ` Junio C Hamano
  5 siblings, 0 replies; 9+ messages in thread
From: Junio C Hamano @ 2016-06-17 17:38 UTC (permalink / raw)
  To: Michael J Gruber; +Cc: git

Michael J Gruber <git@drmicha.warpmail.net> writes:

> - We don't support verifying push certificates, although they fit in with
>   git verify-tag. Patch has been submitted, and this series documents the
>   result already (git verify-tag --blob).
>
> - We don't support verifying signed merge tags other than by using log/show,
>   which is not quite fit for scripting.

Both true and are good things to tackle, I would think.

It would be ideal if we can unify the latter with verification of
signed commits.

> - We have signature parsing code all over the place, including places that
>   should probably abstract more, such as tag.c and log-tree.c.

Looking forward to seeing the result of that new abstraction.

> - We may want to give more support for deciding about the trustworthiness
>   of signatures, the same way we export information to receive hooks
>   in the presence of push certificates. (Give information, don't decide.)

Again, true.

Thanks for starting this.

> Michael J Gruber (5):
>   Documentation/technical: describe signature formats
>   Documentation/technical: signed tag format
>   Documentation/technical: signed commit format
>   Documentation/technical: signed merge tag format
>   Documentation/technical: push certificate format
>
>  Documentation/Makefile                       |   1 +
>  Documentation/technical/signature-format.txt | 242 +++++++++++++++++++++++++++
>  2 files changed, 243 insertions(+)
>  create mode 100644 Documentation/technical/signature-format.txt


* Re: [PATCHv2] Documentation/technical: push certificate format
  2016-06-17  8:54   ` [PATCHv2] " Michael J Gruber
@ 2016-06-17 19:14     ` Junio C Hamano
  0 siblings, 0 replies; 9+ messages in thread
From: Junio C Hamano @ 2016-06-17 19:14 UTC (permalink / raw)
  To: Michael J Gruber; +Cc: git

Michael J Gruber <git@drmicha.warpmail.net> writes:

> Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net>
> ---
> This is the version describing the current state, not assuming any new
> verify command for blobs.
>
>  Documentation/technical/signature-format.txt | 51 ++++++++++++++++++++++++++++
>  1 file changed, 51 insertions(+)
>
> diff --git a/Documentation/technical/signature-format.txt b/Documentation/technical/signature-format.txt
> index 7afd403..1c21379 100644
> --- a/Documentation/technical/signature-format.txt
> +++ b/Documentation/technical/signature-format.txt
> @@ -184,3 +184,54 @@ Date:   Wed Jun 15 09:13:29 2016 +0000
>      # gpg:          There is no indication that the signature belongs to the owner.
>      # Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
>  ----
> +
> +== Push certificates
> +
> +- created by: `git push --signed`
> +- payload: a push certificate header followed by the push transcript
> +  (see pack-protocol.txt and below)
> +- embedding: append the signature to the push transcript and pass it to receive hooks
> +  via the environment (see below)
> +- example: push of commit `dd1416f` updating `master` on `.` from `d36de3d`,
> +  resulting in push certificate object `d4169b9`:
> +
> +----
> +certificate version 0.1
> +pusher C O Mitter <committer@example.com> 1465983405 +0000
> +pushee .
> +nonce 1465983405-07421dc1515c6f4d76d4
> +
> +d36de3db9b6a83076477254a3186b721a7bfaab7 dd1416f2cd1ec85957a9520a33e9053a133a775d refs/heads/master
> +-----BEGIN PGP SIGNATURE-----
> +Version: GnuPG v1
> +
> +iEYEABECAAYFAldhIa0ACgkQE7b1Hs3eQw2pGwCgmJs98xETSDZb6rooh/X7af3V
> +zWgAn08ctVNga27jRkIdhFNetJy3x8De
> +=WH0m
> +-----END PGP SIGNATURE-----
> +----
> +
> +- verify with: `gpg --verify <(git cat-file -p pushcert | sed -n '/-----BEGIN PGP/,$p') <(git cat-file -p pushcert | sed  '/-----BEGIN PGP/Q')`
> +  (assuming the push certificate is stored in the blob tagged `pushcert`)

And assuming your sed is GNU, assuming your shell is bash.

Let's have a version of this without "verify with", finish that
"generalized way to verify the 'payload followed by detached
signature'" patch, and add a description to use that command here
when it is done.

> +
> +----
> +gpg: Signature made Wed Jun 15 11:36:45 2016 CEST using DSA key ID CDDE430D
> +gpg: Good signature from "C O Mitter <committer@example.com>"
> +----
> +
> +- pre- and post-receive hook input:
> +
> +----
> +d36de3db9b6a83076477254a3186b721a7bfaab7 dd1416f2cd1ec85957a9520a33e9053a133a775d refs/heads/master
> +----
> +
> +- pre- and post-receive hook environment:
> +
> +----
> +GIT_PUSH_CERT_NONCE_STATUS=OK
> +GIT_PUSH_CERT_KEY=13B6F51ECDDE430D
> +GIT_PUSH_CERT=d4169b9a3c2674458f9656796132c145bbc5ba74
> +GIT_PUSH_CERT_STATUS=G
> +GIT_PUSH_CERT_SIGNER=C O Mitter <committer@example.com>
> +GIT_PUSH_CERT_NONCE=1465983405-07421dc1515c6f4d76d4
> +----
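
Review bot: The hook environment block lists `GIT_PUSH_CERT_STATUS=G` and `GIT_PUSH_CERT_NONCE_STATUS=OK` without saying what the values mean or which others can occur; a hook that enforces signed pushes has to test both, so add a short legend or a pointer to where they are defined.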

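The "payload followed by detached signature" split that the reply above asks to generalize, together with the `gpgsig` and `mergetag` header cases from patches 3/5 and 4/5, as an added example that is not part of the thread or of Git's code. The function names and the sample objects are constructed for illustration; the split happens at the first armor line, as the sed command in the thread does.

```python
import re
import subprocess
import tempfile

# Armor start line; RFC1991-style output says MESSAGE instead of SIGNATURE.
BEGIN = re.compile(rb"^-----BEGIN PGP (?:SIGNATURE|MESSAGE)-----$", re.M)


def split_appended(raw):
    """Tag or push certificate: (payload, signature), split at the first
    armor line like the sed one-liner in the thread; signature is None if unsigned."""
    m = BEGIN.search(raw)
    if m is None:
        return raw, None
    return raw[:m.start()], raw[m.start():]


def pop_header(raw, name):
    """Commit object: remove the first header `name` (b"gpgsig", b"mergetag").

    Returns (object without the header, unfolded value or None). Each
    continuation line carries one leading space, which is stripped.
    """
    head, sep, body = raw.partition(b"\n\n")
    kept, value, folding = [], [], False
    for line in head.split(b"\n"):
        if folding and line.startswith(b" "):
            value.append(line[1:])
        elif not value and line.startswith(name + b" "):
            folding = True
            value.append(line[len(name) + 1:])
        else:
            # Any later header of the same name stays in the payload, so a
            # duplicate makes verification fail (a choice of this example).
            folding = False
            kept.append(line)
    rest = b"\n".join(kept) + sep + body
    return rest, (b"\n".join(value) + b"\n" if value else None)


def gpg_verify(payload, signature):
    """True if gpg accepts the detached signature (exit status 0). That means
    cryptographically good, not that the key is trusted."""
    with tempfile.NamedTemporaryFile() as sig, tempfile.NamedTemporaryFile() as data:
        sig.write(signature)
        sig.flush()
        data.write(payload)
        data.flush()
        done = subprocess.run(["gpg", "--verify", sig.name, data.name],
                              capture_output=True)
    return done.returncode == 0


def fold(name, value):
    """Build a multi-line header the way the commit examples show it."""
    return name + b" " + value.rstrip(b"\n").replace(b"\n", b"\n ") + b"\n"


# Constructed sample objects; the armor body is a placeholder, not a real signature.
ARMOR = (b"-----BEGIN PGP SIGNATURE-----\n\n"
         b"Q09OU1RSVUNURUQ=\n"
         b"-----END PGP SIGNATURE-----\n")
TAG = (b"object 04b871796dc0420f8e7561a895b52484b701d51a\n"
       b"type commit\ntag signedtag\n"
       b"tagger C O Mitter <committer@example.com> 1465981006 +0000\n"
       b"\nsigned tag\n") + ARMOR
HEAD = (b"tree eebfed94e75e7760540d1485c740902590a00332\n"
        b"author A U Thor <author@example.com> 1465981137 +0000\n"
        b"committer C O Mitter <committer@example.com> 1465981137 +0000\n")
COMMIT = HEAD + fold(b"gpgsig", ARMOR) + b"\nsigned commit\n"
MERGE = HEAD + fold(b"mergetag", TAG) + b"\nMerge tag 'signedtag'\n"

if __name__ == "__main__":
    payload, sig = pop_header(COMMIT, b"gpgsig")
    print(payload.decode(), sig.decode(), sep="---\n")
    _, tag = pop_header(MERGE, b"mergetag")
    print(split_appended(tag)[0].decode())
```

For a merge commit the two steps chain: `pop_header(commit, b"mergetag")` recovers the embedded tag object, and `split_appended` on that value yields the payload and signature to hand to `gpg_verify`.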