archive mirror
 help / color / mirror / Atom feed
From: Dave Huseby <>
Subject: [RFC PATCH v1 0/1] Universal cryptographic signing
Date: Fri,  7 May 2021 23:18:22 -0700	[thread overview]
Message-ID: <> (raw)

This RFC patchset is the beginning of a project generously sponsored by
Google and the Linux Foundation to modify Git to have universal
cryptographic signing capabilities. Curently Git only supports gpg and
gpgsm and the primary goal is to create the ability to use any
signing/verification tool to sign Git commits, tags, mergetags, and
pushes with a specific emphasis on supporting OpenSSH.

The goals of this project are:

- maintain full backwards compatibility without intervention. if it
  works today, it will work after these patches land without any
  modification to configs or support scripts.
- remove all tool-specific code and replace it with a protocol driver
  for using a standard protocol to talk to external signing and
  verification tools.
- normalize all of the command line switches so that they are the same
  for all tools that support signing and they are no longer tool
  specific (e.g. --sign instead of --gpgsign).
- add a new sign.* configuration structure for specifying tool specific
  configuration options (e.g. sign.openpgp.program) and deprecate all of
  the signing related config options that are no longer needed (e.g.
- make Git completely agnostic to the details of any signing regime by
  storing signature data and options verbatim inside of signed objects
  that it later passes to the associated verification tool.
- add new tests needed to cover the new functionality while keeping all
  of the old tests passing to verify backwards compatibility.

The proposed protocol for talking to signing/verification tools is a
pkt-line based protocol inspired by the Assuan protocol used by GPG for
IPC between its component executables. The full write-up on the proposed
protocol is here:

Like I said, this patchset is just the start of the project and all I
have done here is gone through all of the existing documentation and
updated it to reflect the normalized command line and config options as
well as documented the new sign.* config options and the proposed
signature format.

I am especially looking for feedback on the proposed protocol, signature
format and config structure. I have plans to follow up this project with
another project to add support for config directories (e.g.
.gitconfig.d) so that package maintainers will have an easier time of
adding sign.* config values for arbitrary signing tools.

As of right now, I have only grok'ed the handling of signed objects and
I have ignored signed pushes. I will be updating this patchset with
changes to the documentation for supporting universal signed pushes.

There's some sticky details around the transition to SHA256 that I think
I have worked out well enough that it won't get in the way. That is
documented in the hash-function-transition.txt file.

I know there is a lot here, this project cuts deep and will require tons
of test driven development to avoid killing the patient during surgery.
I look forward to the many long conversations on details ;)


Dave Huseby (1):
  Modifies documentation for universal cryptographic signing

 Documentation/config.txt                      |   2 +
 Documentation/config/commit.txt               |  23 +-
 Documentation/config/gpg.txt                  |  36 +--
 Documentation/config/push.txt                 |  18 +-
 Documentation/config/sign.txt                 |  72 ++++++
 Documentation/config/tag.txt                  |  27 +-
 Documentation/config/user.txt                 |  12 +-
 Documentation/git-am.txt                      |  43 +++-
 Documentation/git-cherry-pick.txt             |  43 +++-
 Documentation/git-commit-tree.txt             |  44 +++-
 Documentation/git-commit.txt                  |  43 +++-
 Documentation/git-fast-import.txt             |   2 +-
 Documentation/git-for-each-ref.txt            |   2 +-
 Documentation/git-mktag.txt                   |  32 ++-
 Documentation/git-rebase.txt                  |  44 +++-
 Documentation/git-revert.txt                  |  44 +++-
 Documentation/git-tag.txt                     | 102 +++++---
 Documentation/git-verify-commit.txt           |   8 +-
 Documentation/git-verify-tag.txt              |   8 +-
 Documentation/merge-options.txt               |  40 ++-
 Documentation/pretty-formats.txt              |   2 +-
 Documentation/pretty-options.txt              |   2 +-
 .../technical/hash-function-transition.txt    |  31 ++-
 .../technical/signature-format-v2.txt         | 232 ++++++++++++++++++
 Documentation/user-manual.txt                 |  40 +--
 25 files changed, 747 insertions(+), 205 deletions(-)
 create mode 100644 Documentation/config/sign.txt
 create mode 100644 Documentation/technical/signature-format-v2.txt


             reply	other threads:[~2021-05-08  6:18 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-08  6:18 Dave Huseby [this message]
2021-05-08  6:18 ` [RFC PATCH v1 1/1] Modifies documentation for universal " Dave Huseby
2021-05-08  7:52   ` Bagas Sanjaya
2021-05-09  0:16   ` brian m. carlson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \
    --subject='Re: [RFC PATCH v1 0/1] Universal cryptographic signing' \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).