signatures.lore.kernel.org archive mirror
* [PATCH 0/3] Test series signed by patatt-0.1.0
@ 2021-05-07 18:13 Konstantin Ryabitsev
  2021-05-07 18:13 ` [PATCH 1/3] Nicer crash for when PyNaCl isn't available Konstantin Ryabitsev
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Konstantin Ryabitsev @ 2021-05-07 18:13 UTC (permalink / raw)
  To: signatures

This is a PGP signing test with patatt-0.1.0.

Konstantin Ryabitsev (3):
  Nicer crash for when PyNaCl isn't available
  Throw a KeyError, not RuntimeError
  Add manpages and prepare for 0.1.0 release

 MANIFEST.in        |   2 +
 man/patatt.5       | 112 +++++++++++++++++++++++++++++++++++++++++++++
 man/patatt.5.rst   |  61 ++++++++++++++++++++++++
 patatt/__init__.py |  18 +++++---
 setup.py           |   3 +-
 5 files changed, 189 insertions(+), 7 deletions(-)
 create mode 100644 man/patatt.5
 create mode 100644 man/patatt.5.rst

-- 
2.31.1



* [PATCH 1/3] Nicer crash for when PyNaCl isn't available
  2021-05-07 18:13 [PATCH 0/3] Test series signed by patatt-0.1.0 Konstantin Ryabitsev
@ 2021-05-07 18:13 ` Konstantin Ryabitsev
  2021-05-07 18:13 ` [PATCH 2/3] Throw a KeyError, not RuntimeError Konstantin Ryabitsev
  2021-05-07 18:13 ` [PATCH 3/3] Add manpages and prepare for 0.1.0 release Konstantin Ryabitsev
  2 siblings, 0 replies; 4+ messages in thread
From: Konstantin Ryabitsev @ 2021-05-07 18:13 UTC (permalink / raw)
  To: signatures

Don't backtrace all over the screen -- give a nice error message.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
---
 patatt/__init__.py | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/patatt/__init__.py b/patatt/__init__.py
index a3870b8..e54bb10 100644
--- a/patatt/__init__.py
+++ b/patatt/__init__.py
@@ -222,8 +222,11 @@ class DevsigHeader:
     @staticmethod
     def _sign_ed25519(payload: bytes, privkey: bytes) -> Tuple[bytes, bytes]:
         global KEYCACHE
-        from nacl.signing import SigningKey
-        from nacl.encoding import Base64Encoder
+        try:
+            from nacl.signing import SigningKey
+            from nacl.encoding import Base64Encoder
+        except ModuleNotFoundError:
+            raise RuntimeError('This operation requires PyNaCl libraries')
 
         if privkey not in KEYCACHE:
             sk = SigningKey(privkey, encoder=Base64Encoder)
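Review bot: In `_sign_ed25519`, `except ModuleNotFoundError:` only covers the case where the `nacl` package is absent; an install that is present but fails to load raises plain `ImportError` and would still backtrace, which is what this patch sets out to avoid. Catching `ImportError` covers both cases. The `raise RuntimeError(...)` inside the `except` block is also implicitly chained to the original exception, so an uncaught error still prints both tracebacks; `raise RuntimeError(...) from None` suppresses the chain.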
@@ -238,9 +241,12 @@ class DevsigHeader:
 
     @staticmethod
     def _validate_ed25519(sigdata: bytes, pubkey: bytes) -> bytes:
-        from nacl.signing import VerifyKey
-        from nacl.encoding import Base64Encoder
-        from nacl.exceptions import BadSignatureError
+        try:
+            from nacl.signing import VerifyKey
+            from nacl.encoding import Base64Encoder
+            from nacl.exceptions import BadSignatureError
+        except ModuleNotFoundError:
+            raise RuntimeError('This operation requires PyNaCl libraries')
 
         vk = VerifyKey(pubkey, encoder=Base64Encoder)
         try:
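Review bot: The import guard in `_validate_ed25519` duplicates the block added to `_sign_ed25519`, message included; a small shared helper would keep the two copies from drifting apart. Because the `RuntimeError` is raised ahead of the `try:` at the end of this hunk, it is a separate failure from whatever that block handles, and a comment or docstring should say that callers must report it as "could not validate" and never treat it as a validation result.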
-- 
2.31.1



* [PATCH 2/3] Throw a KeyError, not RuntimeError
  2021-05-07 18:13 [PATCH 0/3] Test series signed by patatt-0.1.0 Konstantin Ryabitsev
  2021-05-07 18:13 ` [PATCH 1/3] Nicer crash for when PyNaCl isn't available Konstantin Ryabitsev
@ 2021-05-07 18:13 ` Konstantin Ryabitsev
  2021-05-07 18:13 ` [PATCH 3/3] Add manpages and prepare for 0.1.0 release Konstantin Ryabitsev
  2 siblings, 0 replies; 4+ messages in thread
From: Konstantin Ryabitsev @ 2021-05-07 18:13 UTC (permalink / raw)
  To: signatures

Don't die when running outside of a git checkout, just ignore ref:
keyring locations.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
---
 patatt/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/patatt/__init__.py b/patatt/__init__.py
index e54bb10..2f380e0 100644
--- a/patatt/__init__.py
+++ b/patatt/__init__.py
@@ -684,7 +684,7 @@ def get_public_key(source: str, keytype: str, identity: str, selector: str) -> T
     if source.find('ref:') == 0:
         gittop = get_git_toplevel()
         if not gittop:
-            raise RuntimeError('Not in a git tree, so cannot use a ref: source')
+            raise KeyError('Not in a git tree, so cannot use a ref: source')
         # format is: ref:refspec:path
         # or it could omit the refspec, meaning "whatever the current ref"
         # but it should always have at least two ":"
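Review bot: `raise KeyError('Not in a git tree, so cannot use a ref: source')` under `if not gittop:` reuses the missing-key exception for a condition that is really an unusable source, and nothing in this hunk catches it, so the "just ignore" behaviour in the commit message depends on a caller outside the diff. Please add a comment naming where it is caught (or use a dedicated exception), and consider logging when a `ref:` source is skipped so that a misconfigured keyring location is not dropped silently during validation. Note also that `str()` of a `KeyError` wraps the message in quotes, which will show up if the text is ever printed.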
-- 
2.31.1



* [PATCH 3/3] Add manpages and prepare for 0.1.0 release
  2021-05-07 18:13 [PATCH 0/3] Test series signed by patatt-0.1.0 Konstantin Ryabitsev
  2021-05-07 18:13 ` [PATCH 1/3] Nicer crash for when PyNaCl isn't available Konstantin Ryabitsev
  2021-05-07 18:13 ` [PATCH 2/3] Throw a KeyError, not RuntimeError Konstantin Ryabitsev
@ 2021-05-07 18:13 ` Konstantin Ryabitsev
  2 siblings, 0 replies; 4+ messages in thread
From: Konstantin Ryabitsev @ 2021-05-07 18:13 UTC (permalink / raw)
  To: signatures

It's time to cut the first release, I think.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
---
 MANIFEST.in      |   2 +
 man/patatt.5     | 112 +++++++++++++++++++++++++++++++++++++++++++++++
 man/patatt.5.rst |  61 ++++++++++++++++++++++++++
 setup.py         |   3 +-
 4 files changed, 177 insertions(+), 1 deletion(-)
 create mode 100644 man/patatt.5
 create mode 100644 man/patatt.5.rst

diff --git a/MANIFEST.in b/MANIFEST.in
index e72662c..b62d6b7 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,2 +1,4 @@
 include COPYING
+include DCO
 include README.rst
+include man/*.rst
diff --git a/man/patatt.5 b/man/patatt.5
new file mode 100644
index 0000000..5e97753
--- /dev/null
+++ b/man/patatt.5
@@ -0,0 +1,112 @@
+.\" Man page generated from reStructuredText.
+.
+.TH PATATT 5 "2021-05-07" "0.1.0" ""
+.SH NAME
+PATATT \- DKIM-like cryptographic patch attestation
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH SYNOPSIS
+.sp
+patatt {sign,validate,genkey} [options]
+.SH DESCRIPTION
+.sp
+This tools allows cryptographically signing patches sent via email
+by using DKIM\-like message headers. This approach is both effective and
+doesn\(aqt interfere with other code review tools the way inline or
+detached PGP signatures do. For a full overview of core concepts and
+considerations, please see README.
+.sp
+If you already have a PGP key configured for signing git tags or
+commits, then you should be able to use patatt without any additional
+configuration. Try running the following in any git repository:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+git format\-patch \-1 \-\-stdout | patatt sign
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+If patatt is not finding your PGP key, try adding the following to your
+~/.gitconfig:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+[user]
+    signingkey = [yourkeyid]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+To find out your keyid, run \fBgpg \-\-list\-secret\-keys\fP\&. If you want to
+use a specific subkey, you can specify the subkey ID with a \fB!\fP at the
+end.
+.SH USING AS A GIT HOOK
+.sp
+If you use \fBgit\-send\-email\fP for sending patches, then you can get
+them automatically signed via the \fBsendemail\-validate\fP hook:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+$ echo \(aqpatatt sign \-\-hook "${1}"\(aq >> .git/hooks/sendemail\-validate
+$ chmod a+x .git/hooks/sendemail\-validate
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH SUBCOMMANDS
+.INDENT 0.0
+.IP \(bu 2
+\fIpatatt sign\fP: sign stdin or RFC2822 files passed as arguments
+.IP \(bu 2
+\fIpatatt validate\fP: basic validation for signed messages
+.IP \(bu 2
+\fIpatatt genkey\fP: generate a new ed25519 keypair
+.UNINDENT
+.sp
+You can run \fBpatatt [subcommand] \-\-help\fP to see a summary of flags for
+each subcommand.
+.SH SUPPORT
+.sp
+Please email \fI\%tools@linux.kernel.org\fP with support requests.
+.SH AUTHOR
+mricon@kernel.org
+
+License: MIT-0
+.SH COPYRIGHT
+The Linux Foundation and contributors
+.\" Generated by docutils manpage writer.
+.
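Review bot: `man/patatt.5` is generated output (`Man page generated from reStructuredText.`) committed next to its source, so the two can drift whenever `man/patatt.5.rst` is edited without regenerating; either build it at packaging time or document the regeneration command. Separately, `.TH PATATT 5` files this under section 5 (file formats and conventions), while the SYNOPSIS documents a command, `patatt {sign,validate,genkey} [options]`, which belongs in section 1.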
diff --git a/man/patatt.5.rst b/man/patatt.5.rst
new file mode 100644
index 0000000..f607ed9
--- /dev/null
+++ b/man/patatt.5.rst
@@ -0,0 +1,61 @@
+PATATT
+======
+-----------------------------------------
+DKIM-like cryptographic patch attestation
+-----------------------------------------
+
+:Author:    mricon@kernel.org
+:Date:      2021-05-07
+:Copyright: The Linux Foundation and contributors
+:License:   MIT-0
+:Version:   0.1.0
+:Manual section: 5
+
+SYNOPSIS
+--------
+patatt {sign,validate,genkey} [options]
+
+DESCRIPTION
+-----------
+This tools allows cryptographically signing patches sent via email
+by using DKIM-like message headers. This approach is both effective and
+doesn't interfere with other code review tools the way inline or
+detached PGP signatures do. For a full overview of core concepts and
+considerations, please see README.
+
+If you already have a PGP key configured for signing git tags or
+commits, then you should be able to use patatt without any additional
+configuration. Try running the following in any git repository::
+
+    git format-patch -1 --stdout | patatt sign
+
+If patatt is not finding your PGP key, try adding the following to your
+~/.gitconfig::
+
+    [user]
+        signingkey = [yourkeyid]
+
+To find out your keyid, run ``gpg --list-secret-keys``. If you want to
+use a specific subkey, you can specify the subkey ID with a ``!`` at the
+end.
+
+USING AS A GIT HOOK
+-------------------
+If you use ``git-send-email`` for sending patches, then you can get
+them automatically signed via the ``sendemail-validate`` hook::
+
+    $ echo 'patatt sign --hook "${1}"' >> .git/hooks/sendemail-validate
+    $ chmod a+x .git/hooks/sendemail-validate
+
+SUBCOMMANDS
+-----------
+* *patatt sign*: sign stdin or RFC2822 files passed as arguments
+* *patatt validate*: basic validation for signed messages
+* *patatt genkey*: generate a new ed25519 keypair
+
+You can run ``patatt [subcommand] --help`` to see a summary of flags for
+each subcommand.
+
+SUPPORT
+-------
+Please email tools@linux.kernel.org with support requests.
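Review bot: In USING AS A GIT HOOK, `echo 'patatt sign --hook "${1}"' >> .git/hooks/sendemail-validate` appends a single line, so a hook file that did not exist before ends up with no `#!` interpreter line; showing the complete hook file, shebang included, would be safer for readers who copy it verbatim. Also, DESCRIPTION opens with "This tools allows", which should read "This tool allows", and `:Manual section: 5` should be revisited since the page documents a command.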
diff --git a/setup.py b/setup.py
index 3eb5a8f..7fa6809 100644
--- a/setup.py
+++ b/setup.py
@@ -33,8 +33,9 @@ setup(
     author_email='mricon@kernel.org',
     packages=['patatt'],
     license='MIT-0',
-    long_description=read('README'),
+    long_description=read('README.rst'),
     long_description_content_type='text/x-rst',
+    data_files = [('share/man/man5', ['man/patatt.5'])],
     keywords=['git', 'patches', 'attestation'],
     install_requires=[
         'pynacl',
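Review bot: `data_files = [('share/man/man5', ['man/patatt.5'])],` puts spaces around `=` in a keyword argument, unlike every neighbouring line in the `setup(` call; write `data_files=[...]`. The switch from `read('README')` to `read('README.rst')` is a fix in its own right that the commit message does not mention; a line in the message, or a separate commit, would make it easier to find later.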
-- 
2.31.1


