Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Trusted development path in git with signatures

Tags:

git

version-control

digital-signature

gnupg

I'd like to build a trusted path for software development. This means that every change in to code must be signed by the author and one reviewer, before being accepted. These signatures for the changes must be verifiable at release time, or there must be some other means of making sure the repository can not have been tampered, or additional changes added.

The version control system that I am expecting to use for this is git, but other options are also accepted. Signing can be via GnuPG or SSL certificates.

The workflow I am thinking would be roughly:

  1. Current verified trunk is branched
  2. Changes are developed in the branch by one or more developers
  3. One or more developers sign the changes made by the branch
  4. A reviewer reviews and tests the changes
  5. Reviewer signs the changes made by the branch
  6. Branch is "merged" in to current verified trunk

Merging does not have to be foolproof such as that unreviewed changes would need to be unmergeable to trunk - just that before a release, there needs to be a way to check if there are any unreviewed (unsigned) changes in trunk. And in general, tampering need not be prevented, only detected.

I'd like a short guide on how to set this up and how each operation is done. Once I get some pointers, I can figure out the specifics myself.

Also, I already know about 'git tag -s' technically, but I am unsure how to apply it to this particular problem.

like image 250
Nakedible Avatar asked Mar 11 '10 08:03

Nakedible

People also ask

How do you see if commit is signed?

If you're interested in signing commits directly instead of just the tags, all you need to do is add a -S to your git commit command. To see and verify these signatures, there is also a --show-signature option to git log .

What is signed commits in git?

Using GPG, SSH, or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can be confident that the changes come from a trusted source.

Why is signing commits important?

By signing your commits you can prove that you are the author. You can be sure the code has not been tampered with. And signed commits could act as a reliable source for an audit trail.

How many commands does GIT have?

There are three commands with similar names: git reset , git restore and git revert .

1 Answers

The changes will not be signed until you tag. Anything before that point can be verified by the author or by another out-of-band mechanism, but not from within git.

git can verify that a change's heritage is correct, but only the signed tag can verify the change itself is correct.

For your workflow, you may just find yourself tagging a lot.

like image 187
Dustin Avatar answered Oct 30 '22 23:10

Dustin
Sign in to Comment

Related questions

How can I get number of commits from Github API until certain branch
What are the consequences of renaming a fork on GitHub?
How can AWS CloudFormation pull code from Git?
How to exclude files & directories from git diff --no-index
Is it possible to make changes to code without changing the information reported by `git blame`?
Git push origin Permission to * denied fatal: Could not read from remote repository
git !alias that would work in both bash and Powershell
Can Git rename matching ignore whitespace changes?
How to control multiple framework versions of the same project in git
Git: How can I determine the filename where a given identifier was added or removed?
How do I change a submodule's name?
git word diff regex strange behaviour
homebrew install error Failed during: git fetch origin master:refs/remotes/origin/master --tags --force
"Rename from commit-graph.lock to commit-graph failed " when running git commands from a batch file
How to add better copy detection to gitk?
How to trigger Jenkins build without cloning the repository it is hooked to?
CLI grammar checker for determining tense
How do I import an existing CVS module into a subdirectory of an existing git repository
How to synchronize configuration between git setups?
Git: How to commit into SVN branch after rebase?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!