author: Wolfgang Müller, 2021-05-22 13:22:34 +0200
committer: Wolfgang Müller, 2021-05-22 13:22:34 +0200
commit: 0da8a6e3d85a98e38b1abc2499f7e7b3fe5d9534
tree: ef5f061ddaecc6dee62a740ec7de297c5491fcf0 /posts
parent: 7d3a8b42587ba51c6f5c738d1c4c35cb7d405e20
posts: Add guide to verify a commit from a tarball
When generating archives, git-archive(1) puts the commit ID in the global extended pax header. Therefore, an interesting side effect of signing tarballs generated with git-archive(1) is that we also implicitly sign a commit. Whilst we don't expect anyone to go through the hurdles needed to verify such a commit signature, make sure to document this case anyway.
Diffstat (limited to 'posts'):

 -rw-r--r-- posts/verify-with-signify.md | 26
 1 file changed, 26 insertions, 0 deletions
diff --git a/posts/verify-with-signify.md b/posts/verify-with-signify.md
index 5103ccc..0fd22c4 100644
--- a/posts/verify-with-signify.md
+++ b/posts/verify-with-signify.md
@@ -56,4 +56,30 @@ the `sha256sum` tool to only verify the integrity of the download:
$ tail -n1 <snapshot>.asc | sha256sum -c
<snapshot>: OK
+### Verification of the corresponding commit
+
+Every tarball hosted here contains its corresponding commit ID in the global
+extended pax header[^2]. Therefore, if a tarball is signed, it may be used to verify
+a commit and all of its ancestors.
+
+To do so, place the tarball in the cloned git repository first. If you already
+have the detached signature, you may verify the tarball normally like shown
+above. Otherwise, you can fetch the signatures directly from the repository:
+
+ $ git fetch origin refs/notes/signatures/tar.gz:refs/notes/signatures/tar.gz
+
+Now you can verify the tarball like so:
+
+ $ git notes --ref=signatures/tar.gz show <version> | signify -Cp release.pub -x -
+ Signature Verified
+ <snapshot>: OK
+
+Once verified, you can extract the commit using
+[`git-get-tar-commit-id(1)`](https://git-scm.com/docs/git-get-tar-commit-id) and
+show it:
+
+ $ gzip -d -c <snapshot> | git get-tar-commit-id | xargs git show
+
[^1]: If you are interested in how this is put together, check out [this](signify-cgit) post.
+[^2]: [`git-archive(1)`](https://git-scm.com/docs/git-archive#_description) puts
+ it there.
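Review bot: the final step (`gzip -d -c <snapshot> | git get-tar-commit-id | xargs git show`) only reads the commit ID out of the pax header; it does not check that the archive's contents match that commit's tree, so the guarantee is "the signer produced and signed an archive that names this commit", and the section should say so rather than implying the commit itself is verified. Two documentation points in the same hunk: `git show` will fail unless that commit object is already present in the local clone (an unfetched or shallow clone will not have it), and the placeholders mix `<version>` (the object the note is attached to, in the `git notes ... show` line) with `<snapshot>` (the archive file name, which must match the name recorded in the signed checksum list since `signify -C` checks files by name in the current directory); one sentence tying the two together, e.g. "where `<version>` is the tag or commit the archive was built from and `<snapshot>` the archive file named in its signature", would remove the ambiguity.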