Diffstat (limited to '')
-rw-r--r--  posts/signify-cgit.md  23
1 files changed, 14 insertions, 9 deletions
diff --git a/posts/signify-cgit.md b/posts/signify-cgit.md
index 28a41f7..2f433ec 100644
--- a/posts/signify-cgit.md
+++ b/posts/signify-cgit.md
@@ -92,9 +92,9 @@ create the same snapshot locally.
Thankfully, this is a trivial thing to do. We can use
[`git-archive(1)`](https://git-scm.com/docs/git-archive) to create a stable
-archive from any tag. This is, in fact, also what cgit does internally. By
+archive[^3] from any tag. This is, in fact, also what cgit does internally. By
default, `git-archive(1)` does not prefix the files in the archive with the
-project title and tag, so to make sure that we get a sane[^3] tarball, we have to
+project title and tag, so to make sure that we get a sane[^4] tarball, we have to
pass the right prefix -- just as cgit does:
```
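Review bot: the renumbering cascade that starts here (every later footnote reference and definition in this patch moves by one) is the cost of numeric footnote labels; if the site generator's footnote syntax accepts arbitrary identifiers, as Pandoc, kramdown and Python-Markdown do, a label such as `[^archive-commit]` for the new note would leave the other references untouched and make future insertions a one-line change. Within this hunk the renumbering itself is consistent: the old `[^3]` reference becomes `[^4]` and the new `[^3]` is introduced at the archive sentence it annotates.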
@@ -112,12 +112,12 @@ The example in `cgitrc(5)` uses the dreaded `gpg(1)` interface to generate a
signature, but since notes are just textual objects, we can use any utility that
generates a signature in text form. I will be using OpenBSD's
[signify](https://www.openbsd.org/papers/bsdcan-signify.html), a tool I have
-been recommending for a long time given its simplicity and ease of use[^4].
+been recommending for a long time given its simplicity and ease of use[^5].
To make things more straightforward and give people who do not want to use
signify a way of verifying the integrity of the download, we do not sign the
snapshot itself, but its checksum. Conveniently, signify supports verifying the
-signature and checksum in one invocation[^5].
+signature and checksum in one invocation[^6].
Since signify expects BSD-style checksums from OpenBSD's
[`sha256(1)`](https://man.openbsd.org/sha256), we have to make sure to pass the
@@ -184,7 +184,7 @@ $ git fetch origin refs/notes/signatures/tar.gz:refs/notes/signatures/tar.gz
Git also supports showing notes in
[`git-log(1)`](https://git-scm.com/docs/git-log) directly, by use of the
`--notes` option. The following will display any signatures for the tar.gz
-format inline after the commit message[^6]:
+format inline after the commit message[^7]:
```
$ git log --notes=signatures/tar.gz
@@ -203,13 +203,18 @@ extensible to accommodate other tools.
[^2]: Whilst I'd prefer `.sig` for signify signatures specifically, this would
need patching in cgit. So for now I have to concede and accept that Firefox
calls it a 'detached OpenPGP signature' even though it isn't.
-[^3]: The worst sin a tarball can commit is having all files saved at toplevel,
+[^3]: An interesting side effect that I only
+ [recently](https://git.oriole.systems/site/commit/?id=0da8a6e3d85a98e38b1abc2499f7e7b3fe5d9534)
+ noticed is that by signing tarballs generated by `git-archive(1)` one also
+ implicitly signs a commit. Read more
+ [here](https://oriole.systems/posts/verify-with-signify#Verification%20of%20the%20corresponding%20commit).
+[^4]: The worst sin a tarball can commit is having all files saved at toplevel,
polluting the directory it is extracted into.
-[^4]: A portable version is available
+[^5]: A portable version is available
[here](https://github.com/aperezdc/signify).
-[^5]: This is so that you can verify a whole set of files with just one
+[^6]: This is so that you can verify a whole set of files with just one
signature.
-[^6]: Note that we do not have to type out the full ref here. `git-log(1)`
+[^7]: Note that we do not have to type out the full ref here. `git-log(1)`
will make sure to [form the full name](https://git-scm.com/docs/git-log#Documentation/git-log.txt---notesltrefgt).
`git-notes` also supports these short forms.
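Review bot: the new `[^3]` definition states that signing a `git-archive(1)` tarball "implicitly signs a commit" but does not say what that binding rests on, so a reader may take it to mean the commit object itself is signed. The property comes from `git archive` writing the archived commit's id into the tar stream (a pax global header, which `git get-tar-commit-id` reads back), so the signed checksum covers that id together with the tree contents; one clause to that effect would make the claim checkable without following the link, and would also flag that the archive must be regenerated by the same git for the checksum to match. Minor: two bare "here" link texts in one footnote are hard to tell apart; "in the follow-up post" for the second would be clearer.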