From 3ad348446c62e657e775fabc071559046821b6e7 Mon Sep 17 00:00:00 2001 From: Wolfgang Müller Date: Sat, 22 May 2021 13:38:20 +0200 Subject: posts: Mention commit verification in signify-cgit.md Sadly we'll have to move around the footnotes here, but the post is young enough for that to hopefully not be an issue. --- posts/signify-cgit.md | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/posts/signify-cgit.md b/posts/signify-cgit.md index 28a41f7..2f433ec 100644 --- a/posts/signify-cgit.md +++ b/posts/signify-cgit.md @@ -92,9 +92,9 @@ create the same snapshot locally. Thankfully, this is a trivial thing to do. We can use [`git-archive(1)`](https://git-scm.com/docs/git-archive) to create a stable -archive from any tag. This is, in fact, also what cgit does internally. By +archive[^3] from any tag. This is, in fact, also what cgit does internally. By default, `git-archive(1)` does not prefix the files in the archive with the -project title and tag, so to make sure that we get a sane[^3] tarball, we have to +project title and tag, so to make sure that we get a sane[^4] tarball, we have to pass the right prefix -- just as cgit does: ``` 
@@ -112,12 +112,12 @@ The example in `cgitrc(5)` uses the dreaded `gpg(1)` interface to generate a signature, but since notes are just textual objects, we can use any utility that generates a signature in text form. I will be using OpenBSD's [signify](https://www.openbsd.org/papers/bsdcan-signify.html), a tool I have -been recommending for a long time given its simplicity and ease of use[^4]. +been recommending for a long time given its simplicity and ease of use[^5]. To make things more straightforward and give people who do not want to use signify a way of verifying the integrity of the download, we do not sign the snapshot itself, but its checksum. Conveniently, signify supports verifying the -signature and checksum in one invocation[^5]. +signature and checksum in one invocation[^6]. Since signify expects BSD-style checksums from OpenBSD's [`sha256(1)`](https://man.openbsd.org/sha256), we have to make sure to pass the @@ -184,7 +184,7 @@ $ git fetch origin refs/notes/signatures/tar.gz:refs/notes/signatures/tar.gz Git also supports showing notes in [`git-log(1)`](https://git-scm.com/docs/git-log) directly, by use of the `--notes` option. The following will display any signatures for the tar.gz -format inline after the commit message[^6]: +format inline after the commit message[^7]: ``` $ git log --notes=signatures/tar.gz 
@@ -203,13 +203,18 @@ extensible to accommodate other tools. [^2]: Whilst I'd prefer `.sig` for signify signatures specifically, this would need patching in cgit. So for now I have to concede and accept that Firefox calls it a 'detached OpenPGP signature' even though it isn't. -[^3]: The worst sin a tarball can commit is having all files saved at toplevel, +[^3]: An interesting side effect that I only + [recently](https://git.oriole.systems/site/commit/?id=0da8a6e3d85a98e38b1abc2499f7e7b3fe5d9534) + noticed is that by signing tarballs generated by `git-archive(1)` one also + implicitly signs a commit. Read more + [here](https://oriole.systems/posts/verify-with-signify#Verification%20of%20the%20corresponding%20commit). +[^4]: The worst sin a tarball can commit is having all files saved at toplevel, polluting the directory it is extracted into. -[^4]: A portable version is available +[^5]: A portable version is available [here](https://github.com/aperezdc/signify). -[^5]: This is so that you can verify a whole set of files with just one +[^6]: This is so that you can verify a whole set of files with just one signature. -[^6]: Note that we do not have to type out the full ref here. `git-log(1)` +[^7]: Note that we do not have to type out the full ref here. `git-log(1)` will make sure to [form the full name](https://git-scm.com/docs/git-log#Documentation/git-log.txt---notesltrefgt). `git-notes` also supports these short forms. -- cgit v1.2.3-2-gb3c3
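Review bot: In the first hunk (`@@ -92,9 +92,9 @@`), the `sane[^3]` to `sane[^4]` change, and the cascade it forces through the later `[^4]`/`[^5]`/`[^6]` hunks, exists only because the footnote labels are numeric. Most Markdown footnote implementations treat the label as an opaque identifier and number the rendered footnotes by order of first reference, so if the site's renderer does this a descriptive label such as `archive[^commit]` would have added the new note without touching any existing reference or definition, and the commit message would not need the apology about moving footnotes around. Worth checking the renderer's behaviour before the next footnote is added.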
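Review bot: The renumbering in the `@@ -112,12 +112,12 @@` and `@@ -184,7 +184,7 @@` hunks matches the definitions in the last hunk (four references `[^3]`..`[^6]` shifted up by one, four definitions shifted the same way, plus the new `[^3]` pair), so nothing here dangles. Since a missed reference would silently bind to the wrong note rather than fail, it is still worth a `grep -n '\[\^' posts/signify-cgit.md` on the result to confirm that every `[^n]` reference outside these hunks (`[^1]`, `[^2]`) has a definition and that no stale pre-shift number survives elsewhere in the file.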
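Review bot: The new `[^3]` in the `@@ -203,13 +203,18 @@` hunk asserts that signing a `git-archive(1)` tarball "implicitly signs a commit" but defers the reason entirely to the link; one clause stating the mechanism would make the footnote stand on its own: `git-archive(1)` records the commit id in the archive itself (for tar output as a pax extended header, which `git get-tar-commit-id` reads back), so a signature over the tarball's checksum also binds that commit id. Two smaller points on the same lines: the link texts `recently` and `here` carry no information, a descriptive text such as "signing a snapshot also signs the commit it was built from" reads better and is more accessible; and the fragment `#Verification%20of%20the%20corresponding%20commit` relies on how the site generates heading ids from headings containing spaces, so confirm it resolves on the rendered page rather than landing at the top of the post.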