From 0da8a6e3d85a98e38b1abc2499f7e7b3fe5d9534 Mon Sep 17 00:00:00 2001 From: Wolfgang Müller Date: Sat, 22 May 2021 13:22:34 +0200 Subject: posts: Add guide to verify a commit from a tarball When generating archives, git-archive(1) puts the commit ID in the global extended pax header. Therefore, an interesting side effect of signing tarballs generated with git-archive(1) is that we also implicitly sign a commit. Whilst we don't expect anyone to go through the hurdles needed to verify such a commit signature, make sure to document this case anyway. --- posts/verify-with-signify.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'posts') diff --git a/posts/verify-with-signify.md b/posts/verify-with-signify.md index 5103ccc..0fd22c4 100644 --- a/posts/verify-with-signify.md +++ b/posts/verify-with-signify.md @@ -56,4 +56,30 @@ the `sha256sum` tool to only verify the integrity of the download: $ tail -n1 .asc | sha256sum -c : OK +### Verification of the corresponding commit + +Every tarball hosted here contains its corresponding commit ID in the global +extended pax header[^2]. Therefore, if a tarball is signed, it may be used to verify +a commit and all of its ancestors. + +To do so, place the tarball in the cloned git repository first. If you already +have the detached signature, you may verify the tarball normally like shown +above. Otherwise, you can fetch the signatures directly from the repository: + + $ git fetch origin refs/notes/signatures/tar.gz:refs/notes/signatures/tar.gz + +Now you can verify the tarball like so: + + $ git notes --ref=signatures/tar.gz show | signify -Cp release.pub -x - + Signature Verified + : OK + +Once verified, you can extract the commit using +[`git-get-tar-commit-id(1)`](https://git-scm.com/docs/git-get-tar-commit-id) and +show it: + + $ gzip -d -c | git get-tar-commit-id | xargs git show + [^1]: If you are interested in how this is put together, check out [this](signify-cgit) post. +[^2]: [`git-archive(1)`](https://git-scm.com/docs/git-archive#_description) puts + it there. -- cgit v1.2.3-2-gb3c3