GPG+Git

Transcript

1. GPG+GIT @Lonnen

2. The Commit Object commit size tree c4ec5 parent a149e author

   Justin committer Matt Commit Message Commit Message Git commit object from the git book. Many of these properties are determined by the code.

3. commit size tree c4ec5 parent a149e author Justin committer Matt

   Commit Message Commit Message The Commit Object

4. commit size tree c4ec5 parent a149e author Justin committer Matt

   Commit Message Commit Message The Commit Object Unverified

5. Git Forgery :: Useful fix a spelling error without losing

   authorship information give credit for a code change when it is submitted via patch give credit where it is due, even if the author is not using your vcs

6. Git Forgery :: Juvenile insert subtle mispellings and make tofumatt

   the author change blame info so QA will file the bugs for someone else troll your coworkers. tofumatt -- http://mozillamemes.tumblr.com/post/19334029048/ tofumatt-gives-you-a-pep8-lesson

7. Git Forgery :: Malicious inject code into the repo, masquerading

   as a developer erase a contributor from project history after falling out

8. Crypto to the rescue Crypto fundamentals are beyond the scope

   of this lightning talk. Also, I lack a beard sufficient to give me credibility when explaining it.

9. Tags and commits can be signed and verified, cheaply. (after

   some set up) Git annotated tags (and commits in git >=1.7.9)

10. Set up GPG ...or some other PGP. Whatever. Use GPG.

    First thing is first: Pretty Good Protection: * Used for signing, encrypting, and decrypting texts (commonly e-mail) * Created in 1991 by Phil Zimmermann for secure messaging on BBS's * minimum 128 bits or greater security * The US Government considered it a weapon, Schneier called it close to Military grade. * Several proprietary implementations have been made * OpenPGP is a standard under active development and GNU Privacy Guard (GPG) is a widely used, open source implementation.

11. [user ~]$ brew install gnupg arch@*nix:~$ pacman -S gnupg C:\win>

    try www.gpg4win.org? How? most *nix environments have it installed already

12. > gpg --gen-key defaults are probably secure enough. do not

    lose your passphrase. Then? you can use this key for all sorts of crypto, mostly variants on the original idea -- signing documents. email. your will. git commits.

13. one key endorses another builds a decentralized “web of trust”

    associates you and your key helpful, but not strictly necessary Key Signing? key signing can give more confidence in your signature. beyond the scope of this talk, I think, but in case: * `gpg --fingerprint KeyID` * Meet face to face, verify each other's IDs * retrieve each other's public keys (keyserver? public posting?) * Check the fingerprint against the key `gpg --recv-keys KeyID` `gpg --fingerprint KeyID` * IFF the key matches the fingerprint you were given, sign it * email to the key owner * `gpg --export -a KeyID | mail -s "Your signed key" [email protected]'`

14. What about GIT? [user] signingkey = <gpg-key-id> Glad you asked.

    Crack open your git config and add: at this point you should have the key-id you just generated. let git know what key to use. .git/config or ~.gitconfig

15. What about GIT? Now, instead of: Use: `git tag -a

    tag_name sha` `git tag -s tag_name sha` alternatively, use `-u <gpg-key-id` tags can point to any object, usually commits

16. What about GIT? Now, instead of: Use: `git commit` `git

    commit -S`

17. Should I sign every commit then?

18. Should I sign every commit then? probably not. any commits

    reachable from the signed object (in the linear history of most Moz projects, this means commits before but not after) can be trusted because they cannot be altered without breaking the signature on the object.

19. Should I sign every commit then? probably not. (The Socorro

    team signs release tags only.) signing everything adds little extra security, introduces extra complexity, could potentially mess with your workflow. Make signing releases part of your release process and you’ll get most of the coverage.

20. Verification Export your key to share: $ gpg --armor --export

    > pubKey $ gpg import pubKey Import someone else’s key: $ gpg --list-keys Make sure you’ve got it: you will need the other person’s gpg key to verify any signatures

21. Verification (Optional) Sign it: $ gpg --edit-key [email protected] Command> fpr

    Command> sign you sure? Command> y enter passphrase: Command> quit Save changes? y export the key and send it back after signing?

22. Verification $ git tag -v v2.5 object 2cf3b9cdfc4635b46c5c2d9405ed85ef10969e9f type commit

    tag v2.5 tagger Lonnen <[email protected]> 1331229724 -0800 bug 733931 - push 2.5 release gpg: Signature made Thu Mar 8 10:02:55 2012 PST using RSA key ID D3F36BCF gpg: Good signature from "Chris Lonnen (Knight Errant) <[email protected]>" -or- $ git log --show-signature requires having the correct public key in your GPG keychain to verify the signature.

23. Questions? @Lonnen [email protected]

24. None
25. None
26. None
27. None
28. None
29. None
30. None
31. None
32. None
33. None