Robust development path in git with signatures

I would like to create a reliable path for software development. This means that each change to the code must be signed by the author and by one reviewer before it is accepted. These signatures on the changes must be verifiable at release time, or there must be some other means of ensuring that the repository cannot be tampered with or have additional changes added.

The version control system I expect to use for this is git, but other options are also accepted. Signing can be done through GnuPG or SSL Certificates.

The workflow that I think of would be something like this:

  • The currently verified trunk is forked.
  • Changes are developed in the branch by one or more developers.
  • One or more developers sign the changes made on the branch.
  • Reviewer checks and verifies the changes.
  • Reviewer signs the changes made on the branch.
  • The branch is merged into the current verified trunk.

The merge does not have to be foolproof; for example, it would not matter if unverified changes were somehow merged into the trunk, since this is before release, as long as there is a way to check whether there are any unverified (unsigned) changes in the trunk. In general, tampering does not need to be prevented, only detected.

I would like to get a brief guide on setting up each of these operations. Once I have a few pointers, I can figure out the details myself.

Also, I already know the technical details of `git tag -s`, but I'm not sure how to apply it to this particular problem.

+6
git version-control gnupg digital-signature
3 answers

Commits will not be signed until you tag. Everything up to that point can be checked by the author or by some other out-of-band mechanism, but not from git.

git can verify the lineage of the changes, but only a signed tag can verify the changes themselves.

For your workflow, you can simply tag a lot.

+2

Git is a good candidate because:

  • all commits are already signed
  • the SHA1 key of each commit is enough to make sure that the entire repo has not been changed
  • git tag -s can be used to sign a commit that was not (git tag -m is more explicit)

So:

  • The current verified trunk is forked:
      git checkout -b test tag_for_last_verified_trunk_content   # branch "test" from the last verified tag
  • Changes are developed in the branch by one or more developers:
      [work ...]
      git commit -s -m "dev1 comment" ...
  • One or more developers sign the changes made on the branch:

    Already done with their commits: -s adds a sign-off line at the end of the commit message (see this page for an explanation of sign-off):

      Signed-off-by: user name
  • Reviewer checks and verifies the changes:
      git tag -m "testing" testing          # refers to the current commit, allowing the dev to go on with further changes
  • Reviewer signs the changes made on the branch:
      git tag -m "tested" tested testing    # puts a tag on the same SHA1 as the "testing" tag
  • The branch is merged into the current verified trunk:
      git checkout trunk && git merge tested

Cyryl Plotnicki-Chudyk mentions in the comments that since git 1.7.9 (January 2012, almost two years after this answer) you can GPG-sign any commit you want using git commit -S.
(See commit ba3c69a9, recently updated in commit df45cb3.)

0
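The following script is an added example, not code from the question or from the answer above: it builds a throwaway repository, walks through the tag-based workflow the answer describes (verified tag, branch, signed-off commits, reviewer tag, merge), and then runs the check the question asks for, namely whether trunk contains any commit that no reviewer tag covers. Everything in it is my own assumption: the tag naming `verified-*`, the identity `demo@example.invalid`, and the use of `git tag -a` as a stand-in for `git tag -s` so that the script runs without a GPG key. In real use, replace `git tag -a` with `git tag -s` and add `git tag -v <tag>` before trusting a tag.

```shell
#!/bin/sh
# Constructed demo of the tag-based verification workflow (not from the answers).
# Assumption: reviewer tags are named verified-*; signing is stubbed with `git tag -a`.
set -eu

# Fixed identity and no GPG so the demo runs non-interactively in any environment.
GIT="git -c user.name=Demo -c user.email=demo@example.invalid -c commit.gpgsign=false -c tag.gpgsign=false"

# Commits on trunk that are NOT ancestors of any verified-* tag: the "unverified changes" check.
unverified_commits() {   # $1 = repo path
  tags=$($GIT -C "$1" tag -l 'verified-*')
  if [ -n "$tags" ]; then
    $GIT -C "$1" rev-list trunk --not $tags
  else
    $GIT -C "$1" rev-list trunk
  fi
}
unverified_count() { unverified_commits "$1" | wc -l | tr -d ' '; }

# Commits on trunk whose message lacks the developer-side Signed-off-by trailer.
missing_signoff_count() {   # $1 = repo path
  n=0
  for c in $($GIT -C "$1" rev-list trunk); do
    $GIT -C "$1" show -s --format=%B "$c" | grep -q '^Signed-off-by:' || n=$((n + 1))
  done
  echo "$n"
}

# --- build the demo repository (constructed data) ---
REPO=$(mktemp -d)
trap 'rm -rf "$REPO"' EXIT
$GIT -C "$REPO" init -q
$GIT -C "$REPO" symbolic-ref HEAD refs/heads/trunk

echo base > "$REPO/file"
$GIT -C "$REPO" add file
$GIT -C "$REPO" commit -q -s -m "base"
$GIT -C "$REPO" tag -a -m "reviewer: verified" verified-0      # stand-in for: git tag -s verified-0

# Developer work on a branch forked from the last verified tag, with sign-off.
$GIT -C "$REPO" checkout -q -b test verified-0
echo one >> "$REPO/file"; $GIT -C "$REPO" commit -q -a -s -m "dev1 change"
echo two >> "$REPO/file"; $GIT -C "$REPO" commit -q -a -s -m "dev1 more"

# Reviewer tags the reviewed tip (stand-in for: git tag -s tested testing).
$GIT -C "$REPO" tag -a -m "reviewer: verified" verified-1 test

# Fast-forward merge leaves trunk exactly at a reviewer-tagged commit.
$GIT -C "$REPO" checkout -q trunk
$GIT -C "$REPO" merge -q --ff-only test
AFTER_MERGE=$(unverified_count "$REPO")            # expected 0

# Someone commits straight to trunk with neither review nor sign-off.
echo rogue >> "$REPO/file"
$GIT -C "$REPO" commit -q -a -m "direct change"
AFTER_ROGUE=$(unverified_count "$REPO")            # expected 1
ROGUE_NOSIGNOFF=$(missing_signoff_count "$REPO")   # expected 1

echo "unverified commits on trunk after merge: $AFTER_MERGE"
echo "unverified commits on trunk after direct change: $AFTER_ROGUE"
echo "commits without Signed-off-by: $ROGUE_NOSIGNOFF"
unverified_commits "$REPO"
```

The check is purely structural: `git rev-list trunk --not <verified tags>` lists exactly the commits that no reviewer tag reaches, which is what the question wants detected rather than prevented. Note that a `--no-ff` merge would itself show up as unverified, because the merge commit is newer than any reviewer tag; in that workflow the reviewer either re-tags trunk after the merge or, on git 1.7.9 and later, signs the merge commit with `git commit -S`.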

You can sign your tag with your GPG key using the -s option, as in git tag -s v0.1.0:

-s

  Make a GPG-signed tag, using the default e-mail address's key

But you cannot sign a commit.

0
