[RFC] Proposal for a new config-based git signing interface

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

This is a follow-up on my previous emails related to the proposal of a new signing interface:

https://public-inbox.org/git/CACi-FhDeAZecXSM36zroty6kpf2BCWLS=0R+dUwuB96LqFKuTA@xxxxxxxxxxxxxx/T/#r43cbf31b86642ab5118e6e7b3d4098bade5f5a0a
https://public-inbox.org/git/Z2XOTcGuVovMKhcdrrO08KWI2I7L9s0CyFITvvj3jkmGTQPB6FkCiyOtTm6GdYWbnf25dsPD8M08kDCuD37EE1B-sxHQ3se9Kn1zVBrCPZw=@pm.me/T/#u
https://public-inbox.org/git/N31G34oKnfr3MVifk42-Kt3YtM_3fHuCp3V1cpGOK5f1jn1vbg1TaSCy9ukI-YD8qRfu4xMcHcPc78xFE0MSwJQWNrSvuQuer9wSNugNRLg=@pm.me/T/#u
https://public-inbox.org/git/8AMhjK19PJ35u3LCR57IvtAzOBN5bKK2vUn0Ns-4mmZzK9U14W5CGW5R8aITNXBm78J4Z7nd09RTVKW2pGaB4PnF7p2PireF_vzRST8DngE=@pm.me/T/#u
https://public-inbox.org/git/0oTOrSdJdIaEfs3NVkfRmLxjYRvUPkucwwaXPuhCjS2QL3ztRJLfIlBkcpjSRiZQaY70SKSkg8_w20rxnuD4Vu3IbRcGOZM-fht8G7ySEHk=@pm.me/T/#u
https://public-inbox.org/git/T4zS1hogOjySpdv7lDjVaZV83KKSeK9fx8m33SIo-e_BH4RtKcm67btmGzTPeflbRnQr7mWjTpObB0hCkX8VkGZElkQbLEgbrETg6Aq4nUg=@pm.me/T/#u
https://public-inbox.org/git/74R10RrvOffzj20d_Owd_1WFMh1bWq8mIhEEBSzbhkHfbvW5BLHZj-L-AgHYnpqkxgZdCfW5b72GoIvKHucQz7tdiGZEzietp0IKpU1_wuI=@pm.me/T/#u

The main feedback we received from the previous RFCs was that the drivers for external signing tools were still written in C and that we should go more for a configuration based interface.

I'v been thinking about how to go about it and would love to have your feedback on my proposed approach:

- Implement updated user configuration to define signing tools
- Implement a tool-agnostic signing interface in C code
- Add the possibility to use bash helper scripts to drive additional tools in case the default interface don't work as intended.
- The same configuration aliases can be passed to command line arguments

You can find below a detailed description of the proposed config and command line options:

https://hackmd.io/ZHsddYXkSmyb6rYajdyGLg
https://hackmd.io/yxS9nfiQSvmRZntcfnHOGQ

The configuration part would look like this:

```
[signing]
  format = openpgp

[signing "openpgp"]
  program = "/usr/bin/gpg"
	keyring = "--keyring pubring.kbx --no-default-keyring"
	identity = "--local-user \"Jane Committer <jane@xxxxxxxxxxx>\""
	sign = "--sign --status-fd=2 --detach-sign --ascii"
	verify = "--verify --status-fd=2"

[signing "openpgp.signature"]
	regex = "^-----BEGIN PGP SIGNATURE-----$[^-]*^-----END PGP SIGNATURE-----$"
	multiline = true
```

The equivilent command line to do a digitally signed commit looks like:

```
git commit \
  --sign
	--signing-format=openpgp \
	--signing-openpgp-program="/usr/bin/gpg" \
	--signing-openpgp-keyring="--keyring pubring.kbx --no-default-keyring" \
	--signing-openpgp-identity="--local-user \"Jane Committer <jane@xxxxxxxxxxx>\"" \
	--signing-openpgp-sign="--sign --status-fd=2 --detach-sign --ascii"
```

Cheers,


Ibrahim






[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux