On 17.06.2022 12:24, Alejandro Colomar wrote:
> Hi,
> In Kernel Recipes this month [1], Greg mentioned that
> git-send-email(1) could be used together with gpg(1) to verify
> authenticity of the sender.
I think he is talking about GPG signing the email containing the patch and
is not referring to git commit signing.
Using GPG to sign your whole email adds trust to a whole lot more than just
the sent patch. It can verify the authenticity of the sender, and all the
rest of the email's content and follow-up discussions / review.
Including the commit's signature in the email might have some benefit but I'm
not sure about how much. It could decouple the trust in the patch's
integrity from the transport used to publish it. For example you could forward
/ copy a patch and the recipient could still verify the original author's
signature.
Konstantin Ryabitsev has done some work in this area especially for kernel
development by using email headers:
https://people.kernel.org/monsieuricon/end-to-end-patch-attestation-with-patatt-and-b4
https://github.com/mricon/patatt
> I couldn't find any documentation about it, and if I create a patch
> from a commit that was signed (-S), the PGP signature is not part of
> the patch.
> So, is there a way to PGP-authenticate patches?
> If not, could this be added to git(1)?
> $ git --version
> git version 2.36.1
> Thanks,
> Alex
> [1]: <https://www.youtube.com/watch?v=nhJqaZT94z0>
> - Start of thread Q&A in 1:56:30.
> - Greg's answer starts in 1:56:57
> - Specific git-send-email(1) part in 1:57:50
> --
> Alejandro Colomar
> <http://www.alejandro-colomar.es/>
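The point made in the reply above, that a signature over the patch content (rather than over the whole mail) survives forwarding and relaying, can be shown with a small worked example. The Go program below is an added illustration written for this thread; it is not code from git, patatt or b4, and its canonicalization rules (keep only From and Subject, normalise line endings and trailing whitespace) are a deliberate simplification of what patatt actually does. It uses an Ed25519 key from the Go standard library instead of PGP, and the mail text, the header names added by `Relay` and the sender address are all constructed sample data. A relayed copy with extra transport headers and CRLF line endings still verifies, while a copy whose diff hunk was altered in transit does not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample: a patch mail roughly as git-send-email(1) would emit it.
const OriginalMail = "From: Alice Example <alice@example.invalid>\n" +
	"Subject: [PATCH] parse: guard against an empty buffer\n" +
	"Date: Fri, 17 Jun 2022 12:00:00 +0200\n" +
	"\n" +
	"Do not dereference the buffer pointer when nothing was read.\n" +
	"---\n" +
	" parse.c | 2 +-\n" +
	" 1 file changed, 1 insertion(+), 1 deletion(-)\n" +
	"\n" +
	"--- a/parse.c\n" +
	"+++ b/parse.c\n" +
	"@@ -1 +1 @@\n" +
	"-    if (len > 0)\n" +
	"+    if (buf && len > 0)\n" +
	"-- \n" +
	"2.36.1\n"

// Relay simulates what a mailing-list hop does to the message on the wire:
// it prepends transport headers and rewrites line endings to CRLF.
// The header values are made up for the example.
func Relay(msg string) string {
	extra := "Received: from mx.example.invalid by list.example.invalid\n" +
		"List-Id: <dev.list.example.invalid>\n"
	return strings.ReplaceAll(extra+msg, "\n", "\r\n")
}

// Tampered returns a copy of the original in which the diff hunk was changed
// after signing, which is exactly what a content signature must catch.
func Tampered() string {
	return strings.Replace(OriginalMail, "+    if (buf && len > 0)", "+    if (1)", 1)
}

// Canonicalize reduces a patch mail to the parts the author vouches for: the
// From and Subject headers plus the body, with CRLF folded to LF and trailing
// whitespace removed. Transport headers are ignored, so a relayed copy
// canonicalizes to the same bytes as the original. (Simplified: no handling
// of folded headers or MIME encodings.)
func Canonicalize(msg string) string {
	msg = strings.ReplaceAll(msg, "\r\n", "\n")
	parts := strings.SplitN(msg, "\n\n", 2)
	headers, body := parts[0], ""
	if len(parts) == 2 {
		body = parts[1]
	}
	var from, subject string
	for _, h := range strings.Split(headers, "\n") {
		switch {
		case strings.HasPrefix(h, "From:"):
			from = strings.TrimSpace(strings.TrimPrefix(h, "From:"))
		case strings.HasPrefix(h, "Subject:"):
			subject = strings.TrimSpace(strings.TrimPrefix(h, "Subject:"))
		}
	}
	var lines []string
	for _, l := range strings.Split(body, "\n") {
		lines = append(lines, strings.TrimRight(l, " \t"))
	}
	canonBody := strings.TrimRight(strings.Join(lines, "\n"), "\n")
	return "from:" + from + "\nsubject:" + subject + "\n\n" + canonBody + "\n"
}

// SignPatch signs the canonical form and returns the signature as base64,
// the shape it would take if carried in a mail header.
func SignPatch(priv ed25519.PrivateKey, msg string) string {
	sig := ed25519.Sign(priv, []byte(Canonicalize(msg)))
	return base64.StdEncoding.EncodeToString(sig)
}

// VerifyPatch re-canonicalizes whatever copy of the mail arrived and checks
// the signature against it.
func VerifyPatch(pub ed25519.PublicKey, msg, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(Canonicalize(msg)), sig)
}

// Demo signs the original, then verifies a relayed copy (expected to pass)
// and a copy altered in transit (expected to fail).
func Demo() (relayedOK, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	sig := SignPatch(priv, OriginalMail)
	return VerifyPatch(pub, Relay(OriginalMail), sig),
		VerifyPatch(pub, Tampered(), sig), nil
}

func main() {
	relayedOK, tamperedOK, err := Demo()
	fmt.Println("relayed copy verifies:", relayedOK, " tampered copy verifies:", tamperedOK, " err:", err)
}
```

A whole-mail PGP signature, by contrast, is computed over the exact bytes the sender's MUA produced, so any of the transport changes `Relay` performs would already invalidate it; that is the trade-off the reply describes between signing the email and signing the patch content.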