* Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote: > That said, even the "BEGIN PGP SIGNED MESSAGE" things are a massive > pain in the butt. We need to automate this some sane way, both for > the sender and for the recipient. The most practical form would be if Git supported such oneliner pull requests: git pull git://foo.com bar.branch \ --pull-sha1 0acf00014bcfd71090c3b0d43c98e970108064e4 \ --gpg-by: "Ingo Molnar <mingo@xxxxxxxxxx>" \ --gpg-sig: 8a6f134afd1d212fe21345 maintainers could just paste them into a shell and it would abort if it's not trusted. The maintainer verifies the visible, 'Ingo Molnar' bit. The 8a6f134afd1d212fe21345 is a signed-by-Ingo-Molnar version of this content: git://foo.com bar.branch 0acf00014bcfd71090c3b0d43c98e970108064e4 And Git would verify that what ends up being pulled is indeed 0acf00014bcfd and also verifies that it was signed by me. [ If we are extra diligent/paranoid then beyond the sha1 we might even GPG sign the shortlog, or even the full raw log of all commits leading to the sha1: this introduces some Git shortlog and patch formatting version dependency though. Git could also double check foo.com's DNS coherency, or check it against a known-trusted whitelist of domain names specified in the maintainer's .gitconfig, as an extra layer. ] Doing it in this form would remove all the mail formatting madness - one could paste such a pull request into a shell straight away, from HTML email, from text email, from MIME email, etc. In fact i would trust such a Git based solution far more than any opaque, invisible tool that claims to have checked a signature with cooperation of my mail client (ha!). The only somewhat non-obvious bit is that Git should be *very* careful about its key ID and signature parsing strategy, to protect against social engineering attacks. For example neither this: --gpg-by: "Ingo Molnar <mingo@xxxxxxxxxx>" nor this: --pgp-by: "Ingo Molnar <mingo@xxxxxxxxxx>" malicious pull request should slip through in any fashion: - Git should only use keys that are in your ring of trust - not pull keys from the public keyring automatically and just check coherency of the pull request or such. [I'm sure people will be tempted to have such a feature - but that temptation should be resisted.] - Git should abort the moment it sees an unknown option Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-ide" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html