[ANNOUNCE] git-sign, simple scripts to generate and verify securely signed Git checkouts

Christian Jaeger chrjae at gmail.com
Mon Mar 13 14:22:05 GMT 2017


Hi

Mostly as a proof of concept, I've created two scripts to sign and
verify Git checkouts (I'm saying checkouts since it (both for
simplicity, and probably trust) is based on the working directory
contents, not the tree referred to by the signed commit). Like some
other such solutions, this adds secure hashes to the signed tag
message. There are two drawbacks and one advantage versus other
solutions:

- meant for small repositories only (each file in the repository takes
up a line in the tag message)
- relatively hacky, e.g. newlines in file names may be problematic,
doesn't currently use gpg's --status-fd or --with-colons, and doesn't
check git config
+ easily verifiable scripts, checking can even be done manually (hence
no need for casual users to (blindly) trust third party code)

https://github.com/pflanze/git-sign

Christian.
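
The following is an added example, not code from git-sign or from the author: it spells out the scheme the announcement describes (a sha256 line per working-directory file, carried in a GPG-signed tag message, verified against the working directory rather than the committed tree) in a form that can be read and checked by hand. It assumes GNU coreutils (sha256sum, find -print0, sort -z, xargs -r); the two tag functions additionally assume git with a configured signing key and gpg. All function names are this example's own.

```shell
#!/bin/sh
# Added example (not the git-sign project's code): hash manifest of the
# working directory, embedded in a signed tag message and verified back.
set -u

# One "HASH  PATH" line per regular file under $1, .git excluded, in byte-wise
# sorted order so the manifest is reproducible. GNU sha256sum escapes newlines
# and backslashes in file names itself (the line then starts with a backslash,
# the format `sha256sum -c` reads back), so such names stay on one line.
checkout_manifest() {
    dir=$1
    ( cd "$dir" && find . -path ./.git -prune -o -type f -print0 \
        | LC_ALL=C sort -z \
        | xargs -0 -r sha256sum )
}

# Regenerate the manifest for $1 and compare it with the stored manifest $2.
# A plain equality check catches changed, removed AND added files; a per-file
# `sha256sum -c` alone would miss files that were added. The manifest must
# live outside the checkout (here: in the tag message), or it would have to
# list itself.
verify_checkout() {
    dir=$1
    manifest=$2
    if checkout_manifest "$dir" | diff -u "$manifest" - >&2; then
        echo "checkout matches manifest" >&2
    else
        echo "checkout does NOT match manifest (see diff above)" >&2
        return 1
    fi
}

# Create a GPG-signed tag $2 on $1 whose message body is the manifest.
sign_checkout() {
    dir=$1
    tag=$2
    msg=$(printf 'Signed checkout manifest (sha256 of working-directory files)\n\n%s\n' \
        "$(checkout_manifest "$dir")")
    git -C "$dir" tag -s -m "$msg" "$tag"
}

# Verify tag $2 of $1: first the signature, then the file hashes. --raw relays
# gpg's --status-fd lines, so we can insist on a trusted key, not merely a
# valid signature from some key (the --status-fd gap the announcement names).
check_signed_checkout() {
    dir=$1
    tag=$2
    status=$(git -C "$dir" verify-tag --raw "$tag" 2>&1) || {
        echo "bad or missing signature on $tag" >&2; return 1; }
    printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' || {
        echo "valid signature, but the signing key is not trusted" >&2; return 1; }
    tmp=$(mktemp)
    # Keep only manifest lines (optional leading backslash, 64 hex, two spaces);
    # this drops the subject line and any trailing blank line of the body.
    git -C "$dir" for-each-ref --format='%(contents:body)' "refs/tags/$tag" \
        | grep -E '^\\?[0-9a-f]{64}  ' > "$tmp" || {
        echo "tag $tag carries no manifest in its message" >&2; rm -f "$tmp"; return 1; }
    rc=0
    verify_checkout "$dir" "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}

# Small CLI: `sh this.sh sign v1.0` / `sh this.sh check v1.0` in a checkout.
# Without arguments (or when sourced) only the functions are defined.
case "${1:-}" in
    sign)  sign_checkout . "$2" ;;
    check) check_signed_checkout . "$2" ;;
    *)     ;;
esac
```

The manual check the announcement values is still available: `git verify-tag v1.0`, then `git cat-file tag v1.0` to read the hash lines out of the message and `sha256sum -c` on them from the checkout root. What the manual route does not give you is the "no extra files" property, which is why verify_checkout compares whole manifests rather than checking listed files one by one.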


More information about the git-announce mailing list