sofistes.net

About sofistes.net

This blog is a way for me to collect interesting stuff into one place. I'm not planning on making this a confession booth of any sort, just post random interesting web sites if I feel the need to comment on them (otherwise I just add them to my del.icio.us page) and comment on other stuff that is worth it (books, TV programs, games, CD's etc).

Knowing myself I doubt I will be updating this too often but we'll see...

Using signed tags with git

All sorts of geeky stuff | Posted by Marko Poutiainen, Thursday, May 07 2009 17:09:27
Another thing I tried out with git was signing tags with gpg keys. Things would have been a lot easier if I knew more about git or gpg - I'm not yet too familiar with either. Obviously I have used encryption with emails before, but since this has been with Outlook, the whole thing works a little bit differently (the interface for key ring handling is in Outlook).

So here's how you can do it:

1. The user creates a gpg key with gpg --gen-key.
2. Then he exports the public key with gpg --armor --export user@email.com > mypk
3. He sends the public key file to you, and you add it to the keyring of the account git runs as (the git user, if you are using gitosis) with gpg --import mypk. It might also be a good idea to sign this key with gpg --edit-key user@email.com, so that gpg treats it as trusted when it verifies tags instead of warning that the key is not certified.
4. Next you need to add the verification somewhere in the git hooks; pre-receive might be the best bet. Checking the validity is done with git tag -v "tag_id". The code could be something like (I haven't done this yet myself):

#!/usr/bin/perl
use strict;
use warnings;
# pre-receive gets one "<old-sha> <new-sha> <refname>" line per pushed ref
while (<>)
{
    next unless m/^(\S+) (\S+) refs\/tags\/(.+)$/;
    my ($new, $tag) = ($2, $3);
    next if $new =~ /^0+$/;    # deleting a tag leaves nothing to verify
    # the ref is not written yet inside pre-receive, so verify the tag object
    # by sha (git tag -v by name only works once refs/tags/$tag exists)
    open(my $fh, "-|", "git", "verify-tag", $new) or exit 1;
    while (<$fh>) { }          # tag body on stdout; gpg's verdict is in the exit status
    close($fh);
    # Check that the signature is good: non-zero status means bad, missing or unknown key
    exit 1 if $? != 0;
}
exit 0;

And hey presto! You have just made sure that your system only accepts tags signed with keys you have imported into that keyring.
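The same hook written out in full, as an added example that is not the post's own Perl sketch: it skips branch pushes and tag deletions, verifies the pushed tag object by sha (since the ref does not exist yet inside pre-receive), and treats gpg's "not certified" warning for an unsigned key as a rejection, which is why step 3 suggests signing the imported key. The hook input lines are constructed; the git and gpg invocation is real.

```python
#!/usr/bin/env python3
"""pre-receive hook: refuse pushed tags whose gpg signature does not verify.
Hypothetical example mirroring the post's Perl sketch, not the author's code."""
import re
import subprocess
import sys

ZERO_SHA = re.compile(r"^0+$")
TAG_REF = re.compile(r"^(\S+) (\S+) refs/tags/(\S+)$")
# Constructed stand-in for what git feeds the hook on stdin (one ref per line)
SAMPLE_HOOK_INPUT = [
    "1" * 40 + " " + "2" * 40 + " refs/tags/v1.0",      # new tag: must verify
    "0" * 40 + " " + "3" * 40 + " refs/heads/master",   # branch: not our concern
    "4" * 40 + " " + "0" * 40 + " refs/tags/old",       # deletion: nothing to verify
]

def tags_from_hook_input(lines):
    """Return (tag, new_sha) for tags being created or updated; branch updates
    and tag deletions (new sha all zeros) are skipped."""
    result = []
    for line in lines:
        m = TAG_REF.match(line.strip())
        if m and not ZERO_SHA.match(m.group(2)):
            result.append((m.group(3), m.group(2)))
    return result

def signature_is_good(returncode, gpg_output):
    """gpg prints 'Good signature' even for a key it does not trust, adding a
    'not certified' warning; signing the imported key (step 3) removes it."""
    lines = gpg_output.splitlines()
    good = any(l.startswith("gpg: Good signature") for l in lines)
    untrusted = any("not certified with a trusted signature" in l for l in lines)
    return returncode == 0 and good and not untrusted

def verify_tag_object(new_sha):
    """Verify the tag object by sha (the ref is not written yet); gpg's messages arrive on stderr."""
    proc = subprocess.run(["git", "verify-tag", new_sha],
                          capture_output=True, text=True)
    return signature_is_good(proc.returncode, proc.stderr)

def main():
    bad = [t for t, sha in tags_from_hook_input(sys.stdin) if not verify_tag_object(sha)]
    for t in bad:
        print("rejecting tag %s: signature did not verify" % t, file=sys.stderr)
    return 1 if bad else 0

if __name__ == "__main__":
    sys.exit(main())
```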
