Commit Signing with GPG or SMIME?

Question

Commit Signing with GPG or SMIME?

glennawatson opened this issue 5 years ago · comments

On the ReactiveUI project we been asking our maintainers to use ideally SMIME certificate signing with a X509 certificate, or GPG. Some of us have been using yubikeys.

This adds a extra layer of security for us since we can have extra confidence with the SMIME certificate especially that a real human is involved, and the private key in theory would only live on the local users PC so if a commit isn't signed and it's coming from a maintainer we will be immediately suspect.

Also if SMIME x509 certificate signing is done it'll allow external users to verify that at least some human has had their ID checked by the signing authority etc.

Wouldn't this be a good idea for the higher level tiers?

Ben Adams · Answer 1 · Fri Sep 27 2019 06:07:49 GMT+0800 (China Standard Time)

Does it limit external contributors?

For example coreclr/corefx/aspnet doesn't require signed commits from external contributors.

I suppose the question is can the difference between a merge commit (for PR) vs commit in PR be differentiated and enforced?

Glenn · Answer 2 · Fri Sep 27 2019 06:11:11 GMT+0800 (China Standard Time)

https://help.github.com/en/articles/about-required-commit-signing

So for us we just have maintainers/administrators override the signed commit requirement for non-maintainers.

Contributors on forks aren't required to have signed commits, only local branch commits.

Rich Lander · Answer 3 · Fri Sep 27 2019 06:21:14 GMT+0800 (China Standard Time)

These idea is aligned with the goals of level 4. I think it makes sense to add as a candidate that others can give feedback on. Alternatively, we could have an "optional best practices" section that maybe could inform a new level at a later date.

Jon Galloway · Answer 4 · Fri Sep 27 2019 06:45:26 GMT+0800 (China Standard Time)

Agree, I like the idea of having recommended best practices and including this. It's still a little difficult to set up, and shouldn't be a blocker.

Side note: @glennawatson's GitSMimeSign is amazing, highly recommended.

Immo Landwerth · Answer 5 · Sat Sep 28 2019 02:28:34 GMT+0800 (China Standard Time)

I think one thing we should do for sure is:

Ask that releases have corresponding annotated tags.
Ask that those are signed tags.

Claire Novotny · Answer 6 · Sat Sep 28 2019 02:29:50 GMT+0800 (China Standard Time)

How do you sign a tag? I use the GitHub Release task in pipelines, which creates the release and tags the source. It doesn't sign anything.

Glenn · Answer 7 · Sat Sep 28 2019 02:39:24 GMT+0800 (China Standard Time)

GitHub I believe bases it off the commit the tag is generated from.

Glenn · Answer 8 · Sat Sep 28 2019 02:39:58 GMT+0800 (China Standard Time)

Eg it will show verified if the commit is signed.

Claire Novotny · Answer 9 · Sat Sep 28 2019 02:43:27 GMT+0800 (China Standard Time)

Okay, sure, I see it show verified based on the commit:

But tags in git are easily deleted and can be changed to a different commit, so I'm not sure what "signing the tag" accomplishes? All merge/squash commits from PR's from GitHub are effectively signed by GitHub anyway, so if everything is done from PR's, then wouldn't this always be true?

Glenn · Answer 10 · Sat Sep 28 2019 02:48:13 GMT+0800 (China Standard Time)

Well if you do merge pr you still have the commits from the other users that would ideally need to be signed.

Squash merges will be signed by GitHub if every commit inside the pr is verified.

Claire Novotny · Answer 11 · Sat Sep 28 2019 02:52:15 GMT+0800 (China Standard Time)

I don't think we can enforce that commits from other users are signed, it's too high a bar for contributors. I think most maintainers are happy to get any reasonable PR, asking someone to sign their commits would discourage people.

Glenn · Answer 12 · Sat Sep 28 2019 02:55:25 GMT+0800 (China Standard Time)

Yep agreed hence why I would limit it just to maintainers.

Glenn · Answer 13 · Sat Sep 28 2019 03:02:54 GMT+0800 (China Standard Time)

I think that's also where Jon is probably right where we have a recommended best practices since having this as a requirement for all projects might not be feasible. I will open a separate issue today for a best practice repository.

Glenn · Answer 14 · Sat Sep 28 2019 03:09:30 GMT+0800 (China Standard Time)

Btw we been using forced signed commits for a little bit for rxui with success. External contributors fork off where signed commits aren't required then this only enforces it for users who have access to local branches sign which are the maintainers in our case. Does require someone with admin powers to merge external non signed commits though

Immo Landwerth · Answer 15 · Sat Oct 05 2019 08:28:29 GMT+0800 (China Standard Time)

How do you sign a tag? I use the GitHub Release task in pipelines, which creates the release and tags the source. It doesn't sign anything.

I can't talk to GitHub but in Git that's how you sign a tag:

$ git tag -s -m"tagging version 1.0" v1.

(it's the -s argument that does the signing)

The reason why you should sign tags is explained here:

The point of signing a tag is that now anyone who has your public key can prove that you have approved that particular commit as being that particular version of the program. If they happen to trust you as being the official source of releases for that package, then they know that they got an official version of that package, not some random version that might have been backdoored by an attacker or corrupted in transit.

Glenn · Answer 16 · Sat Oct 05 2019 08:30:30 GMT+0800 (China Standard Time)

Worth noting that Jon Galloway and some others have been using https://github.com/glennawatson/gitsmimesign