forked from cheng/wallet
Obsoleted by Git now implementing its own trust model
so my elaborate workarounds of gpg's trust model are rendered irrelevant and stupid.
parent
a88fc58e71
commit
90ac55f30a
@ -83,6 +83,18 @@ It will, however, also implement signed commits, insist that you have `gpg` on
|
|||||||
because [cryptographic software is under attack] from NSA
|
because [cryptographic software is under attack] from NSA
|
||||||
entryists and shills, who seek to introduce backdoors.
|
entryists and shills, who seek to introduce backdoors.
|
||||||
|
|
||||||
|
[has its own trust model based on *ssh* and gpg keys]:https://git-scm.com/docs/git-config
|
||||||
|
{target="_blank"}
|
||||||
|
|
||||||
|
〔Note that this has been obsoleted and needs to be rewritten
|
||||||
|
since git now [has its own trust model based on *ssh* and gpg keys]
|
||||||
|
and the file `gpg.ssh.allowedSignersFile`,
|
||||||
|
which should be in a repository that only allows signed commits.
|
||||||
|
|
||||||
|
Git now has a bunch of hooks that are accessed through config entries
|
||||||
|
starting with `gpg.` that potentially allow us to supply zooko names
|
||||||
|
for git signed commits.〕
|
||||||
|
|
||||||
This may be inconvenient if you do not have `gpg` installed and set up.
|
This may be inconvenient if you do not have `gpg` installed and set up.
|
||||||
|
|
||||||
It also means that subsequent pulls and merges will require you to have `gpg `trust the key `public_key.gpg`, and if you submit a pull request, the puller will need to trust your `gpg` public key.
|
It also means that subsequent pulls and merges will require you to have `gpg `trust the key `public_key.gpg`, and if you submit a pull request, the puller will need to trust your `gpg` public key.
|
||||||
|
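Review bot: the new 〔…〕 aside ("Note that this has been obsoleted and needs to be rewritten") is an editorial TODO dropped into reader-facing text, while the paragraphs it contradicts ("This may be inconvenient if you do not have `gpg` installed and set up", "subsequent pulls and merges will require you to have `gpg` trust the key `public_key.gpg`") stay unchanged right below it, so a reader now gets two incompatible sets of instructions; either rewrite the passage in this commit or keep the aside out of the rendered page. Two wording points inside the aside: `gpg.ssh.allowedSignersFile` is a git config key whose value is the path to an allowed-signers file, not "the file" itself, and the `gpg.*` entries are config keys (the one that actually selects ssh signing is `gpg.format`), not "hooks that are accessed through config entries". The new link definition `[has its own trust model based on *ssh* and gpg keys]:https://git-scm.com/docs/git-config` lands on the whole git-config page; name the key to search for (`gpg.ssh.allowedSignersFile`) next to the link so the reader can find the relevant entry.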
@ -68,6 +68,18 @@ this happening all the time in cryptographic products.
|
|||||||
|
|
||||||
# Code will be cryptographically signed
|
# Code will be cryptographically signed
|
||||||
|
|
||||||
|
[has its own trust model based on *ssh* and gpg keys]:https://git-scm.com/docs/git-config
|
||||||
|
{target="_blank"}
|
||||||
|
|
||||||
|
〔Note that this has been obsoleted and needs to be rewritten
|
||||||
|
since git now [has its own trust model based on *ssh* and gpg keys]
|
||||||
|
and the file `gpg.ssh.allowedSignersFile`,
|
||||||
|
which should be in a repository that only allows signed commits.
|
||||||
|
|
||||||
|
Git now has a bunch of hooks that are accessed through config entries
|
||||||
|
starting with `gpg.` that potentially allow us to supply zooko names
|
||||||
|
for git signed commits.〕
|
||||||
|
|
||||||
Of necessity, we will rest our developer identities on GPG keys, until we
|
Of necessity, we will rest our developer identities on GPG keys, until we
|
||||||
can eat our own dogfood and use our own system's cryptographic keys.
|
can eat our own dogfood and use our own system's cryptographic keys.
|
||||||
Login identities shall have no password reset, because that is a security
|
Login identities shall have no password reset, because that is a security
|
||||||
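Review bot: this inserts a second verbatim copy of the 〔…〕 aside and of the `[has its own trust model based on *ssh* and gpg keys]` link definition (the first copy is in the `@ -83,6` hunk above); a "needs to be rewritten" note duplicated in two places will drift, so keep one copy and have the other location refer to it. Placement is also awkward: it sits directly under `# Code will be cryptographically signed`, so the unchanged sentence "Of necessity, we will rest our developer identities on GPG keys" now follows a note saying git accepts ssh keys as well. Either qualify that sentence (GPG keys, or ssh keys now that git supports them) or move the aside below the paragraph.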
@ -201,36 +213,58 @@ if you add the recommended repository configuration defaults to your local repos
|
|||||||
git config --local include.path ../.gitconfig
|
git config --local include.path ../.gitconfig
|
||||||
```
|
```
|
||||||
|
|
||||||
This will implement signed commits and will insist that you have `gpg` on your path, and that you have cohfigured a signing key in your local config, and will refuse to pull updates that are signed by a gpg key that you have not locally trusted.
|
This will implement signed commits and will insist that you have `gpg` on your path,
|
||||||
|
and that you have configured a signing key in your local config.
|
||||||
|
|
||||||
This may be inconvenient if you do not have `gpg` installed and set up.
|
This may be inconvenient if you do not have `gpg` installed and set up.
|
||||||
|
|
||||||
It also means that subsequent pulls and merges will require you to have `gpg `ltrust the key `public_key.gpg`, and if you submit a pull request, the puller will need to ltrust your `gpg` public key.
|
|
||||||
|
|
||||||
`.gitconfig` adds several git aliases:
|
`.gitconfig` adds several git aliases:
|
||||||
|
|
||||||
1. `git utcmt` to do a commit without recording your timezone in the git history
|
1. `git utcmt` to do a commit without recording your timezone in the git history
|
||||||
1. `git lg` to display the gpg trust information for the last few commits.
|
1. `git lg` to display the gpg trust information for the last few commits.
|
||||||
For this to be useful you need to import the repository public key
|
For this to be useful you need to import the repository public key
|
||||||
`public_key.gpg` into gpg, and locally sign that key.
|
`public_key.gpg` into gpg, and `‑‑lsign` that key.
|
||||||
1. `git graph` to graph the commit tree with signing status
|
1. `git graph` to graph the commit tree with signing status
|
||||||
1. `git alias` to display the git aliases.
|
1. `git alias` to display the git aliases.
|
||||||
|
|
||||||
|
To only pull signed commits from people you have listed:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# To verify that the signature on future pulls is
|
git config merge.verifySignatures true
|
||||||
# unchanged.
|
|
||||||
gpg --import public_key.gpg
|
gpg --import public_key.gpg
|
||||||
gpg --lsign 096EAE16FB8D62E75D243199BC4482E49673711C
|
gpg --lsign 096EAE16FB8D62E75D243199BC4482E49673711C
|
||||||
```
|
```
|
||||||
|
|
||||||
We ignore the Gpg Web of Trust model and instead use the Zooko
|
We ignore the Gpg Web of Trust model, and instead use the Zooko
|
||||||
identity model.
|
identity model.
|
||||||
|
|
||||||
We use Gpg signatures to verify that remote repository code
|
We use Gpg signatures to verify that remote repository code
|
||||||
is coming from an unchanging entity, not for Gpg Web of Trust. Web
|
is coming from an unchanging entity, not for Gpg Web of Trust. Web
|
||||||
of Trust is too complicated and too user hostile to be workable or safe.
|
of Trust is too complicated and too user hostile to be workable or safe.
|
||||||
|
No one ever used it in the intended manner.
|
||||||
|
|
||||||
Never --sign any Gpg key related to this project. --lsign it.
|
The web of trust model was written around email, to protect against physhing and
|
||||||
|
spearphysh attacks. And who uses email for discussions and coordination these days?
|
||||||
|
That was useful in back in the days when when everything important was happening
|
||||||
|
on mailing lists like the cypherpunks mailing list. But even back in the day
|
||||||
|
the web of trust model had too many moving parts to be very useful. In
|
||||||
|
practice people only used Zooko identity, and Web of Trust was a cloud
|
||||||
|
of confusing complexity and user hostile interface on top of Zooko identity.
|
||||||
|
What gpg identity is primarily used for in practice is to make sure you
|
||||||
|
are getting the latest release from the same repository managed by the same person as
|
||||||
|
you got the previous release - which is Zooko identity, not Web of Trust
|
||||||
|
identity, and has no real relationship to email. Zooko identity is about
|
||||||
|
constancy of identity, Web of Trust is about rightful use of email
|
||||||
|
addresses. Web of trust was a true names mechanism, and today no one
|
||||||
|
speaks the truth under their true name.
|
||||||
|
|
||||||
|
Web of trust was designed for a high trust society - but in a high trust
|
||||||
|
society you don't need it, and in a low trust society, the name servers were
|
||||||
|
too vulnerable to enemy action, and died, leaving the Web of Trust user
|
||||||
|
interface in every installed copy of gpg a useless obstacle to people
|
||||||
|
trying to use gpg.
|
||||||
|
|
||||||
|
Never `‑‑sign` any Gpg key related to this project. `‑‑lsign` it.
|
||||||
|
|
||||||
`gitconfig` disallows merges unless you have told `gpg` to trust the
|
`gitconfig` disallows merges unless you have told `gpg` to trust the
|
||||||
public key corresponding to the private key that signed the tip of
|
public key corresponding to the private key that signed the tip of
|
||||||
|
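Review bot: `git config merge.verifySignatures true`, which replaces the old comment at the top of the bash block, verifies only the tip commit of the branch being merged, and, being a `merge.*` setting, only when a merge happens; a pull configured to rebase does not go through it. The new heading "To only pull signed commits from people you have listed" therefore promises more than the setting delivers; say instead that the tip of each merge must be signed by a key you have `--lsign`ed. The line also appears to restate what the included `.gitconfig` is already described as doing later in the hunk ("`gitconfig` disallows merges unless you have told `gpg` to trust the public key"), so either drop it or explain why both are needed. Separately, the flags in the new code spans `‑‑lsign` and `‑‑sign` (in "and `‑‑lsign` that key" and "Never `‑‑sign` any Gpg key related to this project. `‑‑lsign` it.") use non-ASCII hyphens that differ from the `--` in the block's own `gpg --lsign 096EAE16FB8D62E75D243199BC4482E49673711C`; a reader who copies them gets an unknown-option error from gpg, and plain `--` inside backticks is not turned into a dash by markdown, so write `--lsign` and `--sign`. Typos in the added prose: "useful in back in the days when when everything" doubles "in" and "when", and "physhing"/"spearphysh" read as "phishing"/"spear-phishing" unless the spelling is intentional.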