forked from cheng/wallet
Obsoleted by Git now implementing its own trust model
so my elaborate workarounds of gpg's trust model are rendered irrelevant and stupid.
This commit is contained in:
parent
a88fc58e71
commit
90ac55f30a
@ -83,6 +83,18 @@ It will, however, also implement signed commits, insist that you have `gpg` on
because [cryptographic software is under attack] from NSA
entryists and shills, who seek to introduce backdoors.

[has its own trust model based on *ssh* and gpg keys]:https://git-scm.com/docs/git-config
{target="_blank"}

〔Note that this has been obsoleted and needs to be rewritten
since git now [has its own trust model based on *ssh* and gpg keys]
and the file `gpg.ssh.allowedSignersFile`,
which should be in a repository that only allows signed commits.

Git now has a bunch of hooks that are accessed through config entries
starting with `gpg.` that potentially allow us to supply zooko names
for git signed commits.〕

This may be inconvenient if you do not have `gpg` installed and set up.

It also means that subsequent pulls and merges will require you to have `gpg `trust the key `public_key.gpg`, and if you submit a pull request, the puller will need to trust your `gpg` public key.
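Review bot: `gpg.ssh.allowedSignersFile` (third line of the added bracketed note) is a git config key, not a file; it holds the path of the allowed-signers file, so the note should read something like "the allowed signers file that `gpg.ssh.allowedSignersFile` points to". The same note says that file "should be in a repository that only allows signed commits", which leaves the bootstrap unstated: on a first clone there is nothing yet to verify the signers file against, so say where a newcomer obtains and checks the initial list (the role the fingerprint of `public_key.gpg` plays in the existing text). While this passage is being touched, the unchanged context line below has a misplaced backtick in `` `gpg `trust ``; it should be `` `gpg` trust ``.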
@ -68,6 +68,18 @@ this happening all the time in cryptographic products.

# Code will be cryptographically signed

[has its own trust model based on *ssh* and gpg keys]:https://git-scm.com/docs/git-config
{target="_blank"}

〔Note that this has been obsoleted and needs to be rewritten
since git now [has its own trust model based on *ssh* and gpg keys]
and the file `gpg.ssh.allowedSignersFile`,
which should be in a repository that only allows signed commits.

Git now has a bunch of hooks that are accessed through config entries
starting with `gpg.` that potentially allow us to supply zooko names
for git signed commits.〕

Of necessity, we will rest our developer identities on GPG keys, until we
can eat our own dogfood and use our own system's cryptographic keys.
Login identities shall have no password reset, because that is a security
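Review bot: this bracketed note is inserted word for word from the previous hunk, including the `[has its own trust model based on *ssh* and gpg keys]` reference definition and its `{target="_blank"}` line; a to-do duplicated in two places tends to get rewritten in one and forgotten in the other, so keep the note in one place and cross-reference it, or at least define the link once. It also sits directly above "Of necessity, we will rest our developer identities on GPG keys", a paragraph the note declares obsolete without changing; say which part is obsolete (the workaround of gpg's web-of-trust model) and which still holds (each developer still needs a signing key, ssh or gpg, under git's own model), so the section does not contradict itself until the rewrite happens.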
@ -201,36 +213,58 @@ if you add the recommended repository configuration defaults to your local repos
git config --local include.path ../.gitconfig
```

This will implement signed commits and will insist that you have `gpg` on your path, and that you have cohfigured a signing key in your local config, and will refuse to pull updates that are signed by a gpg key that you have not locally trusted.
This will implement signed commits and will insist that you have `gpg` on your path,
and that you have configured a signing key in your local config.

This may be inconvenient if you do not have `gpg` installed and set up.

It also means that subsequent pulls and merges will require you to have `gpg `ltrust the key `public_key.gpg`, and if you submit a pull request, the puller will need to ltrust your `gpg` public key.

`.gitconfig` adds several git aliases:

1. `git utcmt` to do a commit without recording your timezone in the git history
1. `git lg` to display the gpg trust information for the last few commits.
For this to be useful you need to import the repository public key
`public_key.gpg` into gpg, and locally sign that key.
`public_key.gpg` into gpg, and `‑‑lsign` that key.
1. `git graph` to graph the commit tree with signing status
1. `git alias` to display the git aliases.

To only pull signed commits from people you have listed:

```bash
# To verify that the signature on future pulls is
# unchanged.
git config merge.verifySignatures true
gpg --import public_key.gpg
gpg --lsign 096EAE16FB8D62E75D243199BC4482E49673711C
```

We ignore the Gpg Web of Trust model and instead use the Zooko
We ignore the Gpg Web of Trust model, and instead use the Zooko
identity model.

We use Gpg signatures to verify that remote repository code
is coming from an unchanging entity, not for Gpg Web of Trust. Web
of Trust is too complicated and too user hostile to be workable or safe.
No one ever used it in the intended manner.

Never --sign any Gpg key related to this project. --lsign it.
The web of trust model was written around email, to protect against physhing and
spearphysh attacks. And who uses email for discussions and coordination these days?
That was useful in back in the days when when everything important was happening
on mailing lists like the cypherpunks mailing list. But even back in the day
the web of trust model had too many moving parts to be very useful. In
practice people only used Zooko identity, and Web of Trust was a cloud
of confusing complexity and user hostile interface on top of Zooko identity.
What gpg identity is primarily used for in practice is to make sure you
are getting the latest release from the same repository managed by the same person as
you got the previous release - which is Zooko identity, not Web of Trust
identity, and has no real relationship to email. Zooko identity is about
constancy of identity, Web of Trust is about rightful use of email
addresses. Web of trust was a true names mechanism, and today no one
speaks the truth under their true name.

Web of trust was designed for a high trust society - but in a high trust
society you don't need it, and in a low trust society, the name servers were
too vulnerable to enemy action, and died, leaving the Web of Trust user
interface in every installed copy of gpg a useless obstacle to people
trying to use gpg.

Never `‑‑sign` any Gpg key related to this project. `‑‑lsign` it.

`gitconfig` disallows merges unless you have told `gpg` to trust the
public key corresponding to the private key that signed the tip of
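Review bot: the added lines `` `public_key.gpg` into gpg, and `‑‑lsign` that key. `` and `` Never `‑‑sign` any Gpg key related to this project. `‑‑lsign` it. `` use non-ASCII hyphen characters inside code spans (they render as `‑‑`, not `--`), while the fenced block and the line being removed use ASCII `--`; a reader who copies `‑‑lsign` into a shell gets an option gpg does not recognise, so use plain `--lsign` and `--sign` and leave line breaking to the renderer. Further points in this hunk: the rewritten sentence drops "and will refuse to pull updates that are signed by a gpg key that you have not locally trusted", yet `merge.verifySignatures true` in the fenced block still produces exactly that refusal, so the warning belongs in the new wording; the fenced block should tell the reader to compare the fingerprint `096EAE16FB8D62E75D243199BC4482E49673711C` against what `gpg --fingerprint` shows for the imported key before running `--lsign`, because locally signing the wrong key silently defeats the check; and the new paragraph has "physhing"/"spearphysh" for phishing/spearphish and a doubled "in back in the days when when".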