On 24 Feb 2017, at 18:04, Owen O'Malley <omal...@apache.org> wrote:

I think gpg signing of commits is a good practice. It also strongly
discourages rebasing on master and release branches, which is also a good
thing. On ORC, we try to sign all of our commits.

.. Owen


Good to know it works. What are the trouble spots?


FWIW, I'm actually keeping the key and doing the signing on this little toy
https://www.yubico.com/product/y4/

which works, except that on the newly rebuilt MacBook Pro the "Veuillez entrer votre
PIN" ("Please enter your PIN") prompts all appear in French. Either I fix that or I
learn a bit of French I never knew before. No idea why.



On Fri, Feb 24, 2017 at 3:36 AM, Steve Loughran <ste...@hortonworks.com> wrote:


For the next few days I'm experimenting with the -S option on signing
commits, which tells git to ask gpg to sign the commit, which will then
somehow get the little YubiKey plugged into my laptop to do the signing.

Because I've uploaded the public bit of the key to my GitHub repo, GitHub
can authenticate that it really was me doing the commit:

https://github.com/apache/hadoop/commit/9c22a91662af24569191ce45289ef8266e8755cc

and, if I'm trusted in your keyring, a git log --show-signature shows:

git log --show-signature 9c22a91662
commit 9c22a91662af24569191ce45289ef8266e8755cc
gpg: Signature made Fri 24 Feb 10:41:40 2017 GMT
gpg:                using RSA key 950CC3E032B79CA2
gpg: Good signature from "Steve Loughran <ste...@apache.org>" [ultimate]
Author: Steve Loughran <ste...@apache.org>
Date:   Fri Feb 24 10:41:36 2017 +0000

    HADOOP-14114 S3A can no longer handle unencoded + in URIs. Contributed by Sean Mackrory.

    (cherry picked from commit ff87ca84418a710c6dc884fe8c70947fcc6489d5)

You can also use GPG to sign a tag, then use git verify-tag to check the
signature; this stops anyone being able to silently move a tag: you can
move a tag, but then its signature is invalid.

Will it help make our code and development process more secure? Not
really, not if our build depends on pulling down artifacts from random
places with an MD5 or SHA1 validation *at best*. And signing patches
doesn't magically make the code inside secure. But it does at least add
some chain of provenance to who actually put stuff in, rather than the
logged committer of any patch being whoever that user chose to declare
themselves to be.

I'm only doing this for the never-rebased branches, and of course when
something gets cherry-picked, the signature becomes invalid. I'll decide
after a week or two whether it's a viable process. The opinions/experience
of others would be useful here.

-Steve

ps, key in question: https://pgp.mit.edu/pks/lookup?op=get&search=0x950CC3E032B79CA2
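The workflow described in the message above (sign with -S, check with git log --show-signature or git verify-tag, lose the signature on a cherry-pick or a moved tag) comes down to which bytes git hands to gpg. The Python below is an added illustration, not code from this thread, from Hadoop or ORC, or from git itself: it reconstructs the signed payload of a commit and of a tag from the raw object bytes the way git verify-commit and git verify-tag do, models the unsigned object that git cherry-pick -x writes, and wraps the gpg --verify invocation git runs. Every object, hash, name and the armored signature body is a constructed placeholder (the signature is not a real OpenPGP signature), so only the object-format handling runs offline; the gpg call would need a real signature and a key in your keyring.

```python
# Added illustration of what "git commit -S" / "git tag -s" sign and what
# verification checks. All object contents, hashes, names and the armored
# signature body are constructed placeholders, not real git data.
import hashlib
import shutil
import subprocess
import tempfile

BEGIN = b"-----BEGIN PGP SIGNATURE-----"
END = b"-----END PGP SIGNATURE-----"


def object_id(kind: bytes, raw: bytes) -> str:
    # Git object name: SHA-1 over "<type> <size>\0<raw>". The gpgsig header is
    # part of the raw commit, so the commit id also covers the signature.
    return hashlib.sha1(kind + b" " + str(len(raw)).encode() + b"\0" + raw).hexdigest()


def attach_commit_signature(payload: bytes, signature: bytes) -> bytes:
    # Store the armor as git does: a 'gpgsig' header after the other headers,
    # every further armor line (including the blank one) prefixed by a space.
    headers, _, message = payload.partition(b"\n\n")
    header = b"gpgsig " + signature.rstrip(b"\n").replace(b"\n", b"\n ") + b"\n"
    return headers + b"\n" + header + b"\n" + message


def split_commit_signature(raw: bytes):
    # What 'git verify-commit' does: returns (payload, signature). payload is
    # the exact byte string gpg checks (all headers except gpgsig, blank line,
    # message); signature is None for an unsigned commit.
    headers, _, message = raw.partition(b"\n\n")
    kept, sig_lines, in_sig = [], [], False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig_lines.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig_lines.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    payload = b"\n".join(kept) + b"\n\n" + message
    return payload, (b"\n".join(sig_lines) + b"\n" if sig_lines else None)


def split_tag_signature(raw: bytes):
    # Signed tags append the armor to the tag message; the signed payload is
    # everything before it, including the 'object' line naming the target.
    # That is why a tag moved to another commit cannot keep a valid signature.
    idx = raw.find(b"\n" + BEGIN)
    if idx < 0:
        return raw, None
    return raw[: idx + 1], raw[idx + 1 :]


def cherry_pick_unsigned(signed_raw: bytes, new_tree: str, new_parent: str, committer: bytes) -> bytes:
    # Model of the object 'git cherry-pick -x' writes: same author and message,
    # new tree, parent and committer, plus the source trailer. The old gpgsig is
    # not carried over (it would not match the new bytes); the new commit is only
    # signed if commit.gpgsign is set. Single-parent commits only, for brevity.
    payload, _ = split_commit_signature(signed_raw)
    headers, _, message = payload.partition(b"\n\n")
    fields = dict(line.split(b" ", 1) for line in headers.split(b"\n"))
    new_headers = b"\n".join([
        b"tree " + new_tree.encode(),
        b"parent " + new_parent.encode(),
        b"author " + fields[b"author"],
        b"committer " + committer,
    ])
    trailer = b"(cherry picked from commit " + object_id(b"commit", signed_raw).encode() + b")\n"
    return new_headers + b"\n\n" + message.rstrip(b"\n") + b"\n\n" + trailer


def gpg_verify(payload: bytes, signature: bytes) -> bool:
    # A minimal version of the check git performs: gpg --verify <sigfile> -
    # with the payload on stdin, looking for a GOODSIG status line. Not run in
    # the offline demo because the sample signature below is a placeholder.
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not installed")
    with tempfile.NamedTemporaryFile(suffix=".asc") as sig:
        sig.write(signature)
        sig.flush()
        result = subprocess.run(
            ["gpg", "--status-fd=1", "--keyid-format=long", "--verify", sig.name, "-"],
            input=payload, capture_output=True)
    return b"\n[GNUPG:] GOODSIG " in b"\n" + result.stdout


# Constructed sample objects: placeholder hashes, names and signature body.
FAKE_SIG = BEGIN + b"\n\n" + b"iQEzBAABCAAdFiEEplaceholderNotARealSignatureAFiE=\n=ab12\n" + END + b"\n"
TREE, PARENT = "a" * 40, "b" * 40
AUTHOR = b"Example Author <author@example.invalid> 1487932896 +0000"
COMMITTER = b"Example Committer <committer@example.invalid> 1487932900 +0000"
PAYLOAD = (b"tree " + TREE.encode() + b"\nparent " + PARENT.encode() + b"\nauthor " + AUTHOR
           + b"\ncommitter " + COMMITTER + b"\n\nFix URL encoding of '+'\n")
SIGNED_COMMIT = attach_commit_signature(PAYLOAD, FAKE_SIG)
SIGNED_TAG = (b"object " + object_id(b"commit", SIGNED_COMMIT).encode()
              + b"\ntype commit\ntag v1.0.0\ntagger " + COMMITTER + b"\n\nRelease 1.0.0\n" + FAKE_SIG)

if __name__ == "__main__":
    payload, sig = split_commit_signature(SIGNED_COMMIT)
    print("signed commit", object_id(b"commit", SIGNED_COMMIT), "payload bytes:", len(payload))
    picked = cherry_pick_unsigned(SIGNED_COMMIT, "c" * 40, "d" * 40, COMMITTER)
    print("cherry-pick  ", object_id(b"commit", picked), "signature:", split_commit_signature(picked)[1])
```

Three things fall out of the byte layout: the tree, parent and committer lines sit under the signature, so a cherry-pick or rebase rewrites the signed bytes and has to re-sign; the commit id covers the gpgsig header, so a signature cannot be swapped without changing the hash; and a tag's object line is signed, so a tag moved to another commit only keeps a valid signature if it is signed again. The same split can be done by hand with git cat-file commit <id> and gpg --verify when you want to see exactly what GitHub's "Verified" badge is checking.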
