Thanks Steve for starting the discussion.
Now I commit and cherry-pick patches with the -S option and have not faced any problems.

-Akira

On 2017/02/24 20:36, Steve Loughran wrote:

For the next few days I'm experimenting with the -S option on signing commits, 
which tells git to ask gpg to sign the commit, which will then somehow get the 
little yubikey plugged into my laptop to do the signing

Because I've uploaded the public bit of the key to my github repo, Github can 
authenticate that it really was me doing the commit

https://github.com/apache/hadoop/commit/9c22a91662af24569191ce45289ef8266e8755cc

and, if i'm trusted in your keyring, a git log --show-signature

 git log --show-signature 9c22a91662
commit 9c22a91662af24569191ce45289ef8266e8755cc
gpg: Signature made Fri 24 Feb 10:41:40 2017 GMT
gpg:                using RSA key 950CC3E032B79CA2
gpg: Good signature from "Steve Loughran <ste...@apache.org>" [ultimate]
Author: Steve Loughran <ste...@apache.org>
Date:   Fri Feb 24 10:41:36 2017 +0000

    HADOOP-14114 S3A can no longer handle unencoded + in URIs. Contributed by 
Sean Mackrory.

    (cherry picked from commit ff87ca84418a710c6dc884fe8c70947fcc6489d5)

You can also use GPG to sign a tag, then use git verify-tag to check the 
signature; this stops anyone being able to silently move a tag: you can move a 
tag, but then its signature is invalid.

Will it help make our code and development process more secure? Not really, not 
if our build depends on pulling down artifacts from random places with an MD5 or 
SHA1 validation *at best*. And signing patches doesn't magically make the code 
inside secure. But it does at least add some chain of provenance to who 
actually put stuff in, rather than the logged committer of any patch being 
whoever that user chose to declare themselves to be.

I'm only doing this for the never-rebased branches, and of course when 
something gets cherry-picked, the signature becomes invalid. I'll decide after 
a week or two whether it's a viable process. The opinions/experience of others 
would be useful here.

-Steve

ps, key in question: 
https://pgp.mit.edu/pks/lookup?op=get&search=0x950CC3E032B79CA2

---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org