Harness the power of signify(1) to sign arbitrary git objects

Overview

git-signify

A tool to sign arbitrary objects in a git repository.

Generating keys

Signing keys can be generated with signify, from the OpenBSD project.

$ signify -G -p newkey.pub -s newkey.sec

If you do not wish to encrypt your secret key with a passphrase, pass the -n flag to signify when generating it.

Basic usage

This program keeps track of signatures made by a keypair with a given fingerprint as git references. References can be fetched from and pushed to a remote.

$ git signify pull origin
$ git signify push origin

Verification can be done with git signify verify. For example, to verify a release of git-signify itself:

$ git pull --tags
$ git signify pull
$ git signify verify -k <(curl -sfL https://gandas.us.to/keys/git.pub) v0.3.0

To sign git revisions, run something akin to:

$ git signify sign -k <secret-key> v0.3.0

In-depth

Brief overview of how this program works

git-signify writes a tree object to some git repository containing the following blobs:

100644 blob aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa	object
100644 blob bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb	signature

Here object stores the raw (20-byte) object id of the git object being signed, and signature stores the signature over object. The id of this tree is what git signify raw sign prints.
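As an added example (not code from git-signify), the Python below reproduces the layout just described: it builds the two-blob tree exactly as git would hash it, and parses signify(1) key and signature files to check that the 8-byte key number matches, the first check signify performs before the Ed25519 verification proper. It assumes the signature blob is an ordinary signify signature file; the object id, key and signature bytes are constructed samples.

```python
import base64
import hashlib

# Constructed sample values (not from the project): the id of the object being
# signed and a key number shared by a fake public key and fake signature.
SAMPLE_OID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
KEYNUM = b"\x01\x02\x03\x04\x05\x06\x07\x08"


def git_hash_object(kind: bytes, data: bytes) -> bytes:
    """Raw 20-byte SHA-1 id git assigns to an object, as `git hash-object -t` would."""
    header = kind + b" " + str(len(data)).encode() + b"\0"
    return hashlib.sha1(header + data).digest()


def signature_tree(oid_hex: str, signature_file: bytes) -> tuple[bytes, dict]:
    """Build the two-blob tree git-signify stores and return (tree id, blobs).

    `object` holds the raw 20-byte id of the signed object, `signature` the
    signify signature over those 20 bytes (assumed to be a signify signature file).
    """
    blobs = {b"object": bytes.fromhex(oid_hex), b"signature": signature_file}
    # git mktree sorts entries by name; each is "<mode> <name>\0<raw blob id>".
    body = b"".join(
        b"100644 " + name + b"\0" + git_hash_object(b"blob", blobs[name])
        for name in sorted(blobs)
    )
    return git_hash_object(b"tree", body), blobs


def parse_signify(file_bytes: bytes, body_len: int) -> tuple[bytes, bytes]:
    """Parse a signify key/signature file: an 'untrusted comment' line, then base64
    of a 2-byte algorithm tag, an 8-byte key number and the body (32-byte public
    key or 64-byte signature). Returns (key number, body)."""
    comment, b64 = file_bytes.split(b"\n")[:2]
    if not comment.startswith(b"untrusted comment: "):
        raise ValueError("missing untrusted comment line")
    raw = base64.b64decode(b64)
    if raw[:2] != b"Ed" or len(raw) != 2 + 8 + body_len:
        raise ValueError("not a signify Ed25519 file of the expected length")
    return raw[2:10], raw[10:]


def key_matches_signature(pubkey_file: bytes, signature_file: bytes) -> bool:
    """Key-number check: a signature tree checked against an unrelated public key
    fails here, before any Ed25519 arithmetic is attempted."""
    return parse_signify(pubkey_file, 32)[0] == parse_signify(signature_file, 64)[0]


def make_file(comment: bytes, keynum: bytes, body: bytes) -> bytes:
    """Assemble a signify-format file from its parts (used to build the samples)."""
    return b"untrusted comment: " + comment + b"\n" + base64.b64encode(b"Ed" + keynum + body) + b"\n"


SAMPLE_PUB = make_file(b"sample public key", KEYNUM, bytes(32))
SAMPLE_SIG = make_file(b"sample signature", KEYNUM, bytes(64))
```

The tree id returned by signature_tree for a real signature blob is the value you would compare against the output of git signify raw sign.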

Storing signatures in tags

To store signatures in tags, one must use the "raw" mode of git-signify. The raw flags supported by this program and their respective documentation can be checked by running the following commands:

$ git signify raw -h
$ git signify raw sign -h
$ git signify raw verify -h

The suggested approach to store signatures in tags is the following:

$ SIGNATURE_TREE=$(git signify raw sign -k $SECRET_KEY $OBJECT_TO_SIGN)
$ SIGNATURE_COMMIT=$(git commit-tree $SIGNATURE_TREE -m Signature)
$ git tag signature-$OBJECT_TO_SIGN $SIGNATURE_COMMIT
$ git push --tags

Verification can then be done with:

$ git signify raw verify -p -k $PUBLIC_KEY $SIGNATURE_COMMIT^{tree}
Comments
  • Replace top-level sign and verify commands

    Related to #1 and #2

    The top-level sign and verify commands should be replaced with higher level commands that store signature trees in git references, and read from these references, respectively.

    Example:

    # writes to .git/refs/signify/signatures/<key-fingerprint>/<git-revision>
    $ git signify sign -k <key> <git-revision>

    # reads from .git/refs/signify/signatures/<key-fingerprint>/<git-revision>
    $ git signify verify -k <key> <git-revision>

    enhancement
    opened by sug0 0
  • Move `sign` and `verify` to low level commands section

    The primitives sign and verify should seldom be used directly. We should move them to a sub-command like:

    $ git signify primitive sign ...
    $ git signify primitive verify ...

    enhancement
    opened by sug0 0
  • Store signatures in git references

    References to signatures can be stored in a namespace identical to:

    .git/refs/signify/signatures/<fingerprint>/<signed-object-id>

    Where <fingerprint> is the result of running git hash-object on the raw public key bytes of a user identity (i.e. keypair), and <signed-object-id> corresponds to the id of a signed object. The content of the reference can be the output of signing an object with git signify.

    enhancement
    opened by sug0 0
Owner
Tiago Carvalho