* [Bitcoin-development] PSA: Please sign your git commits @ 2014-05-21 12:23 Wladimir 2014-05-21 16:39 ` Chris Beams 0 siblings, 1 reply; 15+ messages in thread From: Wladimir @ 2014-05-21 12:23 UTC (permalink / raw) To: Bitcoin Dev Hello all, When you're contributing to Bitcoin Core development please sign your git commits. This is easy to do and will help in assuring the integrity of the tree. How to sign your commits? ------------------------------------------ Provide the `-S` flag (or `--gpg-sign`) to git commit when you commit your changes, for example git commit -m "Commit message" -S Optionally you can provide a key id after the -S option to sign with a specific key. What if I forgot? ------------------------- You can retroactively sign your previous commit using --amend, for example git commit -S --amend If you need to go further back, you can use the interactive rebase command with 'edit'. Replace HEAD~3 with the base commit from which you want to start. git rebase -i HEAD~3 Replace 'pick' by 'edit' for the commit that you want to sign and the rebasing will stop after that commit. Then you can amend the commit as above. Afterwards, do git rebase --continue As this will rewrite history, you cannot do this when your commit is already merged. In that case, too bad, better luck next time. If you rewrite history for another reason - for example when squashing commits - make sure that you re-sign as the signatures will be lost. How to check if commits are signed? ------------------------------------------------------- Use git log with show-signature, git log --show-signature commit 6fcdad787f1fb381a3a0fe6b1a1e45477426dccb gpg: Signature made Wed 21 May 2014 12:27:55 PM CEST using RSA key ID 2346C9A6 gpg: Good signature from "Wladimir J. van der Laan <laanwj@gmail.com>" Author: Wladimir J. van der Laan <laanwj@gmail.com> Date: Wed May 21 12:27:37 2014 +0200 qt: Periodic language update ... You can also pass the --show-signature option to `git show` to check a single commit. If you do this on the current repository you'll see that I'm almost the only person signing commits. I would like more people to get into this habit. How to sign merges? -------------------------------- When using the github interface to merge a pull request, the resulting merge commit is not signed. Pieter Wullie wrote a script that simplifies merging and signing. It can be found in contrib/devtools. Setup instructions can be found in the README.md in that directory. After setting it up for the repository you can use the script in the following way: contrib/devtools/github-merge.sh 1234 Replace 1234 by the pull request number that you want to merge. It will merge the pull request and drop you into a shell so you can verify changes and test. Once satisfied, exit the shell and answer the questions to merge and sign it and push upstream automatically (or not). Please use this script when possible for merging instead of the github interface. -------------------------- Wladimir ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Bitcoin-development] PSA: Please sign your git commits 2014-05-21 12:23 [Bitcoin-development] PSA: Please sign your git commits Wladimir @ 2014-05-21 16:39 ` Chris Beams 2014-05-21 17:10 ` Wladimir 2014-05-21 20:25 ` David A. Harding 0 siblings, 2 replies; 15+ messages in thread From: Chris Beams @ 2014-05-21 16:39 UTC (permalink / raw) To: Wladimir; +Cc: Bitcoin Dev [-- Attachment #1.1: Type: text/plain, Size: 4753 bytes --] Hi Wladimir, I'm personally happy to comply with this for any future commits, but wonder if you've considered the arguments against commit signing [1]? Note especially the reference therein to Linus' original negative opinion on signed commits [2]. I came across these when searching for a way to enable signing by default, e.g. a `git config` option that might allow for this. Unfortunately, there isn't one, meaning it's likely that most folks will forget to do this most of the time. If you're really serious about it, you should probably reject pull requests without signed commits; otherwise, signing becomes meaningless because only honest authors do it, and forgetful or malicious ones can avoid it without penalty. That said, I'm not sure that creating such a barrier to contribution is worth it. - Chris [1]: http://stackoverflow.com/a/10166916/622403 [2]: http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html On May 21, 2014, at 2:23 PM, Wladimir <laanwj@gmail.com> wrote: > Hello all, > > When you're contributing to Bitcoin Core development please sign your > git commits. This is easy to do and will help in assuring the > integrity of the tree. > > How to sign your commits? > ------------------------------------------ > > Provide the `-S` flag (or `--gpg-sign`) to git commit when you commit > your changes, for example > > git commit -m "Commit message" -S > > Optionally you can provide a key id after the -S option to sign with a > specific key. > > What if I forgot? > ------------------------- > > You can retroactively sign your previous commit using --amend, for example > > git commit -S --amend > > If you need to go further back, you can use the interactive rebase > command with 'edit'. Replace HEAD~3 with the base commit from which > you want to start. > > git rebase -i HEAD~3 > > Replace 'pick' by 'edit' for the commit that you want to sign and the > rebasing will stop after that commit. Then you can amend the commit as > above. Afterwards, do > > git rebase --continue > > As this will rewrite history, you cannot do this when your commit is > already merged. In that case, too bad, better luck next time. > > If you rewrite history for another reason - for example when squashing > commits - make sure that you re-sign as the signatures will be lost. > > How to check if commits are signed? > ------------------------------------------------------- > > Use git log with show-signature, > > git log --show-signature > > commit 6fcdad787f1fb381a3a0fe6b1a1e45477426dccb > gpg: Signature made Wed 21 May 2014 12:27:55 PM CEST using RSA key > ID 2346C9A6 > gpg: Good signature from "Wladimir J. van der Laan <laanwj@gmail.com>" > Author: Wladimir J. van der Laan <laanwj@gmail.com> > Date: Wed May 21 12:27:37 2014 +0200 > > qt: Periodic language update > ... > > You can also pass the --show-signature option to `git show` to check a > single commit. > > If you do this on the current repository you'll see that I'm almost > the only person signing commits. I would like more people to get into > this habit. > > How to sign merges? > -------------------------------- > > When using the github interface to merge a pull request, the resulting > merge commit is not signed. > > Pieter Wullie wrote a script that simplifies merging and signing. It > can be found in contrib/devtools. Setup instructions can be found in > the README.md in that directory. After setting it up for the > repository you can use the script in the following way: > > contrib/devtools/github-merge.sh 1234 > > Replace 1234 by the pull request number that you want to merge. It > will merge the pull request and drop you into a shell so you can > verify changes and test. Once satisfied, exit the shell and answer the > questions to merge and sign it and push upstream automatically (or > not). > > Please use this script when possible for merging instead of the github > interface. > > -------------------------- > > Wladimir > > ------------------------------------------------------------------------------ > "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE > Instantly run your Selenium tests across 300+ browser/OS combos. > Get unparalleled scalability from the best Selenium testing platform available > Simple to use. Nothing to install. Get started now for free." > http://p.sf.net/sfu/SauceLabs > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development [-- Attachment #1.2: Type: text/html, Size: 5756 bytes --] [-- Attachment #2: Message signed with OpenPGP using GPGMail --] [-- Type: application/pgp-signature, Size: 842 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Bitcoin-development] PSA: Please sign your git commits 2014-05-21 16:39 ` Chris Beams @ 2014-05-21 17:10 ` Wladimir 2014-05-21 20:30 ` Mark Friedenbach 2014-05-23 10:23 ` Wladimir 2014-05-21 20:25 ` David A. Harding 1 sibling, 2 replies; 15+ messages in thread From: Wladimir @ 2014-05-21 17:10 UTC (permalink / raw) To: Chris Beams; +Cc: Bitcoin Dev Hello Chris, On Wed, May 21, 2014 at 6:39 PM, Chris Beams <chris@beams.io> wrote: > I'm personally happy to comply with this for any future commits, but wonder > if you've considered the arguments against commit signing [1]? Note > especially the reference therein to Linus' original negative opinion on > signed commits [2]. Yes, I've read it. But would his alternative, signing tags, really help us more here? How would that work? How would we have to structure the process? At least signed commits are easy to integrate into the current development process with github - only a different way of merging has to be used. > I came across these when searching for a way to enable signing by default, > e.g. a `git config` option that might allow for this. Unfortunately, there > isn't one, meaning it's likely that most folks will forget to do this most > of the time. I'll remind people if they forget to do it, but I won't require it. As you say, that would be an extra barrier, and I'm not suggesting this because I to see people jumping through bureaucratic hoops. But it is a pretty simple thing to do... > If you're really serious about it, you should probably reject pull requests > without signed commits; otherwise, signing becomes meaningless because only > honest authors do it, and forgetful or malicious ones can avoid it without > penalty. This is not because I'm afraid of malicious authors, but because I want to reduce the risk that github hacks would pose. Something to watch for would be authors that normally sign pull requests/merges and suddenly don't. Someone malicious may have gained access to their github account. This just adds an extra layer of protection. Cheers, Wladimir ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Bitcoin-development] PSA: Please sign your git commits 2014-05-21 17:10 ` Wladimir @ 2014-05-21 20:30 ` Mark Friedenbach 2014-05-21 21:02 ` Gregory Maxwell 2014-05-23 10:23 ` Wladimir 1 sibling, 1 reply; 15+ messages in thread From: Mark Friedenbach @ 2014-05-21 20:30 UTC (permalink / raw) To: bitcoin-development On 05/21/2014 10:10 AM, Wladimir wrote: > On Wed, May 21, 2014 at 6:39 PM, Chris Beams <chris@beams.io> wrote: >> I'm personally happy to comply with this for any future commits, but wonder >> if you've considered the arguments against commit signing [1]? Note >> especially the reference therein to Linus' original negative opinion on >> signed commits [2]. > > Yes, I've read it. But would his alternative, signing tags, really > help us more here? Honest question: what would signed commits do to help us here anyway? What's the problem being solved? Unfortunately git places signatures in the history itself, so it's not like we could use easily use signatures to indicate acceptance after code review, like we could if we were using monotone for example. Git just wasn't designed for a commit-signing workflow. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Bitcoin-development] PSA: Please sign your git commits 2014-05-21 20:30 ` Mark Friedenbach @ 2014-05-21 21:02 ` Gregory Maxwell 2014-05-22 18:06 ` Jeff Garzik 0 siblings, 1 reply; 15+ messages in thread From: Gregory Maxwell @ 2014-05-21 21:02 UTC (permalink / raw) To: Mark Friedenbach; +Cc: Bitcoin Development On Wed, May 21, 2014 at 1:30 PM, Mark Friedenbach <mark@monetize.io> wrote: > Honest question: what would signed commits do to help us here anyway? > What's the problem being solved? > > Unfortunately git places signatures in the history itself, so it's not > like we could use easily use signatures to indicate acceptance after > code review, like we could if we were using monotone for example. Git > just wasn't designed for a commit-signing workflow. Just makes it easier to sort out things like your git account (or the git site) being compromised and used to submit commits. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Bitcoin-development] PSA: Please sign your git commits 2014-05-21 21:02 ` Gregory Maxwell @ 2014-05-22 18:06 ` Jeff Garzik 2014-05-23 0:25 ` Peter Todd 2014-05-23 7:12 ` Wladimir 0 siblings, 2 replies; 15+ messages in thread From: Jeff Garzik @ 2014-05-22 18:06 UTC (permalink / raw) To: Gregory Maxwell; +Cc: Bitcoin Development Related: Current multi-sig wallet technology being rolled out now, with 2FA and other fancy doodads, is now arguably more secure than my PGP keyring. My PGP keyring is, to draw an analogy, a non-multisig wallet (set of keys), with all the associated theft/data destruction/backup risks. The more improvements I see in bitcoin wallets, the more antiquated my PGP keyring appears. Zero concept of multisig. The PGP keyring compromise process is rarely exercised. 2FA is lacking. At least offline signing works well. Mostly. On Wed, May 21, 2014 at 5:02 PM, Gregory Maxwell <gmaxwell@gmail.com> wrote: > On Wed, May 21, 2014 at 1:30 PM, Mark Friedenbach <mark@monetize.io> wrote: >> Honest question: what would signed commits do to help us here anyway? >> What's the problem being solved? >> >> Unfortunately git places signatures in the history itself, so it's not >> like we could use easily use signatures to indicate acceptance after >> code review, like we could if we were using monotone for example. Git >> just wasn't designed for a commit-signing workflow. > > Just makes it easier to sort out things like your git account (or the > git site) being compromised and used to submit commits. > > ------------------------------------------------------------------------------ > "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE > Instantly run your Selenium tests across 300+ browser/OS combos. > Get unparalleled scalability from the best Selenium testing platform available > Simple to use. Nothing to install. Get started now for free." > http://p.sf.net/sfu/SauceLabs > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development -- Jeff Garzik Bitcoin core developer and open source evangelist BitPay, Inc. https://bitpay.com/ ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Bitcoin-development] PSA: Please sign your git commits 2014-05-22 18:06 ` Jeff Garzik @ 2014-05-23 0:25 ` Peter Todd 2014-05-23 7:12 ` Wladimir 1 sibling, 0 replies; 15+ messages in thread From: Peter Todd @ 2014-05-23 0:25 UTC (permalink / raw) To: Jeff Garzik, Gregory Maxwell; +Cc: Bitcoin Development -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I've got a PGP smart card reader and card with a securely generated key and pin entered per signature. Re: multisig, that's precisely why we want more than just a single maintainer signing commits. PGP isn't perfect, but perfect is the enemy of good. On 22 May 2014 21:06:10 GMT+03:00, Jeff Garzik <jgarzik@bitpay.com> wrote: >Related: Current multi-sig wallet technology being rolled out now, >with 2FA and other fancy doodads, is now arguably more secure than my >PGP keyring. My PGP keyring is, to draw an analogy, a non-multisig >wallet (set of keys), with all the associated theft/data >destruction/backup risks. > >The more improvements I see in bitcoin wallets, the more antiquated my >PGP keyring appears. Zero concept of multisig. The PGP keyring >compromise process is rarely exercised. 2FA is lacking. At least >offline signing works well. Mostly. -----BEGIN PGP SIGNATURE----- Version: APG v1.1.1 iQFQBAEBCAA6BQJTfpWNMxxQZXRlciBUb2RkIChsb3cgc2VjdXJpdHkga2V5KSA8 cGV0ZUBwZXRlcnRvZGQub3JnPgAKCRAZnIM7qOfwhfVGB/448B6UvhN7bmFQxmLS 9+wlhWGYioJKUPspz2Wtk0p8v1y1XlDt0UxC+5ODin4a/Zk0+0x4G4MWyaUP1TnA Wq9FquY3MwTXDrwWzmeQR4QcRbC+EMMk6kXswzT4d/2clUwB1pLl2MYGnS9DjUK2 of0kzZEbaQvxSKcFmvuqhz0QqGy84pkHAFBHfopS1j4WqIZpelUMzBGRYP8D1IQd H/M2YxdQ7T8peiNigqWSyllchKqGoLG+KEr3mvTYRLkxoYw5XTcFyc5AmuTRfzEC yhRc7CJwTZjHYahgZRPGJQM0qeopdIVAifCu9NoPgdkyuQL+X8XSidrU5Kbv/YeZ Scv/ =GdA4 -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Bitcoin-development] PSA: Please sign your git commits 2014-05-22 18:06 ` Jeff Garzik 2014-05-23 0:25 ` Peter Todd @ 2014-05-23 7:12 ` Wladimir 2014-05-23 16:38 ` Mark Friedenbach 2014-05-23 16:48 ` Kyle Jerviss 1 sibling, 2 replies; 15+ messages in thread From: Wladimir @ 2014-05-23 7:12 UTC (permalink / raw) To: Jeff Garzik; +Cc: Bitcoin Development On Thu, May 22, 2014 at 8:06 PM, Jeff Garzik <jgarzik@bitpay.com> wrote: > Related: Current multi-sig wallet technology being rolled out now, > with 2FA and other fancy doodads, is now arguably more secure than my > PGP keyring. My PGP keyring is, to draw an analogy, a non-multisig > wallet (set of keys), with all the associated theft/data > destruction/backup risks. > > The more improvements I see in bitcoin wallets, the more antiquated my > PGP keyring appears. Zero concept of multisig. The PGP keyring > compromise process is rarely exercised. 2FA is lacking. At least > offline signing works well. Mostly. Would be incredible to have multisig for git commits as well. I don't think git supports multiple signers for one commit at this point - amending the signature replaces the last one - but it would allow for some interesting multi-factor designs in which the damage when a dev's computer is compromised would be reduced. Sounds like a lot of work to get a good workflow there, though. My mail about single-signing commits was already longer than I expected when I started writing there. Even though the process is really simple. Though if anyone's interest is piqued by this, please pick it up. Wladimir ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Bitcoin-development] PSA: Please sign your git commits 2014-05-23 7:12 ` Wladimir @ 2014-05-23 16:38 ` Mark Friedenbach 2014-05-23 16:48 ` Kyle Jerviss 1 sibling, 0 replies; 15+ messages in thread From: Mark Friedenbach @ 2014-05-23 16:38 UTC (permalink / raw) To: bitcoin-development I know the likelihood of this happening is slim, but if these are the desired features we should consider switching to monotone (monotone.ca) which has a much more flexible DAG structure and workflow built around programmable multi-sig signing of commits. We could still maintain the github account as a two-way repository interface, but acceptance of a pull request would require some threshold signature sign-off in monotone. I would seriously suggest anybody on this list exploring monotone if you haven't already, at least for your personal projects if it is too late to make that choice for bitcoin. Besides the benefits of using it, we should be supporting build infrastructure that enables less trusted, less centralized development. http://www.monotone.ca/ Mark On 05/23/2014 12:12 AM, Wladimir wrote: > On Thu, May 22, 2014 at 8:06 PM, Jeff Garzik <jgarzik@bitpay.com> wrote: >> Related: Current multi-sig wallet technology being rolled out now, >> with 2FA and other fancy doodads, is now arguably more secure than my >> PGP keyring. My PGP keyring is, to draw an analogy, a non-multisig >> wallet (set of keys), with all the associated theft/data >> destruction/backup risks. >> >> The more improvements I see in bitcoin wallets, the more antiquated my >> PGP keyring appears. Zero concept of multisig. The PGP keyring >> compromise process is rarely exercised. 2FA is lacking. At least >> offline signing works well. Mostly. > > Would be incredible to have multisig for git commits as well. I don't > think git supports multiple signers for one commit at this point - > amending the signature replaces the last one - but it would allow for > some interesting multi-factor designs in which the damage when a dev's > computer is compromised would be reduced. > > Sounds like a lot of work to get a good workflow there, though. > > My mail about single-signing commits was already longer than I > expected when I started writing there. Even though the process is > really simple. > > Though if anyone's interest is piqued by this, please pick it up. > > Wladimir > ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Bitcoin-development] PSA: Please sign your git commits 2014-05-23 7:12 ` Wladimir 2014-05-23 16:38 ` Mark Friedenbach @ 2014-05-23 16:48 ` Kyle Jerviss 2014-05-23 17:32 ` Gregory Maxwell 1 sibling, 1 reply; 15+ messages in thread From: Kyle Jerviss @ 2014-05-23 16:48 UTC (permalink / raw) To: Wladimir, Jeff Garzik; +Cc: Bitcoin Development Multisig is great for irreversible actions, but pointless most of the time, which is why no PGP developer or user ever thought to implement it. If you lose a key and an attacker signs a bogus email or commit with it, we all roll back with no lasting harm done. Wladimir wrote: > On Thu, May 22, 2014 at 8:06 PM, Jeff Garzik <jgarzik@bitpay.com> wrote: >> Related: Current multi-sig wallet technology being rolled out now, >> with 2FA and other fancy doodads, is now arguably more secure than my >> PGP keyring. My PGP keyring is, to draw an analogy, a non-multisig >> wallet (set of keys), with all the associated theft/data >> destruction/backup risks. >> >> The more improvements I see in bitcoin wallets, the more antiquated my >> PGP keyring appears. Zero concept of multisig. The PGP keyring >> compromise process is rarely exercised. 2FA is lacking. At least >> offline signing works well. Mostly. > Would be incredible to have multisig for git commits as well. I don't > think git supports multiple signers for one commit at this point - > amending the signature replaces the last one - but it would allow for > some interesting multi-factor designs in which the damage when a dev's > computer is compromised would be reduced. > > Sounds like a lot of work to get a good workflow there, though. > > My mail about single-signing commits was already longer than I > expected when I started writing there. Even though the process is > really simple. > > Though if anyone's interest is piqued by this, please pick it up. > > Wladimir > > ------------------------------------------------------------------------------ > "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE > Instantly run your Selenium tests across 300+ browser/OS combos. > Get unparalleled scalability from the best Selenium testing platform available > Simple to use. Nothing to install. Get started now for free." > http://p.sf.net/sfu/SauceLabs > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Bitcoin-development] PSA: Please sign your git commits 2014-05-23 16:48 ` Kyle Jerviss @ 2014-05-23 17:32 ` Gregory Maxwell 0 siblings, 0 replies; 15+ messages in thread From: Gregory Maxwell @ 2014-05-23 17:32 UTC (permalink / raw) To: Kyle Jerviss; +Cc: Bitcoin Development On Fri, May 23, 2014 at 9:48 AM, Kyle Jerviss <bitcoin-devel@jerviss.org> wrote: > Multisig is great for irreversible actions, but pointless most of the > time, which is why no PGP developer or user ever thought to implement it. > > If you lose a key and an attacker signs a bogus email or commit with it, > we all roll back with no lasting harm done. PGP in general is not very thoughtful about security. There are a lot of things it does poorly. This is easily excusable considering the historical context it came from— it was the first real cryptographic tool I used, at the time its distribution had concerns about legality, just getting things into people's hands was an achievement enough. From a cryptosystem perspective much more powerful things can be done now, but there is a long way to go in figuring out how to many any cryptographic tool usable to people. PGP is a general purpose tool— which is the hardest kind to write— its also used in a lot of irreversible contexts: If your key deploys a bad software release and it steals everyone's data or wipes their disks— thats not an irreversible action by any means. If you want threshold pgp though— it's possible. The RSA cryptosystem is directly compatible with threshold cryptography. It's just that no one has written the tools. There are implementations of the bare cryptosystem however. One of my longer term would-be-nice goals for a upgrade bitcoin script 2.0 would be being thoughtful enough in the design that it could be adopted as a signing cryptosystem in other applications (e.g. tools similar to GPG)— allowing for things like creating a public key which can only issue trust level 0 certifications, only certifications for certain organizations (e.g. *.debian.org) unless thresholded with an offline key, or only signing for messages meeting a certain programmatic predicate generally. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Bitcoin-development] PSA: Please sign your git commits 2014-05-21 17:10 ` Wladimir 2014-05-21 20:30 ` Mark Friedenbach @ 2014-05-23 10:23 ` Wladimir 2014-06-09 15:34 ` Chris Beams 1 sibling, 1 reply; 15+ messages in thread From: Wladimir @ 2014-05-23 10:23 UTC (permalink / raw) To: Chris Beams; +Cc: Bitcoin Dev On Wed, May 21, 2014 at 7:10 PM, Wladimir <laanwj@gmail.com> wrote: > Hello Chris, > > On Wed, May 21, 2014 at 6:39 PM, Chris Beams <chris@beams.io> wrote: >> I'm personally happy to comply with this for any future commits, but wonder >> if you've considered the arguments against commit signing [1]? Note >> especially the reference therein to Linus' original negative opinion on >> signed commits [2]. > > Yes, I've read it. But would his alternative, signing tags, really > help us more here? How would that work? How would we have to structure > the process? I think a compromise - that is similar to signing tags but would still work with the github process, and leaves a trail after merge - would be: if you submit a stack of commits, only sign the most recent one. As each commit contains the cryptographic hash of the previous commit, which in turns contains the hash of that before it up to the root commit, signing every commit if you have multiple in a row is redundant. I'll update the document and put it in the repository. Wladimir ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Bitcoin-development] PSA: Please sign your git commits 2014-05-23 10:23 ` Wladimir @ 2014-06-09 15:34 ` Chris Beams 0 siblings, 0 replies; 15+ messages in thread From: Chris Beams @ 2014-06-09 15:34 UTC (permalink / raw) To: Wladimir, Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 2798 bytes --] An update on this topic: With the release of Git 2.0, automatic commit signing is now possible with the 'commit.gpgsign' configuration option [1]. This means that interactively rebased or cherry-picked commits are also re-signed on the fly. The absence of this ability in prior versions of Git meant that signing every commit wasn't a practical policy for anyone using rebase as a regular part of their local development workflow. Now it can be. Merging also works as expected with this feature turned on. One caveat I've identified thus far is a negative impact on speed when a large number of commits are involved. Any time you're signing a commit, you're interacting with the gpg-agent daemon, and this is roughly an order of magnitude slower than signing without committing. Speed without signing: $ echo '' >> README.md; time git commit -am"Test commit speed" --no-gpg-sign [...] real 0m0.031s and with: $ echo '' >> README.md; time git commit -am"Test commit speed" --gpg-sign [...] real 0m0.360s For a single commit, this slowdown is negligible as it is still well below sub-second. However, if one were rebasing a local development branch with dozens of commits, you can see how the time would quickly add up. Personally, I think that in practice I'll be willing to deal with with a few seconds' wait on those relatively rare occasions, and therefore I'm going to keep auto-signing enabled for now [2]. - Chris [1]: http://article.gmane.org/gmane.comp.version-control.git/250341 [2]: https://github.com/cbeams/dotfiles/commit/d7da74 On May 23, 2014, at 12:23 PM, Wladimir <laanwj@gmail.com> wrote: > On Wed, May 21, 2014 at 7:10 PM, Wladimir <laanwj@gmail.com> wrote: >> Hello Chris, >> >> On Wed, May 21, 2014 at 6:39 PM, Chris Beams <chris@beams.io> wrote: >>> I'm personally happy to comply with this for any future commits, but wonder >>> if you've considered the arguments against commit signing [1]? Note >>> especially the reference therein to Linus' original negative opinion on >>> signed commits [2]. >> >> Yes, I've read it. But would his alternative, signing tags, really >> help us more here? How would that work? How would we have to structure >> the process? > > I think a compromise - that is similar to signing tags but would still > work with the github process, and leaves a trail after merge - would > be: if you submit a stack of commits, only sign the most recent one. > > As each commit contains the cryptographic hash of the previous commit, > which in turns contains the hash of that before it up to the root > commit, signing every commit if you have multiple in a row is > redundant. > > I'll update the document and put it in the repository. > > Wladimir [-- Attachment #2: Message signed with OpenPGP using GPGMail --] [-- Type: application/pgp-signature, Size: 842 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Bitcoin-development] PSA: Please sign your git commits 2014-05-21 16:39 ` Chris Beams 2014-05-21 17:10 ` Wladimir @ 2014-05-21 20:25 ` David A. Harding 2014-05-22 1:09 ` Chris Beams 1 sibling, 1 reply; 15+ messages in thread From: David A. Harding @ 2014-05-21 20:25 UTC (permalink / raw) To: Chris Beams; +Cc: Bitcoin Dev On Wed, May 21, 2014 at 06:39:44PM +0200, Chris Beams wrote: > I [was] searching for a way to enable signing by default [...] > Unfortunately, there isn't one, meaning it's likely that most folks > will forget to do this most of the time. For all of my projects, I now I put this script in .git/hooks/post-commit and post-merge: #!/bin/bash -eu if ! git log -n1 --show-signature | grep -q 'gpg: Good signature' then yes "FORGOT TO SIGN COMMIT MESSAGE" exit 1 fi So anytime I forget to sign, I get an obvious error and can immediately run git commit --amend -S. To automatically add a script like the one above to all new projects (plus quickly add it old current projects), you can follow these instructions: http://stackoverflow.com/questions/2293498/git-commit-hooks-global-settings > If you're really serious about it, you should probably reject pull > requests without signed commits; otherwise, signing becomes > meaningless because only honest authors do it I find signing my commits quite useful even on projects without a default signing policy because it lets me diff from the last time I provably reviewed the code. Here's my script for that: #!/bin/bash -eu KEY=F29EC4B7 last_signed_commit=$( git log --topo-order --show-signature --pretty=oneline \ | grep -m1 " gpg: Signature made.*RSA key ID $KEY" \ | sed 's/ .*//' \ | grep . ) || { echo "No signed commit found. Dying..." ; exit 1 ; } set -x git diff $last_signed_commit By diffing against the last signed commit I made, I also review any commits that were made using my name but which I didn't actually make, such as squashes and rebases of my commits (and, of course, forgeries). For anyone who's bored and wants to read a lot of text, I think the definitive work on git signing is this: http://mikegerwitz.com/papers/git-horror-story.html -Dave -- David A. Harding ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Bitcoin-development] PSA: Please sign your git commits 2014-05-21 20:25 ` David A. Harding @ 2014-05-22 1:09 ` Chris Beams 0 siblings, 0 replies; 15+ messages in thread From: Chris Beams @ 2014-05-22 1:09 UTC (permalink / raw) To: David A. Harding; +Cc: Bitcoin Dev [-- Attachment #1.1: Type: text/plain, Size: 2714 bytes --] On May 21, 2014, at 10:25 PM, David A. Harding <dave@dtrt.org> wrote: > On Wed, May 21, 2014 at 06:39:44PM +0200, Chris Beams wrote: >> I [was] searching for a way to enable signing by default [...] >> Unfortunately, there isn't one, meaning it's likely that most folks >> will forget to do this most of the time. > > For all of my projects, I now I put this script in > .git/hooks/post-commit and post-merge: > > #!/bin/bash -eu > > if ! git log -n1 --show-signature | grep -q 'gpg: Good signature' > then > yes "FORGOT TO SIGN COMMIT MESSAGE" > exit 1 > fi Funny, I was just in the middle of writing a pre-push hook to do something similar when I decided to check my email :) Your post-commit approach is indeed simpler, so I've gone with it for the moment [1]. Thanks. However, I noticed in the process of testing that this approach messes with rebase workflows. For example: if I make several commits (all of which are properly signed), and then rebase to reorder them, rebase ends up hanging because it delegates to `commit` and the use of `yes` in the post-commit hook blocks forever. I've changed `yes` to `echo` to avoid this, but it still means that one must be rather diligent to keep signatures in place when rebasing. Gerwitz does address rebasing in the presence of commit sigs in the "horror story" doc you linked to [2], but there's no magic: this makes the whole rebasing process considerably more tedious, and linearly so with however many commits you're modifying. This may amount to a rationale for going with a pre-push hook after all, i.e. in order to defer the check for signatures until the last possible moment. This would allow for cheap iterative rebasing once again. I suppose the proper solution would be a `git config` option such as 'commit.sign', that if set to true would mean your commits are always signed, even if rebase is the one calling `commit`. This would obviate the need for the alias I mention below as well. > So anytime I forget to sign, I get an obvious error and can immediately > run git commit --amend -S. If one is already in the habit of using an alias for `commit` (I've long used `ci` for concision), the -S can be included in the alias: git config alias.ci 'commit -S' > To automatically add a script like the one above to all new projects (plus > quickly add it old current projects), you can follow these instructions: > > http://stackoverflow.com/questions/2293498/git-commit-hooks-global-settings This was a great tip, thanks! - Chris [1]: https://github.com/cbeams/dotfiles/commit/58d6942 [2]: http://mikegerwitz.com/papers/git-horror-story.html#_option_3 [-- Attachment #1.2: Type: text/html, Size: 3872 bytes --] [-- Attachment #2: Message signed with OpenPGP using GPGMail --] [-- Type: application/pgp-signature, Size: 842 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2014-06-09 15:34 UTC | newest] Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2014-05-21 12:23 [Bitcoin-development] PSA: Please sign your git commits Wladimir 2014-05-21 16:39 ` Chris Beams 2014-05-21 17:10 ` Wladimir 2014-05-21 20:30 ` Mark Friedenbach 2014-05-21 21:02 ` Gregory Maxwell 2014-05-22 18:06 ` Jeff Garzik 2014-05-23 0:25 ` Peter Todd 2014-05-23 7:12 ` Wladimir 2014-05-23 16:38 ` Mark Friedenbach 2014-05-23 16:48 ` Kyle Jerviss 2014-05-23 17:32 ` Gregory Maxwell 2014-05-23 10:23 ` Wladimir 2014-06-09 15:34 ` Chris Beams 2014-05-21 20:25 ` David A. Harding 2014-05-22 1:09 ` Chris Beams
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox