Re: [git patches] libata updates, GPG signed (but see admin notes)

From: Ingo Molnar
Date: Mon Oct 31 2011 - 04:42:36 EST
* Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:

> That said, even the "BEGIN PGP SIGNED MESSAGE" things are a massive
> pain in the butt. We need to automate this some sane way, both for
> the sender and for the recipient.

The most practical form would be if Git supported such oneliner pull
requests:

git pull git://foo.com bar.branch \
--pull-sha1 0acf00014bcfd71090c3b0d43c98e970108064e4 \
--gpg-by: "Ingo Molnar <mingo@xxxxxxxxxx>" \
--gpg-sig: 8a6f134afd1d212fe21345

maintainers could just paste them into a shell and it would abort if
it's not trusted. The maintainer verifies the visible, 'Ingo Molnar'
bit. The 8a6f134afd1d212fe21345 is a signed-by-Ingo-Molnar version of
this content:

git://foo.com bar.branch 0acf00014bcfd71090c3b0d43c98e970108064e4

And Git would verify that what ends up being pulled is indeed
0acf00014bcfd and also verifies that it was signed by me.

[ If we are extra diligent/paranoid then beyond the sha1 we might
even GPG sign the shortlog, or even the full raw log of all commits
leading to the sha1: this introduces some Git shortlog and patch
formatting version dependency though.

Git could also double check foo.com's DNS coherency, or check it
against a known-trusted whitelist of domain names specified in the
maintainer's .gitconfig, as an extra layer. ]

Doing it in this form would remove all the mail formatting madness -
one could paste such a pull request into a shell straight away, from
HTML email, from text email, from MIME email, etc.

In fact I would trust such a Git based solution far more than any
opaque, invisible tool that claims to have checked a signature with
cooperation of my mail client (ha!).

The only somewhat non-obvious bit is that Git should be *very*
careful about its key ID and signature parsing strategy, to protect
against social engineering attacks.

For example neither this:

--gpg-by: "Ingo Molnar <mingo@xxxxxxxxxx>"

nor this:

--pgp-by: "Ingo Molnar <mingo@xxxxxxxxxx>"

malicious pull request should slip through in any fashion:

- Git should only use keys that are in your ring of trust - not pull
keys from the public keyring automatically and just check
coherency of the pull request or such. [I'm sure people will be
tempted to have such a feature - but that temptation should be
resisted.]

- Git should abort the moment it sees an unknown option

Thanks,

Ingo
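As an added example (not code from the mail or from Git), a recipient-side checker for the proposed one-liner that implements the checks Ingo lists: abort on any unknown option such as "--pgp-by:", use only signers already in the ring of trust, verify the signature over the "url branch sha1" content, and confirm that what was fetched is the signed sha1. GPG is replaced by an HMAC and the keyring identity and key are constructed, purely to keep the example self-contained.

```python
import hashlib, hmac, re, shlex

# Constructed ring of trust: signer identity -> verification key. Real Git would hold GPG
# public keys here; a shared HMAC key stands in only to keep the example self-contained.
TRUSTED_KEYRING = {"Ingo Molnar <mingo@example.org>": b"constructed-demo-key"}
KNOWN_OPTIONS = {"--pull-sha1", "--gpg-by", "--gpg-sig"}
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

def sign_content(url, branch, sha1, key):
    # The signature covers exactly "url branch sha1", the content proposed in the mail.
    return hmac.new(key, f"{url} {branch} {sha1}".encode(), hashlib.sha256).hexdigest()

def make_request(url, branch, sha1, signer, key):
    # Sender side: emit the one-liner a maintainer could paste into a shell.
    sig = sign_content(url, branch, sha1, key)
    return (f"git pull {url} {branch} --pull-sha1 {sha1} "
            f"--gpg-by: {shlex.quote(signer)} --gpg-sig: {sig}")

def parse_request(cmdline):
    # Recipient, step 1: strict parsing. Unknown, repeated or missing options abort.
    argv = shlex.split(cmdline.replace("\\\n", " "))   # accept pasted line continuations
    if argv[:2] != ["git", "pull"] or len(argv) < 4:
        raise ValueError("not a git pull one-liner")
    url, branch, rest = argv[2], argv[3], argv[4:]
    if len(rest) % 2:
        raise ValueError("option without a value")
    opts = {}
    for name, value in zip(rest[::2], rest[1::2]):
        name = name.rstrip(":")                        # "--gpg-by:" and "--gpg-by" both accepted
        if name not in KNOWN_OPTIONS or name in opts:
            raise ValueError(f"unknown or repeated option {name!r}: aborting")
        opts[name] = value
    if set(opts) != KNOWN_OPTIONS:
        raise ValueError("pull request is missing a required option")
    if not SHA1_RE.match(opts["--pull-sha1"]):
        raise ValueError("--pull-sha1 is not a full 40-hex sha1")
    return url, branch, opts["--pull-sha1"], opts["--gpg-by"], opts["--gpg-sig"]

def verify_request(cmdline, fetched_head, keyring=TRUSTED_KEYRING):
    # Recipient, step 2: trusted keys only (never fetched), then signature, then fetched head.
    url, branch, sha1, signer, sig = parse_request(cmdline)
    key = keyring.get(signer)
    if key is None:
        raise ValueError(f"signer {signer!r} is not in the ring of trust")
    if not hmac.compare_digest(sign_content(url, branch, sha1, key).encode(), sig.encode()):
        raise ValueError("signature does not cover this url/branch/sha1")
    if fetched_head != sha1:
        raise ValueError("fetched head is not the signed sha1")
    return True
```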