# Signatures I have begun looking into using gpg signatures to verify fac commits and tags using git. There doesn't seem to be a consensus approach on how to use git for this purpose, so I am sort of figuring things out. This document and this whole business is currently a work in progress. This document has a quick "how to" section, and then a discussion of the issues, and my reasoning for this approach. ## The quick how-to You clone the fac repository as usual. If you are an expert, you can clone a tagged version and then verify that the tag was signed by my gpg key, which has the following fingerprint: 284D 4AF3 EAF7 F01C 449C 24F5 9E5E E4A9 339E 788B If you aren't an expert, you assume that you got a safe clone. If you are an expert, you also be asking me why you should trust that the bad guys haven't modified the above fingerprint. Either way, you just have to hope for the best with regard to github's security (or find a friend who knows me). Once you have a good clone of the repository, you can run your git commands with the wrapper script `git.py` ./git.py pull This will inform gpg to use a fac-specific keyring when it checks signatures, and will tell git to refuse the pull if the commit is not signed by someone authorized to commit to the repository. You need a pretty recent version of git to make pull verify the signatures. If you have an older version of git, you can use: git pull ./git.py log --show-signature and check manually that the log message indicates that the commit was signed. If you get a warning about permissions, you can fix this with chmod go-rwx .gnupg ## Rationalization The concept of the pgp web of trust is broken, and also (even if it worked) useless for determining trust with regard to software. The challenge of determining whether you trust me is pretty significant. When you choose to compile my software, you are showing a great deal of trust that I am not going to try to compromise your machine, and also that I have not let someone else compromise *my* machine, who might have the desire to compromise *your* machine. Such trust is not transitive. And really the web of trust only involves trust that the person's identity matches what their key says. Just because my name is David Roundy doesn't mean that you should let me install software on your computer---which is the choice you are making when you choose to compile and install fac. The combination of git with gpg enables you to verify just one thing: that given commits or tags were created by someone who has access to a certain secret key. They don't even do a very good job at that, since by default signatures are checked against every key in your public keychain, and conventional gnupg use involves not worrying about the "danger" of fetching a public key, since "trust" is distinct from having a copy of the key. So what do you gain by my use of gnupg to sign commits? You gain the knowledge that the same person (or someone with access to my computer and passphrase) made the changes as the guy who made the previous release. Since this is realistically all you're likely to be able to discern from my gnupg signatures, I have not uploaded my key to the keyservers. That would enable you to easily fetch it, but would also encourage you to easily fetch any number of attackers' keys, and stick them all together in the same spot. Instead, I'm putting a public keyring (with my public key) into the repository itself, along with a handy script to run git using just this keyring. Thus any signatures by other keys will be rejected. You wonder how to trust that this keyring hasn't been compromised? Sorry, there's no solution to that, other than an out-of-band avenue (such as possibly this webpage, see above). If fac becomes famous, I may publish abroad my gnupg fingerprint, so you can fetch it from mail archives, etc, and hope that the NSA hasn't compromised them *all*. If you know me personally (or want to meet me) my office is in 401B Weniger Hall on Oregon State University's campus in Corvallis, Oregon. You can visit with me and say "hi" and see if you've got the right keyring. You could try calling me on the phone, and then maybe you could decide if my voice sounds trustworthy. If you are able determine trustworthiness over the phone, I suggest you find a job in which you can make use of this super power. Or just get an alter ego and a superhero costume. You might wonder how you can tell if the keyring is compromised some time later. Eventually, I'd like to make my script able to verify on pull that any commit that modifies the keyring must be signed by a key in the previously existing keyring. Sadly, that sounds challenging. For now, I'm waiting for the next Debian release, which should have a git with the `--verify-signatures` option which enables it to refuse commits that have not been signed.