Smaller fixes
NicoHood committed Sep 24, 2017
1 parent ff5b453 commit 4ee493d
Showing 2 changed files with 24 additions and 16 deletions.
20 changes: 13 additions & 7 deletions Readme.md
@@ -3,7 +3,7 @@
![gpgit.png](img/gpgit.png)

# Introduction
As we all know, today more than ever before, it is crucial to be able to trust our computing environments. One of the main difficulties that package maintainers of Linux distributions face, is the difficulty to verify the authenticity and the integrity of the source code. With GPG signatures it is possible for packagers to verify source code releases quickly and easily.
As we all know, today more than ever before, it is crucial to be able to trust our computing environments. One of the main difficulties that package maintainers of GNU/Linux distributions face, is the difficulty to verify the authenticity and the integrity of the source code. With GPG signatures it is possible for packagers to verify source code releases quickly and easily.

#### Overview of the required tasks:
* Create and/or use a **[4096-bit RSA keypair][1]** for the file signing
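Review bot: the introduction line touched by this hunk still reads "One of the main difficulties ... is the difficulty to verify", which repeats itself; since the line is already being edited for the GNU/Linux rename, suggest "One of the main difficulties that package maintainers of GNU/Linux distributions face is verifying the authenticity and integrity of the source code."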
@@ -17,7 +17,7 @@ As we all know, today more than ever before, it is crucial to be able to trust o
### GPGit
[GPGit][12] is meant to bring GPG to the masses. It is not only a Python script that automates the process of [creating new signed Git releases with GPG][13], but also a [quick-start-guide][14] for learning how to use GPG. GPGit integrates perfectly with the [Github Release API][15] for uploading.

The security status of Linux projects will be tracked in the [Linux Security Database][16]. Thanks for your help in making Linux projects more secure by using GPG signatures.
The security status of GNU/Linux projects will be tracked in the [Linux Security Database][16]. If you have any further questions, do not hesitate to [contact me][17] personally. Thanks for your help in making GNU/Linux projects more secure by using GPG signatures.

[1]: https://github.com/NicoHood/gpgit#12-key-generation
[2]: https://github.com/NicoHood/gpgit#11-strong-unique-secret-passphrase
@@ -35,6 +35,7 @@ The security status of Linux projects will be tracked in the [Linux Security Dat
[14]: https://github.com/NicoHood/gpgit#gpg-quick-start-guide
[15]: https://github.com/NicoHood/gpgit#52-upload-to-github
[16]: https://github.com/NicoHood/LSD
[17]: http://contact.nicohood.de

## Index
* [Introduction](#introduction)
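Review bot: the new reference `[17]: http://contact.nicohood.de` is a plain-HTTP link in a README whose subject is the authenticity of what people download; if the site is reachable over TLS, use `https://` so the contact address itself cannot be rewritten in transit.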
@@ -108,7 +109,7 @@ Additional configuration can be made via [git config](https://git-scm.com/docs/g
```bash
git config --global gpgit.token <token>
git config --global gpgit.output ~/gpgit
git config --local gpgit.tar xz
git config --local gpgit.compression gzip
```

#### user.signingkey
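Review bot: renaming the config key from `gpgit.tar` to `gpgit.compression` silently drops any `git config gpgit.tar` value existing users have set, and nothing in this commit reads the old key as a fallback or mentions the rename; suggest either reading `gpgit.tar` when `gpgit.compression` is unset, or at least calling out the rename in the README so users know to migrate.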
@@ -117,8 +118,8 @@ Full GPG fingerprint to use for signing/verifying.
#### gpgit.output
Output path of the archive, signature and message digest. You can also set this option via parameter.

#### gpgit.tar
Archive compression option. Chose between "gz,gzip,xz,bz2,bzip2". Default: "xz"
#### gpgit.compression
Archive compression option. Chose between "gzip,xz,bzip2,lzip". Default: "xz"

#### gpgit.sha
Message digest algorithm. chose between "sha256,sha384,sha512". Default: "sha512"
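Review bot: "Chose between" in the new `gpgit.compression` line (and the lower-case "chose between" in the unchanged `gpgit.sha` line) should be "Choose between". The new value list also drops the `gz` and `bz2` spellings the old text offered; it is worth stating whether those are still accepted, since a user who configured `gz` under the old key will otherwise not know why the setting stops matching.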
@@ -169,6 +170,7 @@ GPGit guides you through 5 simple steps to get your software project ready with
Make sure that your new passphrase for the GPG key meets high security standards. If the passphrase/key is compromised all of your signatures are compromised too.

Here are a few examples how to keep a passphrase strong but easy to remember:
* [Creating a strong password](https://support.google.com/accounts/answer/32040?hl=en)
* [How to Create a Secure Password](https://open.buffer.com/creating-a-secure-password/)
* [Mooltipass](https://www.themooltipass.com/)
* [Keepass](http://keepass.info/)
@@ -215,9 +217,10 @@ To make the public key widely available, upload it to a key server. Now the user

```bash
# Publish key
gpg --keyserver hkps://pgp.mit.edu --send-keys <fingerprint>6
gpg --keyserver hkps://pgp.mit.edu --send-keys <fingerprint>

# Import key
# Alternative keyserver: hkps://hkps.pool.sks-keyservers.net
gpg --keyserver hkps://pgp.mit.edu --recv-keys <fingerprint>
```

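Review bot: the new `# Alternative keyserver: hkps://hkps.pool.sks-keyservers.net` comment sits under `# Import key`, but the alternative applies equally to the `--send-keys` command above it; move the comment above both commands (or mention setting `keyserver` once in `gpg.conf`) so readers do not assume it is only for importing. Good catch on the stray `6` after `<fingerprint>`.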
@@ -260,6 +263,9 @@ Git tags need to be created from the command line and always need a switch to en
# Creates a signed tag
git tag -s mytag

# Re-tag an older, unsigned tag
git tag -sf mytag mytag

# Verifies the signed tag
git tag -v mytag
```
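Review bot: `git tag -sf mytag mytag` only does what the comment says when the old `mytag` is a lightweight tag; if it was created with `git tag -a` (annotated but unsigned), the name resolves to the old tag object and the new signed tag will point at that object rather than at the commit. Suggest `git tag -sf mytag mytag^{}` so the target is peeled to the commit in both cases. The README should also say that a re-signed tag that was already pushed has to be force-pushed, and that clients which already fetched the old tag will not pick up the replacement automatically.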
@@ -285,7 +291,7 @@ git archive --format=tar --prefix gpgit-1.0.0 1.0.0 | cmp <(xz -dc gpgit-1.0.0.t
### 4.2 Sign the archive
Type the filename of the tarball that you want to sign and then run:
```bash
gpg --armor --detach-sign gpgit-1.0.0.tar.xz
gpg --digest-algo SHA512 --armor --detach-sign gpgit-1.0.0.tar.xz
```
**Do not blindly sign the Github source downloads** unless you have compared its content with the local files via `diff.` [[Read more]](https://wiki.archlinux.org/index.php/GnuPG#Make_a_detached_signature)

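Review bot: the README now hardcodes `--digest-algo SHA512` for manual signing, while the script's own sign call in this same commit still has `digest_algo='SHA512'` commented out as a TODO, so signatures made by hand and by `gpgit.py` will use different digests. Either wire the digest into the script (the comment there already points at `extra_args`) or leave the flag out of the README until the two match.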
20 changes: 11 additions & 9 deletions gpgit.py
@@ -327,7 +327,7 @@ def __init__(self, config, repo):
def analyze(self):
"""Analyze: Use Git with GPG"""
# Check if Git was already configured with a different key
if self.config['fingerprint'] is None:
if self.config['fingerprint'] is None or self.config['signingkey'] != self.config['fingerprint']:
self.config['config_level'] = 'global'
self.setstatus(1, 'TODO', 'Configuring {} Git GPG key' \
.format(self.config['config_level']))
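Review bot: the new `self.config['signingkey'] != self.config['fingerprint']` comparison is a plain string inequality, but `user.signingkey` is often stored as a long key ID, with a `0x` prefix, or with spaces, while `fingerprint` is the full 40-hex form; in that case the check fires and the tool moves on to reconfiguring the global Git key even though the same key is meant. Suggest normalising both sides (strip spaces and `0x`, upper-case, compare the key-ID suffix) before comparing. Since both values come from `user.signingkey` in `load_git_config`, a short comment noting that `fingerprint` can be overridden elsewhere would also explain why the comparison is needed at all.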
@@ -588,6 +588,7 @@ def substep2(self):
binary=not bool(self.config['armor']),
detach=True,
output=sigfilepath,
# extra_args --digest-algo algoname https://github.com/vsajip/python-gnupg/pull/4#issuecomment-312203310
#digest_algo='SHA512' #TODO v 2.x GPG module
)
if signed_data.fingerprint != self.config['fingerprint']:
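Review bot: the new comment records the workaround but the code still leaves `digest_algo` disabled, which contradicts the `--digest-algo SHA512` the README gains in this commit. If the installed python-gnupg accepts `extra_args` as the linked issue comment describes, passing `extra_args=['--digest-algo', 'SHA512']` here would close that gap now rather than waiting for a 2.x module; otherwise the README change should wait.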
@@ -672,6 +673,12 @@ def analyze(self):
return 'Error accessing Github API for project ' + self.config['project'] \
+ ' with username ' + self.config['username'] + '. Wrong token supplied?'

# TODO upstream need to merge PR: https://github.com/PyGithub/PyGithub/pull/525
if 'upload_asset' not in dir(self.release):
self.config['github'] = False
self.setstatus(2, 'WARN', 'Requires PyGithub fix #525')
return

# Check Release and its assets
try:
self.release = self.githubrepo.get_release(self.config['tag'])
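Review bot: the new `if 'upload_asset' not in dir(self.release)` check runs before `self.release = self.githubrepo.get_release(...)` in the `try` block just below it, so it inspects whatever `self.release` held before this point; if that is `None`, `dir(None)` never contains `upload_asset` and GitHub uploading is disabled on every run with a "Requires PyGithub fix #525" warning. Check the capability on the class instead (for example `hasattr(github.GitRelease.GitRelease, 'upload_asset')`) or move the check after the release has been fetched.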
@@ -683,13 +690,7 @@ def analyze(self):
return
else:
# Determine which assets need to be uploaded
try:
asset_list = [x.name for x in self.release.get_assets()]
except AttributeError:
self.config['github'] = False
self.setstatus(2, 'WARN', 'Requires PyGithub >= 1.35')
return

asset_list = [x.name for x in self.release.get_assets()]
for asset in self.assets:
if asset not in asset_list:
self.newassets += [asset]
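Review bot: removing the `try/except AttributeError` around `self.release.get_assets()` leaves that call unguarded, and the `upload_asset` check added earlier in this file does not cover it (they are different methods, and that check runs before the release is fetched). On a PyGithub old enough to lack `get_assets`, the `AttributeError` now propagates as an unhandled traceback instead of the previous "Requires PyGithub >= 1.35" warning; keep the guard, or fold both methods into one capability check.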
@@ -785,9 +786,10 @@ def load_git_config(self):
['username', 'user', 'name'],
['email', 'user', 'email'],
['fingerprint', 'user', 'signingkey'],
['signingkey', 'user', 'signingkey'],
['gpgsign', 'commit', 'gpgsign'],
['output', 'gpgit', 'output'],
['tar', 'gpgit', 'tar'],
['tar', 'gpgit', 'compression'],
['sha', 'gpgit', 'sha'],
['keyserver', 'gpgit', 'keyserver'], # TODO set to the fp once the key was checked once to speed things up
['github', 'gpgit', 'github'],
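Review bot: `['tar', 'gpgit', 'compression']` keeps the internal name `tar` for a setting the user now configures as `gpgit.compression`, which will confuse the next reader who searches for where `compression` is used; rename the internal key to `compression` in the same change. The new `['signingkey', 'user', 'signingkey']` entry reads the same Git key as the `fingerprint` entry directly above it; a one-line comment saying that `fingerprint` may later be overridden while `signingkey` preserves the value from Git config would make the duplication intentional rather than accidental.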