fetch_git_signing_keys.sh: an attempt to store known signing keys and show which ones are not publicly available (unfound_keys_users.txt) #1804

Draft
wants to merge 1 commit into base: master

Conversation

tlaurion (Collaborator) commented Oct 2, 2024

An attempt (PoC) to keep past git commit signing keys under the Heads repo, since #1794 was opened.

See https://github.com/linuxboot/heads/blob/de5cc493662ed55b61c2e4de231589ca090528ff/git_signing_keys/README.md for Doc.

Note that each git commit signs the whole tree (think about blockchain if you will, as @JonathonHall-Purism specified under comment #1794 (comment)).


This experiment shows that some public keys were revoked/not on public servers. Doing multiple runs, selecting different key servers (randomly) to fetch different keys, confirms on the console that no keys are changed even if fetched from different servers. Imperfect, but better than nothing.

I do not intend to merge this PR, but some keys are missing and I agree: users trying to use `git log --show-signature` will see commits that cannot be validated even if they were signed with a valid public key in the past. This PR shows that some keys, still valid today, cannot easily be found publicly, and some used in the past are nowhere to be found anymore. The point is still that those were valid at time of merge and should one way or the other be part of something, somewhere, at least from now on? @JonathonHall-Purism thoughts?


This is the output of the file `unfound_keys_users.txt` from this experiment:

```text
user@heads-tests-deb12-nix:~/heads/git_signing_keys$ cat unfound_keys_users.txt 
Key 07609BDE4C8AEAB90F6EFCA94CA7B2A5D5C92A9C not found for user Devon Bautista <[email protected]>
Key 140BC0DEE3D6C93FBA88DE6E5401F9FC55CD2EA4 not found for user Rocky Breslow <[email protected]>
Key 1705719801234567 not found for user Trammell hudson <[email protected]>
Key 3A07364F010D7C71552FAFA687F342A528DFD8E5 not found for user Michał Kopeć <[email protected]>
Key 3E3D140D4439F0659D4A8FED20C3618D656E7853 not found for user Matthew Drobnak <[email protected]>
Key 48579AA47429663E not found for user Sergii Dmytruk <[email protected]>
Key 5FCA029DCAB21268 not found for user Trammell hudson <[email protected]>
Key 687A5005935B1533 not found for user Trammell hudson <[email protected]>
Key 924C1CD7C19D95FE7A577D2848579AA47429663E not found for user Sergii Dmytruk <[email protected]>
Key C7CFA251FF608213 not found for user Trammell Hudson <[email protected]>
```

Also linked to 3mdeb/3mdeb-secpack#75 for 3mdeb keys not being on public gpg key servers today. For other keys, not sure what to do but have this, written somewhere, to state that: those contributors' contributions were reviewed prior to merging, while @osresearch (Trammell Hudson) merged his own commits at the early stages of this project, when this repo was under https://github.com/osresearch/heads, and those bases were read, and read and read again, on which this project evolved. More discussions under #1794 (which will not happen in the short term; the reasons why are there as well).

… show which ones are not publicly available (unfound_keys_users.txt)

Signed-off-by: Thierry Laurion <[email protected]>
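As an added example (this is not the PR's `fetch_git_signing_keys.sh` and not Heads project code), the following POSIX shell script shows how the situation described in the PR surfaces in git itself: `git log`'s `%G?` placeholder reports `E` for a signature gpg cannot check (typically because the public key is not in the local keyring), and `%GK` carries the key ID gpg reported. The report function parses that output and lists each unverifiable key once with the committer identity, since gpg has no signer name for a key it does not have; a second function tries the listed keys against a keyserver and prints the resulting fingerprints so that runs against different servers can be compared. The default keyserver in `fetch_and_fingerprint` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; not the script from this PR and not Heads project code.
# Lists the signing keys in a git history whose signatures git cannot verify.
#
# git-log(1) placeholders used: %H hash, %G? signature status, %GK key ID
# reported by gpg, %cN/%cE committer name/email, %x09 a literal tab.
# %G? values: G good, U good/untrusted, X expired signature, Y expired key,
# R revoked key, B bad signature, E cannot be checked (e.g. no public key),
# N no signature. Tabs separate the fields so an empty %GK does not shift them.
LOG_FORMAT='%H%x09%G?%x09%GK%x09%cN <%cE>'

# Read one commit per line (LOG_FORMAT layout) from stdin and print, once per
# key, every key gpg could not check. For an "E" result gpg reports no signer
# name, so the committer identity (who created the commit object) is the best
# available proxy for "which contributor's key is missing".
unverifiable_keys() {
    awk -F '\t' '
        $2 == "E" && $3 != "" && !seen[$3]++ {
            printf "Key %s not found for user %s\n", $3, $4
        }'
}

# Same report for a real repository (needs git and gpg). $1 is the revision
# range; default is the whole history reachable from HEAD.
report_repo() {
    git log --format="$LOG_FORMAT" "${1:-HEAD}" | unverifiable_keys
}

# Take the report on stdin, try to fetch each key from the keyserver in $1
# (assumed default: hkps://keys.openpgp.org), and print the fingerprint gpg
# now holds, so that runs against different servers can be diffed. Keys a
# server does not have are reported as still missing.
fetch_and_fingerprint() {
    ks=${1:-hkps://keys.openpgp.org}
    awk '{ print $2 }' | while read -r key; do
        if gpg --batch --keyserver "$ks" --recv-keys "$key" >/dev/null 2>&1; then
            gpg --batch --with-colons --fingerprint "$key" \
                | awk -F: -v k="$key" '$1 == "fpr" { print k, $10; exit }'
        else
            echo "still missing: $key"
        fi
    done
}

# Constructed sample of LOG_FORMAT output (not from the Heads history):
# one good signature, one unsigned commit, and two commits signed with the
# same key that is absent from the keyring. printf reuses the format for
# every group of four arguments.
sample_log() {
    printf '%s\t%s\t%s\t%s\n' \
        1111111111111111111111111111111111111111 G FEDCBA9876543210 'Bob <bob@example.org>' \
        2222222222222222222222222222222222222222 E 0123456789ABCDEF 'Alice <alice@example.org>' \
        3333333333333333333333333333333333333333 N ''               'Carol <carol@example.org>' \
        4444444444444444444444444444444444444444 E 0123456789ABCDEF 'Alice <alice@example.org>'
}

# Offline demonstration; inside a clone, run
#   report_repo | fetch_and_fingerprint hkps://keyserver.ubuntu.com
# (server name assumed) and compare the output across servers.
sample_log | unverifiable_keys
```

Note that `%G?` only tells you the signature could not be checked; a key fetched later from a keyserver still has to be judged on its own merits (fingerprint matches the one the contributor published, not expired or revoked at the commit date), which is what the comparison across servers is meant to support.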
1 participant