Posted to common-dev@hadoop.apache.org by Steve Loughran <st...@hortonworks.com> on 2017/02/24 11:36:02 UTC

gpg signing of commits

For the next few days I'm experimenting with the -S option on signing commits, which tells git to ask gpg to sign the commit, which will then somehow get the little yubikey plugged into my laptop to do the signing

Because I've uploaded the public bit of the key to my github repo, Github can authenticate that it really was me doing the commit

https://github.com/apache/hadoop/commit/9c22a91662af24569191ce45289ef8266e8755cc

and, if I'm trusted in your keyring, a git log --show-signature

 git log --show-signature 9c22a91662
commit 9c22a91662af24569191ce45289ef8266e8755cc
gpg: Signature made Fri 24 Feb 10:41:40 2017 GMT
gpg:                using RSA key 950CC3E032B79CA2
gpg: Good signature from "Steve Loughran <st...@apache.org>" [ultimate]
Author: Steve Loughran <st...@apache.org>
Date:   Fri Feb 24 10:41:36 2017 +0000

    HADOOP-14114 S3A can no longer handle unencoded + in URIs. Contributed by Sean Mackrory.

    (cherry picked from commit ff87ca84418a710c6dc884fe8c70947fcc6489d5)

You can also use GPG to sign a tag, then use git verify-tag to check the signature; this stops anyone being able to silently move a tag: you can move a tag, but then its signature is invalid

Will it help make our code and development process more secure? Not really, not if our build depends on pulling down artifacts from random places with an MD5 or SHA1 validation *at best*. And signing patches doesn't magically make the code inside secure. But it does at least add some chain of provenance to who actually put stuff in, rather than the logged committer of any patch being whoever that user chose to declare themselves to be.

I'm only doing this for the never-rebased branches, and of course when something gets cherry picked, the signature becomes invalid. I'll decide after a week or two whether it's a viable process. The opinions/experience of others would be useful here

-Steve

ps, key in question: https://pgp.mit.edu/pks/lookup?op=get&search=0x950CC3E032B79CA2
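One way to turn the "git log --show-signature" check above into something a release manager can run over a whole branch is to use git's own signature placeholders, %G? (one-letter status) and %GK (signing key id), and compare the result against an allow-list of committer keys. The script below is an added example for this thread, not code from the mail or from the Hadoop project; the allow-list policy, the two made-up SHAs in the sample output and the function names are constructed here. Only the first sample line mirrors the signed commit and key id shown in the mail.

```python
"""Audit commit signatures on a branch with git's %G? status codes.

Added example, not code from the Hadoop thread or the Hadoop project.
It runs

    git log --format='%H%x09%G?%x09%GK%x09%s' <range>

where %G? is git's one-letter signature status and %GK the id of the
signing key, and flags any commit that does not carry a good signature
from an allow-listed key. The allow-list and sample data are constructed.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Tuple

# Meaning of the %G? codes, as documented in git-log(1) under PRETTY FORMATS.
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, but the key is not trusted in this keyring",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (key missing?)",
    "N": "no signature",
}


@dataclass
class CommitSig:
    sha: str
    status: str   # one of the %G? codes above
    key_id: str   # %GK: long key id, empty when unsigned
    subject: str


def parse_log(output: str) -> List[CommitSig]:
    """Parse the tab-separated lines produced by the --format string above."""
    commits = []
    for line in output.splitlines():
        if not line.strip():
            continue
        # maxsplit=3 keeps any tabs inside the subject line intact
        sha, status, key_id, subject = line.split("\t", 3)
        commits.append(CommitSig(sha, status, key_id, subject))
    return commits


def audit(commits: List[CommitSig], trusted_keys) -> List[Tuple[str, str]]:
    """Return (sha, reason) for each commit that fails the policy.

    Policy: status must be 'G' and the signing key must be allow-listed.
    A commit cherry-picked without -S shows up as 'N', the case the mail
    warns about; 'git cherry-pick -S' re-signs the new commit with the
    cherry-picker's own key instead.
    """
    trusted = {k.upper() for k in trusted_keys}
    problems = []
    for c in commits:
        if c.status != "G":
            problems.append((c.sha, STATUS_MEANING.get(c.status, "unknown status " + c.status)))
        elif c.key_id.upper() not in trusted:
            problems.append((c.sha, "good signature, but key %s is not allow-listed" % c.key_id))
    return problems


def git_log_signatures(rev_range: str, repo: str = ".") -> List[CommitSig]:
    """Run git for real against a local checkout (needs git and gpg installed)."""
    cmd = ["git", "-C", repo, "log", "--format=%H%x09%G?%x09%GK%x09%s", rev_range]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_log(out)


def tag_signature_ok(tag: str, repo: str = ".") -> bool:
    """git verify-tag exits non-zero when the tag's signature is missing or bad,
    for example after the tag has been moved to a different commit."""
    return subprocess.run(["git", "-C", repo, "verify-tag", tag],
                          capture_output=True).returncode == 0


# Constructed sample output: the first line mirrors the signed commit from the
# mail; the other two SHAs are made up to show the failure cases.
SAMPLE_OUTPUT = (
    "9c22a91662af24569191ce45289ef8266e8755cc\tG\t950CC3E032B79CA2\t"
    "HADOOP-14114 S3A can no longer handle unencoded + in URIs.\n"
    "1111111111111111111111111111111111111111\tN\t\t"
    "constructed: cherry-picked without -S, so unsigned\n"
    "2222222222222222222222222222222222222222\tG\tAAAAAAAAAAAAAAAA\t"
    "constructed: signed, but by a key outside the allow-list\n"
)

# Constructed allow-list: only the key id shown in the mail.
TRUSTED_KEYS = ["950CC3E032B79CA2"]

if __name__ == "__main__":
    for sha, reason in audit(parse_log(SAMPLE_OUTPUT), TRUSTED_KEYS):
        print("%s  %s" % (sha[:12], reason))
    # Against a real checkout you would instead call, for example:
    # audit(git_log_signatures("origin/trunk~50..origin/trunk"), TRUSTED_KEYS)
```

Note that %G? reports "U" rather than "G" when the signature is good but the key is not trusted in the local keyring, so the keyring of the machine running the audit has to carry the committers' public keys (the mail's "if I'm trusted in your keyring" caveat) or every commit will be flagged.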



Re: gpg signing of commits

Posted by Steve Loughran <st...@hortonworks.com>.
On 24 Feb 2017, at 18:04, Owen O'Malley <om...@apache.org> wrote:

I think gpg signing of commits is a good practice. It also strongly
discourages rebasing on master and release branches, which is also a good
thing. On ORC, we try to sign all of our commits.

.. Owen


good to know it works. What are the troublespots?


FWIW, I'm actually keeping the key and its signage on this little toy
https://www.yubico.com/product/y4/

which works except on the newly rebuilt macbook pro, the "Vieullez entre votre Pin" prompts all appear in French. Either I fix that or I learn a bit of French I never knew before. No idea why



On Fri, Feb 24, 2017 at 3:36 AM, Steve Loughran <st...@hortonworks.com>
wrote:


For the next few days I'm experimenting with the -S option on signing
commits, which tells git to ask gpg to sign the commit, which will then
somehow get the little yubikey plugged into my laptop to do the signing

Because I've uploaded the public bit of the key to my github repo, Github
can authenticate that it really was me doing the commit

https://github.com/apache/hadoop/commit/9c22a91662af24569191ce45289ef8266e8755cc

and, if I'm trusted in your keyring, a git log --show-signature

git log --show-signature 9c22a91662
commit 9c22a91662af24569191ce45289ef8266e8755cc
gpg: Signature made Fri 24 Feb 10:41:40 2017 GMT
gpg:                using RSA key 950CC3E032B79CA2
gpg: Good signature from "Steve Loughran <stevel@apache.org>" [ultimate]
Author: Steve Loughran <st...@apache.org>
Date:   Fri Feb 24 10:41:36 2017 +0000

   HADOOP-14114 S3A can no longer handle unencoded + in URIs. Contributed
by Sean Mackrory.

   (cherry picked from commit ff87ca84418a710c6dc884fe8c70947fcc6489d5)

You can also use GPG to sign a tag, then use git verify-tag to check the
signature; this stops anyone being able to silently move a tag: you can
move a tag, but then its signature is invalid

Will it help make our code and development process more secure? Not
really, not if our build depends on pulling down artifacts from random
places with an MD5 or SHA1 validation *at best*. And signing patches
doesn't magically make the code inside secure. But it does at least add
some chain of provenance to who actually put stuff in, rather than the
logged committer of any patch being whoever that user chose to declare
themselves to be.

I'm only doing this for the never-rebased branches, and of course when
something gets cherry picked, the signature becomes invalid. I'll decide
after a week or two whether it's a viable process. The opinions/experience
of others would be useful here

-Steve

ps, key in question: https://pgp.mit.edu/pks/lookup?op=get&search=0x950CC3E032B79CA2


Re: gpg signing of commits

Posted by Owen O'Malley <om...@apache.org>.
I think gpg signing of commits is a good practice. It also strongly
discourages rebasing on master and release branches, which is also a good
thing. On ORC, we try to sign all of our commits.

.. Owen

On Fri, Feb 24, 2017 at 3:36 AM, Steve Loughran <st...@hortonworks.com>
wrote:

>
> For the next few days I'm experimenting with the -S option on signing
> commits, which tells git to ask gpg to sign the commit, which will then
> somehow get the little yubikey plugged into my laptop to do the signing
>
> Because I've uploaded the public bit of the key to my github repo, Github
> can authenticate that it really was me doing the commit
>
> https://github.com/apache/hadoop/commit/9c22a91662af24569191ce45289ef8266e8755cc
>
> and, if I'm trusted in your keyring, a git log --show-signature
>
>  git log --show-signature 9c22a91662
> commit 9c22a91662af24569191ce45289ef8266e8755cc
> gpg: Signature made Fri 24 Feb 10:41:40 2017 GMT
> gpg:                using RSA key 950CC3E032B79CA2
> gpg: Good signature from "Steve Loughran <stevel@apache.org>" [ultimate]
> Author: Steve Loughran <st...@apache.org>
> Date:   Fri Feb 24 10:41:36 2017 +0000
>
>     HADOOP-14114 S3A can no longer handle unencoded + in URIs. Contributed
> by Sean Mackrory.
>
>     (cherry picked from commit ff87ca84418a710c6dc884fe8c70947fcc6489d5)
>
> You can also use GPG to sign a tag, then use git verify-tag to check the
> signature; this stops anyone being able to silently move a tag: you can
> move a tag, but then its signature is invalid
>
> Will it help make our code and development process more secure? Not
> really, not if our build depends on pulling down artifacts from random
> places with an MD5 or SHA1 validation *at best*. And signing patches
> doesn't magically make the code inside secure. But it does at least add
> some chain of provenance to who actually put stuff in, rather than the
> logged committer of any patch being whoever that user chose to declare
> themselves to be.
>
> I'm only doing this for the never-rebased branches, and of course when
> something gets cherry picked, the signature becomes invalid. I'll decide
> after a week or two whether it's a viable process. The opinions/experience
> of others would be useful here
>
> -Steve
>
> ps, key in question: https://pgp.mit.edu/pks/lookup?op=get&search=0x950CC3E032B79CA2
>
>
>

Re: gpg signing of commits

Posted by Akira Ajisaka <aa...@apache.org>.
Thanks Steve for starting the discussion.
Now I commit and cherry-pick patches with the -S option and have not 
faced any problems.

-Akira

On 2017/02/24 20:36, Steve Loughran wrote:
>
> For the next few days I'm experimenting with the -S option on signing commits, which tells git to ask gpg to sign the commit, which will then somehow get the little yubikey plugged into my laptop to do the signing
>
> Because I've uploaded the public bit of the key to my github repo, Github can authenticate that it really was me doing the commit
>
> https://github.com/apache/hadoop/commit/9c22a91662af24569191ce45289ef8266e8755cc
>
> and, if I'm trusted in your keyring, a git log --show-signature
>
>  git log --show-signature 9c22a91662
> commit 9c22a91662af24569191ce45289ef8266e8755cc
> gpg: Signature made Fri 24 Feb 10:41:40 2017 GMT
> gpg:                using RSA key 950CC3E032B79CA2
> gpg: Good signature from "Steve Loughran <st...@apache.org>" [ultimate]
> Author: Steve Loughran <st...@apache.org>
> Date:   Fri Feb 24 10:41:36 2017 +0000
>
>     HADOOP-14114 S3A can no longer handle unencoded + in URIs. Contributed by Sean Mackrory.
>
>     (cherry picked from commit ff87ca84418a710c6dc884fe8c70947fcc6489d5)
>
> You can also use GPG to sign a tag, then use git verify-tag to check the signature; this stops anyone being able to silently move a tag: you can move a tag, but then its signature is invalid
>
> Will it help make our code and development process more secure? Not really, not if our build depends on pulling down artifacts from random places with an MD5 or SHA1 validation *at best*. And signing patches doesn't magically make the code inside secure. But it does at least add some chain of provenance to who actually put stuff in, rather than the logged committer of any patch being whoever that user chose to declare themselves to be.
>
> I'm only doing this for the never-rebased branches, and of course when something gets cherry picked, the signature becomes invalid. I'll decide after a week or two whether it's a viable process. The opinions/experience of others would be useful here
>
> -Steve
>
> ps, key in question: https://pgp.mit.edu/pks/lookup?op=get&search=0x950CC3E032B79CA2
>
>
>
