[Savannah-hackers-public] Re: GPG-Signed Commits proposal

[Derek Price]

Mark D. Baushke wrote:

> Sylvain Beucler <address@hidden> writes:
>
> >I wondered whether it would be possible to simply add commit
> >signatures to CVS (I'm getting challenged about that when trying to
> >improve the CVS installation at Savannah).
>
>
> I am in favor of having gpg signed commit information to CVS.


Me too.

> >The simplest way I though of, would be to sign my commit message, with
> >additional 'Headers' specifying the user name and a SHA-1/MD5 hash of
> >the file in the current revision (without keyword expansion).
>
>
> I believe that MD5 is not secure enough. I would suggest SHA-1 (or
> SHA-256) would be better.
>
> Other than that, yes adding such a signature to your log message would
> be the easiest method to get the information to the CVS server. As you
> say, you would need to play some games to get around keyword expansion
> problems.
>
> One gotcha might be that the log message itself may be changed at a
> later time using the 'cvs admin' command.


I think it would be best to add an RCS newphrase in the archive file for
storing signatures.  Old versions of CVS and RCS which don't understand
the newphrase would even ignore it.  See the recent addition of commit
ids for an example.

As for working around keywords, I don't think signing can be performed
securely with keywords in use at all.

For instance, consider the line in a function:

char *author = "$Author$";

If we decided to sign the -kk version of the file or even the -ko
version of the file, then a compromised server could send a line like:

char *author = "$Author: ";int gotcha = dosomethingnasty();char *dummy =
"$";

and a verfier which converted to -kk or -ko mode for verification would
hapily confirm the file was the original.

And don't forget, even if we decide to ignore keywords and tell folks
they can't use signing with keywords (a warning to set -ko mode from CVS
when keywords are detected may be in order), files will still need to be
converted to UNIX EOLs before sigining and verification on systems which
would have converted the EOLs for network transport.

> >How much time do you think it would take to a good CVS hacker to
> >implement this in CVS (or even code this as an external wrapper?). If
> >you think that's possible maybe I could implement a prototype myself.
>
>
> I am not sure how long it would take to hack CVS changes into place.


I don't think that this should be very complicated at all since RCS
keywords must be ignored by necessity.  Most of the necessary code for
EOL conversion and RCS newphrases should be inside CVS already and not
very complicated to hook into.  If you were to hook into the src/run.c
code for external GPG execution and trust the user to maintain their gpg
executable and keyring, I'd imagine a motivated developer could make
short work of this.

Derek
-- 
Derek R. Price
CVS Solutions Architect
Ximbiot <http://ximbiot.com>
v: +1 717.579.6168
f: +1 717.234.3125
<mailto:address@hidden>