Re: [Savannah-hackers] Detached signatures for source files

[Laurence Finston]

Elfyn McBratney wrote:

> Hello,
> 
> Apologies for lumping the replies together, it's easier for me to keep track

> of them this way ;-)

It doesn't bother me.

> 
> On Saturday 25 Sep 2004 13:49, Brian Gough wrote:
> > "Laurence Finston" <address@hidden> writes:
> > > I'd like put a subdirectory in each subdirectory in my repository
> > > with a detached GPG signature for each source file.  Each signature
> > > file should have the same revision number as the corresponding
> > > source file.
> 
> This is possible.  We have a system where you can use triplicate directive 
> files that can specify a destination directory, the signed file and it's 
> signature.  It's not totally tested, but I guess you could test it out for 
> your project. :-)
> 

I'll be glad to, as long as I don't have to type in passphrases over and over
again.  Are there instructions available somewhere, or would you send them to
me?

> > Laurence, is this for a special application or are you trying to
> > implement a form of GPG commit signing?
> >

It's not a special application.  I just thought it would be a good idea to
supply signatures for my source files.  I already do so for one file.  When I
make significant changes, I run `make dist' and check in the tarball under the
name `/SNAPSHOTS/3DLDFsnp.tar.gz'.  I also check in a detached signature under
the name `/SNAPSHOTS/3DLDFsnp.tar.gz.sig'.  I do this for people who don't
have CVS;  like me, when I'm using the Windows PC I'm using now.

I think a form of GPG commit signing would be a good idea, especially if it
could be automated.  However, I'm not an expert on security.  Perhaps it might
just give people a false sense of security.  What do the experts say?

I do think it would be nice to be able to commit multiple files with different
log entries without having to type in my passphrase over and over.  Currently,
I mostly commit a whole batch at once with a single message.  I have a `/LOG/'
subdirectory in each of my subdirectories with a file containing the RCS log
for each of the source files in the directory above, if you follow.  This
isn't really ideal.  

> > For signing multiple files there is a gpg-agent in the development
> > version of GPG, but there may be better ways since signing the
> > contents of the files does not protect against metadata attacks.

I've been wondering what a gpg-agent is.  I've read the GPG handbook pretty
thoroughly, but if there's anything in there about it, I've missed it.  It
seems to me that the way one uses CVS via the Savannah interface is a bit
different from the way described in the CVS manual.  I admit that I'm not an
expert at using CVS, but I'm improving.  I use RCS for my own sources.  Nor do
I have any idea what a metadata attack is.

I realize that detached signatures don't guarantee security, but I thought
they might help a bit.  The key I use is different from the one that I use for
communicating with Savannah, so anyone who would want to corrupt my sources
would have to crack both Savannah and the machine on which the key is stored. 
Unless there are other ways of doing it, which is likely.  Also, I thought it
might help if I kept the signatures on another machine, too, in case Savannah
were to be cracked again.  Then the signatures could be used to check the
state of the files.

> 
> Yeah, there's also a gpg-agent howto in the FAQ at Savannah, in case it
helps 
> for this sorta' stuff. :-)

Thanks, I'll take a look at it.  I've seen a reference to it in the
instructions for using CVS on Savannah.  I've never looked at it, though,
because I don't have root privileges on any machine, so I can't install
anything myself.  

Thanks for your help.

Laurence