Fossil SCM
In the verification recipe for ssh signing, do not silence a possible confirmation.
Commit
decad8811e9e464ebd0455fc79602cd8cc200d1a175a7b3148f2f91352373834
Parent
37606a21f2f2bdd…
1 file changed
+9
-10
| --- www/signing.md | ||
| +++ www/signing.md | ||
| @@ -1,24 +1,23 @@ | ||
| 1 | 1 | # Signing Check-ins |
| 2 | 2 | |
| 3 | 3 | Fossil can sign check-in manifests. A basic concept in public-key |
| 4 | 4 | cryptography, signing can bring some advantages such as authentication and |
| 5 | 5 | non-repudiation. In practice, a serious obstacle is the public key |
| 6 | -infrastructure - that is, the problem of reliably verifying that a given | |
| 6 | +infrastructure – that is, the problem of reliably verifying that a given | |
| 7 | 7 | public key belongs to its supposed owner (also known as _"signing is easy, |
| 8 | 8 | verifying is hard"_). |
| 9 | 9 | |
| 10 | 10 | Fossil neither creates nor verifies signatures by itself, instead relying on |
| 11 | -external tools that have to be installed side-by-side. | |
| 12 | -Historically, the most used tool for this task was [GnuPG](https://gnupg.org); | |
| 13 | -recently there has been an increase in the usage of | |
| 14 | -[OpenSSH](https://openssh.com) for this (the minimum required version is 8.1, | |
| 15 | -released on 2019-10-09). | |
| 11 | +external tools that have to be installed side-by-side. Historically, the tool | |
| 12 | +most employed for this task was [GnuPG](https://gnupg.org); recently, there has | |
| 13 | +been an increase in the usage of [OpenSSH](https://openssh.com) (the minimum | |
| 14 | +required version is 8.1, released on 2019-10-09). | |
| 16 | 15 | |
| 17 | 16 | ## Signing a check-in |
| 18 | 17 | |
| 19 | -When the `clearsign` setting is on, every check-in will be signed | |
| 18 | +The `clearsign` setting must be on; this will cause every check-in to be signed | |
| 20 | 19 | (unless you provide the `--nosign` flag to `fossil commit`). To this end, |
| 21 | 20 | Fossil calls the command given by the `pgp-command` setting. |
| 22 | 21 | |
| 23 | 22 | Fossil needs a non-detached signature that includes the rest of the usual |
| 24 | 23 | manifest. For GnuPG, this is no problem, but OpenSSH can currently (2024, |
| @@ -34,11 +33,11 @@ | ||
| 34 | 33 | (A possible interesting option to `gpg --clearsign` is `-u`, to specify the |
| 35 | 34 | user to be used for signing.) |
| 36 | 35 | |
| 37 | 36 | ### OpenSSH |
| 38 | 37 | |
| 39 | -A good value for `pgp-command` is | |
| 38 | +A reasonable value for `pgp-command` is | |
| 40 | 39 | |
| 41 | 40 | ``` |
| 42 | 41 | ssh-keygen -q -Y sign -n fossilscm -f ~/.ssh/id_ed25519 |
| 43 | 42 | ``` |
| 44 | 43 | |
| @@ -56,11 +55,11 @@ | ||
| 56 | 55 | |
| 57 | 56 | |
| 58 | 57 | ## Verifying a signature |
| 59 | 58 | |
| 60 | 59 | Fossil does not provide an internal method for verifying signatures and |
| 61 | -relies - like it does for signing - on external tools. | |
| 60 | +relies – like it does for signing – on external tools. | |
| 62 | 61 | |
| 63 | 62 | ### GnuPG |
| 64 | 63 | |
| 65 | 64 | Assuming you used the |
| 66 | 65 | default GPG command for signing, one can verify the signature using |
| @@ -85,11 +84,11 @@ | ||
| 85 | 84 | #### For Linux: |
| 86 | 85 | |
| 87 | 86 | ```bash |
| 88 | 87 | fsig=$(mktemp /tmp/__fsig.XXXXXX) && \ |
| 89 | 88 | fusr=$(fossil artifact <CHECK-IN> | awk -v m="${fsig}" -v s="${fsig}.sig" '/^-----BEGIN SSH SIGNED/{of=m;next} /^-----BEGIN SSH SIGNATURE/{of=s} /^U /{usr=$2} /./{if(!of){exit 42};print >> of} END{print usr}') && \ |
| 90 | -ssh-keygen -Y verify -f ~/.ssh/allowed_signers -I ${fusr} -n fossilscm -s "${fsig}.sig" < "${fsig}" > /dev/null 2>&1 || echo "No SSH signed check-in" && \ | |
| 89 | +ssh-keygen -Y verify -f ~/.ssh/allowed_signers -I ${fusr} -n fossilscm -s "${fsig}.sig" < "${fsig}" || echo "No SSH signed check-in" && \ | |
| 91 | 90 | rm -f "${fsig}.sig" "${fsig}" && \ |
| 92 | 91 | unset -v fsig fusr |
| 93 | 92 | ``` |
| 94 | 93 | |
| 95 | 94 | #### For Windows (cmd): |
| 96 | 95 |
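Review bot: dropping `> /dev/null 2>&1` at new line 89 is the right change, since it lets the confirmation and the error diagnostics of `ssh-keygen -Y verify` reach the user, but the fallback that follows is now misleading: `|| echo "No SSH signed check-in"` fires on any non-zero exit from the verify step, including a bad signature, a principal missing from `~/.ssh/allowed_signers` or a namespace mismatch, all cases in which a signed check-in does exist. Suggest wording it as "SSH signature verification failed"; the genuine no-signature case is already handled by awk's `exit 42` on line 88, which aborts the `&&` chain before verify runs (and, incidentally, leaves the `${fsig}` temp file from `mktemp` behind, so that path would benefit from a cleanup too). Minor: `-I ${fusr}` is unquoted, so a user name containing whitespace would be split into several arguments; `-I "${fusr}"` is safer.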