Git-signatures – Multiple PGP signatures for your commits (opens in new tab)

(github.com)

75 pointsCouto7y ago14 comments

14 comments

drybjed7y ago

A similar idea was described in 2015: https://grimoire.ca/git/detached-sigs

Ayesh7y ago

Looks like a really cool approach for git-tag based release management in a CI level.

TIL about git-notes which looks pretty neat.

whoisthisfor7y ago

Is there anything out there that doesn't need GPG? Having a working GPG install is a huge lift for developers.

angry_octet7y ago

I take this to mean: apart from the barnacles on GPG, could there be a system which does what GPG does for software development (signing), without the non-functioning web-of-trust of GPG, or the hierarchical system of x509 signing? Something that deals with lost keys, compromised keys/accounts, loss of DNS control, MitMing, MitBing, etc?

I think it is probably in the class of problems where there are no great foolproof solutions. However, I can imagine that techniques like certificate transparency (all signed x509 certificates pushed to a shared log) would be quite useful. Even blockchain techniques. Maybe send someone to check on me, I'm feeling unwell having written that.

westurner7y ago

> I think it is probably in the class of problems where there are no great foolproof solutions. However, I can imagine that techniques like certificate transparency (all signed x509 certificates pushed to a shared log) would be quite useful.

Securing DNS: "https://news.ycombinator.com/item?id=19181362"

> Certs on the Blockchain: "Can we merge Certificate Transparency with blockchain?" https://news.ycombinator.com/item?id=18961724

> Namecoin (decentralized blockchain DNS): https://en.wikipedia.org/wiki/Namecoin

1 more reply

fwip7y ago

keybase.io is a really solid approach for trusting that a given key is owned by a certain person. Basically, it's a centralized registry to list your keys, and you can publish proof of key-ownership on any website/social media that you own. So anyone can look up my public key from my twitter or github, and know that they're both me.

Some people object to it because it lets you store your keys with them (encrypted with a passphrase), but that's always been optional.

1 more reply

whoisthisfor7y ago

https://goo.gl/images/Mww5SR

You read my mind. I'd love if it could be rooted in a Yubikey.

Decoupling the "signing" and "verifying" parts seem like a good idea. As random Person signs something, how someone else figures out how to go trust that signature is a separate problem.

2 more replies

hhanesand7y ago

If you’re on Mac, GPG Suite suite really simplifies things.

mdaniel7y ago

You mean some process other than `brew install gnupg`, or do you mean the silliness around generating and publishing a key (and, of course, later renewing the key)?

j / k navigate · click thread line to collapse

14 comments

drybjed7y ago

A similar idea was described in 2015: https://grimoire.ca/git/detached-sigs

Ayesh7y ago

Looks like a really cool approach for git-tag based release management in a CI level.

TIL about git-notes which looks pretty neat.

whoisthisfor7y ago

Is there anything out there that doesn't need GPG? Having a working GPG install is a huge lift for developers.

angry_octet7y ago

westurner7y ago

Securing DNS: "https://news.ycombinator.com/item?id=19181362"

> Certs on the Blockchain: "Can we merge Certificate Transparency with blockchain?" https://news.ycombinator.com/item?id=18961724

> Namecoin (decentralized blockchain DNS): https://en.wikipedia.org/wiki/Namecoin

1 more reply

fwip7y ago

Some people object to it because it lets you store your keys with them (encrypted with a passphrase), but that's always been optional.

1 more reply

whoisthisfor7y ago

https://goo.gl/images/Mww5SR

You read my mind. I'd love if it could be rooted in a Yubikey.

Decoupling the "signing" and "verifying" parts seem like a good idea. As random Person signs something, how someone else figures out how to go trust that signature is a separate problem.

2 more replies

hhanesand7y ago

If you’re on Mac, GPG Suite suite really simplifies things.

mdaniel7y ago

You mean some process other than `brew install gnupg`, or do you mean the silliness around generating and publishing a key (and, of course, later renewing the key)?

j / k navigate · click thread line to collapse