←back to thread

Sign arbitrary data with your SSH keys

(www.agwa.name)
637 points h1x | 4 comments | 13 Nov 21 09:13 UTC | HN request time: 0.213s | source
1. GauntletWizard ◴[13 Nov 21 10:03 UTC] No.29208733[source]
That's pretty interesting. To some extent, it was possible even before - Support for converting SSH RSA Keys to OpenSSL formats is old old, and you can use those to encrypt/decrypt or sign/verify arbitrary data via the openssl command. In fact, AWS uses this in their Windows instances, to encrypt the Administrator password[1]

Definitely will mean some interesting things for Git workflows, though. I've long been in favor of requiring every commit to be signed, and making that easy to enforce either in merges or push hooks. On the other hand, Linus is publicly against it[2], with good reasoning, though I don't think compelling enough reason[3].

Signing every commit would completely break the common pattern of handling merges centrally. Most companies, unlike kernel development, have a centralized server with a "trunk" and code review is done as part of that. Signing every commit with your SSH key would break that model, badly, but it could instead be an opportunity to improve the git tooling.

One of my favorite features of the now-defunct Phabricator was that you typically merged your commits with `arc land`, which a) squashed and annotated your merge with the Phabricator code review metadata and b) Deleted your branch. The latter was especially handy, but the former made code review great. Github and Gitlab can do the same as part of their UI, but it would be far better if it were nicely integrated with your existing git workflow, and this would be the opportunity to add prepush hooks to nicely integrate with hosting sites and code review tools.

[1]https://docs.aws.amazon.com/cli/latest/reference/ec2/get-pas... [2]https://web.archive.org/web/20201111174438/http://git.661346... - There has to be a better archive of this mailing list than the wayback machine. Searching for this, though, led me to my previous comment[3] [3] https://news.ycombinator.com/item?id=12291462

replies(2): >>29208929 #>>29209305 #
2. rkeene2 ◴[13 Nov 21 10:53 UTC] No.29208929[source]
Fossil [0] can sign every commit [1] (with GPG or S/MIME) and have merges performed centrally because it never modifies history.

Git can probably also do this for certain merge modes ? I'm not very familiar with how this works in Git.

[0] https://fossil-scm.org/

[1] https://fossil-scm.org/home/help?cmd=clearsign

replies(1): >>29208988 #
3. errcorrectcode ◴[13 Nov 21 11:08 UTC] No.29208988[source]
Git can sign commits and tags.
4. fstelzer ◴[13 Nov 21 12:29 UTC] No.29209305[source]
I think if you trust your maintainer/central tool enough to merge code from your developers then i think you can also trust them to verify all the commit signatures they receive and then resign the resulting merge right? After all they could simply create all the commits they want themselves right? The authors commit signature from before the merge will be lost. If you use signed tags though the merge will retain the initial signature on merge in the merge message.

btw. i am also a great fan of the phabricator workflow :)