mirror of
https://github.com/git/git.git
synced 2024-04-28 13:15:10 +02:00
facca53ac3
To verify a ssh signature we first call ssh-keygen -Y find-principal to look up the signing principal by their public key from the allowedSignersFile. If the key is found then we do a verify. Otherwise we only validate the signature but can not verify the signers identity. Verification uses the gpg.ssh.allowedSignersFile (see ssh-keygen(1) "ALLOWED SIGNERS") which contains valid public keys and a principal (usually user@domain). Depending on the environment this file can be managed by the individual developer or for example generated by the central repository server from known ssh keys with push access. This file is usually stored outside the repository, but if the repository only allows signed commits/pushes, the user might choose to store it in the repository. To revoke a key put the public key without the principal prefix into gpg.ssh.revocationKeyring or generate a KRL (see ssh-keygen(1) "KEY REVOCATION LISTS"). The same considerations about who to trust for verification as with the allowedSignersFile apply. Using SSH CA Keys with these files is also possible. Add "cert-authority" as key option between the principal and the key to mark it as a CA and all keys signed by it as valid for this CA. See "CERTIFICATES" in ssh-keygen(1). Signed-off-by: Fabian Stelzer <fs@gigacodes.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
77 lines
3.6 KiB
Plaintext
77 lines
3.6 KiB
Plaintext
gpg.program::
|
|
Use this custom program instead of "`gpg`" found on `$PATH` when
|
|
making or verifying a PGP signature. The program must support the
|
|
same command-line interface as GPG, namely, to verify a detached
|
|
signature, "`gpg --verify $signature - <$file`" is run, and the
|
|
program is expected to signal a good signature by exiting with
|
|
code 0, and to generate an ASCII-armored detached signature, the
|
|
standard input of "`gpg -bsau $key`" is fed with the contents to be
|
|
signed, and the program is expected to send the result to its
|
|
standard output.
|
|
|
|
gpg.format::
|
|
Specifies which key format to use when signing with `--gpg-sign`.
|
|
Default is "openpgp". Other possible values are "x509", "ssh".
|
|
|
|
gpg.<format>.program::
|
|
Use this to customize the program used for the signing format you
|
|
chose. (see `gpg.program` and `gpg.format`) `gpg.program` can still
|
|
be used as a legacy synonym for `gpg.openpgp.program`. The default
|
|
value for `gpg.x509.program` is "gpgsm" and `gpg.ssh.program` is "ssh-keygen".
|
|
|
|
gpg.minTrustLevel::
|
|
Specifies a minimum trust level for signature verification. If
|
|
this option is unset, then signature verification for merge
|
|
operations require a key with at least `marginal` trust. Other
|
|
operations that perform signature verification require a key
|
|
with at least `undefined` trust. Setting this option overrides
|
|
the required trust-level for all operations. Supported values,
|
|
in increasing order of significance:
|
|
+
|
|
* `undefined`
|
|
* `never`
|
|
* `marginal`
|
|
* `fully`
|
|
* `ultimate`
|
|
|
|
gpg.ssh.defaultKeyCommand:
|
|
This command that will be run when user.signingkey is not set and a ssh
|
|
signature is requested. On successful exit a valid ssh public key is
|
|
expected in the first line of its output. To automatically use the first
|
|
available key from your ssh-agent set this to "ssh-add -L".
|
|
|
|
gpg.ssh.allowedSignersFile::
|
|
A file containing ssh public keys which you are willing to trust.
|
|
The file consists of one or more lines of principals followed by an ssh
|
|
public key.
|
|
e.g.: user1@example.com,user2@example.com ssh-rsa AAAAX1...
|
|
See ssh-keygen(1) "ALLOWED SIGNERS" for details.
|
|
The principal is only used to identify the key and is available when
|
|
verifying a signature.
|
|
+
|
|
SSH has no concept of trust levels like gpg does. To be able to differentiate
|
|
between valid signatures and trusted signatures the trust level of a signature
|
|
verification is set to `fully` when the public key is present in the allowedSignersFile.
|
|
Therefore to only mark fully trusted keys as verified set gpg.minTrustLevel to `fully`.
|
|
Otherwise valid but untrusted signatures will still verify but show no principal
|
|
name of the signer.
|
|
+
|
|
This file can be set to a location outside of the repository and every developer
|
|
maintains their own trust store. A central repository server could generate this
|
|
file automatically from ssh keys with push access to verify the code against.
|
|
In a corporate setting this file is probably generated at a global location
|
|
from automation that already handles developer ssh keys.
|
|
+
|
|
A repository that only allows signed commits can store the file
|
|
in the repository itself using a path relative to the top-level of the working tree.
|
|
This way only committers with an already valid key can add or change keys in the keyring.
|
|
+
|
|
Using a SSH CA key with the cert-authority option
|
|
(see ssh-keygen(1) "CERTIFICATES") is also valid.
|
|
|
|
gpg.ssh.revocationFile::
|
|
Either a SSH KRL or a list of revoked public keys (without the principal prefix).
|
|
See ssh-keygen(1) for details.
|
|
If a public key is found in this file then it will always be treated
|
|
as having trust level "never" and signatures will show as invalid.
|