[fossil-users] 'signing' in fossil...
Q: what does it do, and how is it used, when would one want that in their workflow or not? I'm thoroughly versed in crypto in general, but I don't understand its use in the fossil workflow.

Any feedback is appreciated, and if I have overlooked some existing doc, by all means direct me to it with a link, or whatever as apropos.

Thanks!
-dave
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] 'signing' in fossil...
On Fri, Oct 10, 2014 at 11:32 AM, dave d...@ziggurat29.com wrote:

> Q: what does it do, and how is it used, when would one want that in their workflow or not? I'm thoroughly versed in crypto in general, but I don't understand its use in the fossil workflow.
>
> Any feedback is appreciated, and if I have overlooked some existing doc, by all means direct me to it with a link, or whatever as apropos.

Important artifacts, such as the manifest that describes a check-in, can be PGP clear-signed to prove that they really were created by somebody with access to the corresponding private key, and were not surreptitiously inserted by a third party trying to subvert the organization's process.

--
D. Richard Hipp
d...@sqlite.org
Re: [fossil-users] 'signing' in fossil...
-----Original Message-----
From: fossil-users-boun...@lists.fossil-scm.org [mailto:fossil-users-boun...@lists.fossil-scm.org] On Behalf Of Richard Hipp
... Fri, Oct 10, 2014 at 11:32 AM, dave d...@ziggurat29.com wrote:

>> Q: what does it do, and how is it used, when would one want that in their workflow or not? I'm thoroughly versed in crypto in general, but I don't understand its use in the fossil workflow.
>>
>> Any feedback is appreciated, and if I have overlooked some existing doc, by all means direct me to it with a link, or whatever as apropos.
. ..
> Important artifacts, such as the manifest that describes a check-in, can be PGP clear-signed to prove that they really were created by somebody with access to the corresponding private key, and were not surreptitiously inserted by a third party trying to subvert the organization's process.
...

Thanks; OK, well I guess I need to do some more reading so I can know what a 'manifest' is in this context, and then generate some more questions, such as 'where is the signature relative to the 'manifest' (or does it maybe make a pkcs7 out of the plaintext manifest), and how do I verify the signature', 'what is a 'clearsign'', etc.

No need to answer those here now -- I'll try to smarten-up first; unless of course there is a link or something to existing documentation.

-dave
Re: [fossil-users] 'signing' in fossil...
On Fri, Oct 10, 2014 at 12:05 PM, dave d...@ziggurat29.com wrote:

>> Important artifacts, such as the manifest that describes a check-in can be PGP clear-signed ...
>
> Thanks; OK, well I guess I need to do some more reading so I can know what a 'manifest' is in this context, and then generate some more questions, such as 'where is the signature relative to the 'manifest' (or does it maybe make a pkcs7 out of the plaintext manifest), and how do I verify the signature', 'what is a 'clearsign'', etc.

As a hint, here is an example of a clear-signed manifest:

www.fossil-scm.org/fossil/artifact/95e17f4e3f

Public keys can be checked into the repository so that anybody can verify the signature, if desired, though I've never done that for Fossil itself, that I recall.

--
D. Richard Hipp
d...@sqlite.org
Re: [fossil-users] 'signing' in fossil...
On Fri, Oct 10, 2014 at 6:05 PM, dave d...@ziggurat29.com wrote:

> Thanks; OK, well I guess I need to do some more reading so I can know what a 'manifest' is in this context, and

manifest = formal checkout record.

> then generate some more questions, such as 'where is the signature relative to the 'manifest' (or does it maybe make a pkcs7 out of the plaintext manifest), and how do I verify the signature', 'what is a 'clearsign'', etc.

The signature gets wrapped around the manifest, as shown in Richard's example. See also:

http://fossil-scm.org/index.html/doc/trunk/www/fileformat.wiki

Specifically, section 1.0.

--
- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal
Freedom is sloppy. But since tyranny's the only guaranteed byproduct of those who insist on a perfect world, freedom will have to do. -- Bigby Wolf
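
An added example, not part of the thread and not Fossil's own code: it separates a clear-signed manifest into the manifest text and the signature block wrapped around it, then checks the manifest's Z card. The Z-card rule (MD5 of all preceding lines) is taken from the file format document linked above; the function names and the sample manifest are constructed for illustration, and the signature itself still has to be checked with `gpg --verify` over the full wrapped text.

```python
import hashlib

SIGNED_HDR = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"


def unwrap_clearsigned(text):
    """Split a clear-signed artifact into (payload, signature_block).

    Returns (text, None) when there is no clear-sign wrapper.
    """
    lines = text.split("\n")
    if lines[0].strip() != SIGNED_HDR:
        return text, None
    try:
        # Armor headers ("Hash: SHA1", ...) end at the first empty line.
        body_start = lines.index("", 1) + 1
        sig_start = lines.index(SIG_BEGIN, body_start)
        sig_end = lines.index(SIG_END, sig_start)
    except ValueError:
        raise ValueError("malformed clear-signed wrapper") from None
    # Undo RFC 4880 dash-escaping: signed lines that began with "-"
    # were prefixed with "- " by the signer.
    body = [l[2:] if l.startswith("- ") else l
            for l in lines[body_start:sig_start]]
    # Assumption of this example: the payload keeps its final newline,
    # because every manifest card is newline-terminated.
    payload = "\n".join(body) + "\n"
    signature = "\n".join(lines[sig_start:sig_end + 1]) + "\n"
    return payload, signature


def zcard_ok(manifest):
    """Check the Z card: MD5 of everything before the final 'Z ' line.

    This is an integrity checksum only. Anyone who alters the manifest
    can recompute it, so proof of origin rests on the PGP signature.
    """
    idx = manifest.rfind("\nZ ")
    if idx < 0 or not manifest.endswith("\n"):
        return False
    prior = manifest[:idx + 1]        # up to and including the newline
    claimed = manifest[idx + 3:-1]    # hex digest on the Z line
    return hashlib.md5(prior.encode("utf-8")).hexdigest() == claimed


def build_sample():
    """Constructed sample: a minimal manifest inside a clear-sign wrapper."""
    cards = (
        "C Constructed\\sexample\\scheck-in\n"
        "D 2014-10-10T16:00:00.000\n"
        "U example-user\n"
    )
    manifest = cards + "Z " + hashlib.md5(cards.encode("utf-8")).hexdigest() + "\n"
    wrapped = (
        SIGNED_HDR + "\nHash: SHA1\n\n" + manifest
        + SIG_BEGIN + "\n\nPLACEHOLDER-NOT-A-REAL-SIGNATURE\n" + SIG_END + "\n"
    )
    return manifest, wrapped


if __name__ == "__main__":
    manifest, wrapped = build_sample()
    payload, signature = unwrap_clearsigned(wrapped)
    print(payload, end="")
    print("Z card matches:", zcard_ok(payload))
    print("signature block present:", signature is not None)
```
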
Re: [fossil-users] Signing
On Sat, May 26, 2012 at 2:30 PM, Gé Weijers g...@weijers.org wrote:

> When I sign a commit, it can mean multiple things:
>
> 1) I wrote this (authentication)
> 2) I approve this (authorization)
>
> In case 1, we have a one-to-one and immutable correspondence between signature and commit artifact. This signature is the one used to pin the blame on someone if you find a backdoor in the code :-(
>
> In case 2, there can be multiple signatures, some after the fact. These could be used to keep track of code reviews and/or manager approvals.
>
> Now if I'm signing your type 2 signature, what does that actually mean? I approve of you approving this? Signing type 1 signatures is just the 'authorization' type signature.

Yes, it would be an additional level of approval. But that's a process concern. Allowing signing of other signatures enables more types of processes.
Re: [fossil-users] Signing
On Fri, May 25, 2012 at 10:59 AM, Ron Wilson ronw.m...@gmail.com wrote:

> On top of that, could support signing one or more of the existing signatures at the time of signing.

When I sign a commit, it can mean multiple things:

1) I wrote this (authentication)
2) I approve this (authorization)

In case 1, we have a one-to-one and immutable correspondence between signature and commit artifact. This signature is the one used to pin the blame on someone if you find a backdoor in the code :-(

In case 2, there can be multiple signatures, some after the fact. These could be used to keep track of code reviews and/or manager approvals.

Now if I'm signing your type 2 signature, what does that actually mean? I approve of you approving this? Signing type 1 signatures is just the 'authorization' type signature.

--
Gé
Re: [fossil-users] Signing
On Sat, May 26, 2012 at 11:30:01AM -0700, Gé Weijers wrote:

> On Fri, May 25, 2012 at 10:59 AM, Ron Wilson ronw.m...@gmail.com wrote:
>
>> On top of that, could support signing one or more of the existing signatures at the time of signing.
>
> When I sign a commit, it can mean multiple things:
>
> 1) I wrote this (authentication)
> 2) I approve this (authorization)
>
> In case 1, we have a one-to-one and immutable correspondence between signature and commit artifact. This signature is the one used to pin the blame on someone if you find a backdoor in the code :-(
>
> In case 2, there can be multiple signatures, some after the fact. These could be used to keep track of code reviews and/or manager approvals.
>
> Now if I'm signing your type 2 signature, what does that actually mean? I approve of you approving this? Signing type 1 signatures is just the 'authorization' type signature.

Well, you can always have different signers and multiple signatures. One for authentication, one for authorisation.
Re: [fossil-users] Signing
On 5/23/12, Lluís Batlle i Rossell vi...@viric.name wrote:

> But what would you sign? The original tree? Comment updates? Tags? Dates? All until some point? What on later changes to the checkin?

To answer your last question, you can only sign what exists at the time of the signing.

In the simplest case, just sign the Manifest artifact. Each signature would be a Control artifact with a Signature tag, a Signer tag and a Signer-comment tag, both referring to the Manifest artifact (or maybe Signer-comment references its containing artifact). The signature would be on the Manifest artifact, the Signer, the signing date and the signer comment. Any number of signatures could be applied to the Manifest.

On top of that, could support signing one or more of the existing signatures at the time of signing.

For simplicity, a signature Control Artifact would only contain a single set of signing tags and refer to only a single Manifest and the list of other signatures for the same Manifest that are being over signed. This way the entire target artifacts could be signed.

If we then want to include other tags, I would suggest that the signing artifact include the tags (and their values) being signed. This way, the signer can simply view the effective tag values, optionally edit them, then submit the signature including the approved tags and values.

Unfortunately, signing tags then creates 2 classes of tags and associated complications.

When fetching the contents of a commit, it should be moderately easy to choose by querying on the signer, or presence of a signature. However, Fossil propagates tags based on most recent. Even simply selecting on most recently signed would likely add a very significant amount of complexity.
Re: [fossil-users] Signing
On 05/22/2012 12:11 PM, Lluís Batlle i Rossell wrote:

> No, that modifies a commit, doesn't it?

Rereading _Pro Git_, it modifies the commit message, and optionally the commit itself. Sorry.

--
The Doctor [412/724/301/703] [ZS]
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
Self-modifying code: Just because you can doesn't mean that you should.
Re: [fossil-users] Signing
On 5/22/12, Lluís Batlle i Rossell vi...@viric.name wrote:

> Yes, and there also appears a bit of discussion on what to sign. We may want to sign, among some:
> - The tree of files of a specific checkin (signing the checkin hash is enough)
> - The tree + comment + date + tags... that would mean a set of artifacts.
>
> I think the most flexible operation would be to sign a set of artifacts, but I've no idea how that can later be workable as in checking signatures.

One thing that I hope Fossil will do better than git is to allow additional signatures on a commit without invalidating any of the signatures (the git horror story claims that you can't sign an already signed commit because signing modifies the commit).

Ideally, it should be possible for each signature to either sign the actual commit or to sign the commit plus existing signatures (at the time of signing). This way, the committer can sign off on her/his code changes and approvers can sign off not only the code changes, but also the signatures of the committer and other approvers.
Re: [fossil-users] Signing
On Wed, May 23, 2012 at 12:29:09PM -0400, Ron Wilson wrote:

> On 5/22/12, Lluís Batlle i Rossell vi...@viric.name wrote:
>
>> Yes, and there also appears a bit of discussion on what to sign. We may want to sign, among some:
>> - The tree of files of a specific checkin (signing the checkin hash is enough)
>> - The tree + comment + date + tags... that would mean a set of artifacts.
>>
>> I think the most flexible operation would be to sign a set of artifacts, but I've no idea how that can later be workable as in checking signatures.
>
> One thing that I hope Fossil will do better than git is to allow additional signatures on a commit without invalidating any of the signatures (the git horror story claims that you can't sign an already signed commit because signing modifies the commit).
>
> Ideally, it should be possible for each signature to either sign the actual commit or to sign the commit plus existing signatures (at the time of signing). This way, the committer can sign off on her/his code changes and approvers can sign off not only the code changes, but also the signatures of the committer and other approvers.

But what would you sign? The original tree? Comment updates? Tags? Dates? All until some point? What on later changes to the checkin?
Re: [fossil-users] Signing
On Wed, May 23, 2012 at 6:35 PM, Lluís Batlle i Rossell vi...@viric.name wrote:

> But what would you sign? The original tree? Comment updates? Tags? Dates? All until some point? What on later changes to the checkin?

This is possibly a very naive question (i know painfully little about cryptography), but can a signature not simply be applied (non-invasively) to any given artifact ID, and then be compared later to the current contents of the referenced artifact? i.e. the signing being separate from (but dependent on) the artifact table data? This implies that the contents could still be tampered with, and could be used by the client, and that tampering would/could be revealed if the keys associated with the artifact are checked and fail to compare (logically an extra step, but i assume it would/could be integrated into the checkout process).

:-?

--
- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal
Re: [fossil-users] Signing
On Wed, May 23, 2012 at 06:40:28PM +0200, Stephan Beal wrote:

> On Wed, May 23, 2012 at 6:35 PM, Lluís Batlle i Rossell vi...@viric.name wrote:
>
>> But what would you sign? The original tree? Comment updates? Tags? Dates? All until some point? What on later changes to the checkin?
>
> This is possibly a very naive question (i know painfully little about cryptography), but can a signature not simply be applied (non-invasively) to any given artifact ID, and then be compared later to the current contents of the referenced artifact? i.e. the signing being separate from (but dependent on) the artifact table data? This implies that the contents could still be tampered with, and could be used by the client, and that tampering would/could be revealed if the keys associated with the artifact are checked and fail to compare (logically an extra step, but i assume it would/could be integrated into the checkout process).

That's what I proposed, signing *groups of* artifact IDs (and storing the signatures in artifacts IDs apart). But how to choose the artifacts in the group? How to determine easily the group of artifacts someone wants to sign? This is more an interface question.

And then, what to do when a checkin final view (comments, tags, ...) has part of artifacts signed, and part not?

Monotone has very clear rules about what to do with signatures, partial signatures regarding checkins, etc. It's all modeled around that. I'd like something, even if not that integrated into the usage, acceptable in fossil in terms of trust.

Even the git style of signing a tag is quite good and simple at once, and for the limits of git, it's very specific on what it signs. Fossil has much broader information to sign or trust, even for every checkin.

Regards,
Lluís.
[fossil-users] Signing
Hello,

in fossil, can I sign check-ins *after* having done the checkin, as we can edit commit logs, etc?

If not, it would be very nice.

Regards,
Lluís.
Re: [fossil-users] Signing
On Tue, May 22, 2012 at 10:33 AM, Lluís Batlle i Rossell vi...@viric.name wrote:

> Hello,
>
> in fossil, can I sign check-ins *after* having done the checkin, as we can edit commit logs, etc?
>
> If not, it would be very nice.

That is not a capability right now. But there are provisions in the file format to add this kind of thing, by creating a new kind of tag or property that specifies the signature.

> Regards,
> Lluís.

--
D. Richard Hipp
d...@sqlite.org
Re: [fossil-users] Signing
On 05/22/2012 10:35 AM, Richard Hipp wrote:

> That is not a capability right now. But there are provisions in the file format to add this kind of thing, by creating a new kind of tag or property that specifies the signature.

In other words, functionality similar to `git commit --amend`?

--
The Doctor [412/724/301/703] [ZS]
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
SERVER forgives.
Re: [fossil-users] Signing
On Tue, May 22, 2012 at 12:10:05PM -0400, The Doctor wrote:

> On 05/22/2012 10:35 AM, Richard Hipp wrote:
>
>> That is not a capability right now. But there are provisions in the file format to add this kind of thing, by creating a new kind of tag or property that specifies the signature.
>
> In other words, functionality similar to `git commit --amend`?

No, that modifies a commit, doesn't it?
Re: [fossil-users] Signing
On Tue, May 22, 2012 at 12:10 PM, The Doctor dr...@virtadpt.net wrote:

> On 05/22/2012 10:35 AM, Richard Hipp wrote:
>
>> That is not a capability right now. But there are provisions in the file format to add this kind of thing, by creating a new kind of tag or property that specifies the signature.
>
> In other words, functionality similar to `git commit --amend`?

It would be theoretically possible to amend a commit, as long as you have not pushed it out to other repositories. But after it is pushed, it is in the system so to speak, and cannot be recalled.

Note also that, unlike git, the default action of Fossil is to automatically push after commit. So by default this would never work in Fossil. Only if you disabled autosync would amending a commit ever be an option.

--
D. Richard Hipp
d...@sqlite.org
Re: [fossil-users] Signing
On Tue, May 22, 2012 at 01:21:31PM -0400, Richard Hipp wrote:

> On Tue, May 22, 2012 at 12:10 PM, The Doctor dr...@virtadpt.net wrote:
>
>> On 05/22/2012 10:35 AM, Richard Hipp wrote:
>>
>>> That is not a capability right now. But there are provisions in the file format to add this kind of thing, by creating a new kind of tag or property that specifies the signature.
>>
>> In other words, functionality similar to `git commit --amend`?
>
> It would be theoretically possible to amend a commit, as long as you have not pushed it out to other repositories. But after it is pushed, it is in the system so to speak, and cannot be recalled.
>
> Note also that, unlike git, the default action of Fossil is to automatically push after commit. So by default this would never work in Fossil. Only if you disabled autosync would amending a commit ever be an option.

Monotone can sign any given commit without 'changing' it, and I'd expect fossil to be able to do something similar.

I felt the need of signing in fossil after a friend showed me this article:
http://mikegerwitz.com/docs/git-horror-story.html

Regards,
Lluís.
Re: [fossil-users] Signing
On Tue, May 22, 2012 at 2:28 PM, Lluís Batlle i Rossell vi...@viric.name wrote:

> Monotone can sign any given commit without 'changing' it, and I'd expect fossil to be able to do something similar.

Correct. The file format is designed to support this. But the actual need has never come up so I have never gotten around to putting the necessary logic into the fossil.exe binary. You wanna try your hand at contributing a patch?

--
D. Richard Hipp
d...@sqlite.org
Re: [fossil-users] Signing
On Tue, May 22, 2012 at 02:39:05PM -0400, Richard Hipp wrote:

> On Tue, May 22, 2012 at 2:28 PM, Lluís Batlle i Rossell vi...@viric.name wrote:
>
>> Monotone can sign any given commit without 'changing' it, and I'd expect fossil to be able to do something similar.
>
> Correct. The file format is designed to support this. But the actual need has never come up so I have never gotten around to putting the necessary logic into the fossil.exe binary. You wanna try your hand at contributing a patch?

It is still not high in my priority list. :) I wanted some fossil features before, like having the 'attachments' text shown next to the attachment file names, or having text search features.

But it may happen that I get more paranoid and end up wanting the signing, who knows.
Re: [fossil-users] Signing
On Tue, May 22, 2012 at 12:27:49PM -0700, Andreas Kupries wrote:

> On 5/22/2012 11:28 AM, Lluís Batlle i Rossell wrote:
>
>> Monotone can sign any given commit without 'changing' it, and I'd expect fossil to be able to do something similar.
>>
>> I felt the need of signing in fossil after a friend showed me this article:
>> http://mikegerwitz.com/docs/git-horror-story.html
>
> Some discussion about the article is at http://news.ycombinator.com/item?id=4007229

Yes, and there also appears a bit of discussion on what to sign. We may want to sign, among some:
- The tree of files of a specific checkin (signing the checkin hash is enough)
- The tree + comment + date + tags... that would mean a set of artifacts.

I think the most flexible operation would be to sign a set of artifacts, but I've no idea how that can later be workable as in checking signatures.

The monotone people have this part much better planned, I think. :)

Regards,
Lluís.