From: "brian m. carlson" <sandals@crustytoothpaste•net>
To: Marrold <kamailio@marrold•co.uk>
Cc: git@vger•kernel.org
Subject: Re: Git Commit Signing
Date: Thu, 3 Apr 2025 22:08:19 +0000
Message-ID: <Z-8G025UUC3KpRjw@tapette.crustytoothpaste.net>
In-Reply-To: <CAC-Lcd-=_dVmyy0x9N+5ap4h7UQrfkVpJaCtZnoMrkxabVR1dg@mail.gmail.com>


On 2025-04-03 at 20:41:47, Marrold wrote:
> Hi all,
> 
> I'm attempting to manually verify git commits signed with SSH keys
> using python, however verifying commits consistently fails, no matter
> what I try.
> 
> The python verification logic has been tested against signatures
> produced with ssh-keygen and confirmed to be working.
> 
> I suspect I'm constructing the message incorrectly to check against
> the signature. As far as I know, the message should look like this,
> with the gpgsig section removed.
> 
>     tree ff5ee8caaf2893a79711151b2937130469d83d39
>     parent 3e84a21590a5ad714d168878abc95218d0e42cac
>     author Matthew H <git@marrold•co.uk> 1743454803 +0100
>     committer Matthew H <git@marrold•co.uk> 1743454803 +0100
> 
>     Commit message
> 
> Could someone point me in the right direction? I'm wondering if it's
> hashed or encoded prior to signing.

The message is not hashed or encoded.  It is exactly the same object as
the regular commit except without the `gpgsig` or `gpgsig-sha256`
header.  Note that that header has continuation lines starting with a
space that are also excluded.

So if we take this commit at the tip of my dotfiles:

----
tree 81c2ccabf6c21c811da7c7f1ecc0dd2019ebf2a2
parent 760a2559269f6acccd1d696cbfc2447d33447e1c
author brian m. carlson <sandals@crustytoothpaste•net> 1743470407 +0000
committer brian m. carlson <sandals@crustytoothpaste•net> 1743470407 +0000
gpgsig -----BEGIN PGP SIGNATURE-----

 wr0EABYKAG8FgmfrP2QJEHwMSWKIh6KBRxQAAAAAAB4AIHNhbHRAbm90YXRpb25z
 LnNlcXVvaWEtcGdwLm9yZ+07Eq2NxeydVlLrWYwgP09Iw8vhBE/bPFShPSulPcqa
 FiEECCzmip28ZfuD0cORfAxJYoiHooEAAJAwAQDtYPttuP1LW9ZqyWuGNM4epDNm
 3IyV2nezfAXxvVkB3wEAsk5U8d3Pq4GHNtE/QMc5FQ0uyI7FThHryBF6HYoLyAY=
 =ZROA
 -----END PGP SIGNATURE-----

vimrc: enable virtual text in Neovim

In Neovim 0.11, virtual text is disabled by default.  Since we'd like to
use it if it's available, enable it explicitly.  If it's not available,
then the option will be ignored.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste•net>
----

then the commit body that's subject to verification is this:

----
tree 81c2ccabf6c21c811da7c7f1ecc0dd2019ebf2a2
parent 760a2559269f6acccd1d696cbfc2447d33447e1c
author brian m. carlson <sandals@crustytoothpaste•net> 1743470407 +0000
committer brian m. carlson <sandals@crustytoothpaste•net> 1743470407 +0000

vimrc: enable virtual text in Neovim

In Neovim 0.11, virtual text is disabled by default.  Since we'd like to
use it if it's available, enable it explicitly.  If it's not available,
then the option will be ignored.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste•net>
----

There can definitely be extra headers in the commit, so you can't assume
it will always be just those, nor can you assume that the headers
(including the signature header) will be in any particular order.

Do you have an example commit, key, and command line invocation that you
can show us to help pinpoint the problem?  I ask because ssh-keygen
doesn't exactly present the most intuitive interface and it's easy to
make a mistake in invocation.
-- 
brian m. carlson (they/them)
Toronto, Ontario, CA
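Putting the rule above into code, as an added example that is not part of this thread: the function below takes a raw commit object (the output of `git cat-file commit <rev>`) and returns the bytes the signature covers together with the reassembled signature armor. The sample commit and its signature body are constructed placeholders, not a real signature.

```python
# Added example, not code from the thread. Split a raw git commit object into
# the payload a signature covers and the signature itself: drop the
# `gpgsig`/`gpgsig-sha256` header with its continuation lines (lines that
# begin with a space), keep every other header in its original order, and
# leave the commit message untouched.
from typing import List, Optional, Tuple

SIGNATURE_HEADERS = (b"gpgsig", b"gpgsig-sha256")


def split_signed_commit(raw: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Return (payload, signature); signature is None for unsigned commits."""
    if b"\n\n" not in raw:
        raise ValueError("not a commit object: no header/message separator")
    headers, message = raw.split(b"\n\n", 1)
    kept: List[bytes] = []
    sig_lines: List[bytes] = []
    in_sig = False
    for line in headers.split(b"\n"):
        if line.startswith(b" "):
            # Continuation of the previous header. Git stores an empty line
            # inside a multi-line header value as a single space, so dropping
            # that space restores the original (possibly empty) armor line.
            if in_sig:
                sig_lines.append(line[1:])
            else:
                kept.append(line)  # e.g. a mergetag header's continuation
            continue
        name, _, value = line.partition(b" ")
        in_sig = name in SIGNATURE_HEADERS
        if in_sig:
            sig_lines.append(value)
        else:
            kept.append(line)  # any other header, in whatever order it came
    payload = b"\n".join(kept) + b"\n\n" + message
    signature = b"\n".join(sig_lines) + b"\n" if sig_lines else None
    return payload, signature


# Constructed sample: real tree/parent ids from the commit quoted above, a
# placeholder author, and a fake SSH signature body. The gpgsig header is
# deliberately placed before committer to show that order does not matter.
SAMPLE = (
    b"tree 81c2ccabf6c21c811da7c7f1ecc0dd2019ebf2a2\n"
    b"parent 760a2559269f6acccd1d696cbfc2447d33447e1c\n"
    b"author A U Thor <author@example.com> 1743470407 +0000\n"
    b"gpgsig -----BEGIN SSH SIGNATURE-----\n"
    b" U1NIU0lHAAAAAQAAAEXAMPLEONLY\n"
    b" -----END SSH SIGNATURE-----\n"
    b"committer A U Thor <author@example.com> 1743470407 +0000\n"
    b"\n"
    b"vimrc: enable virtual text in Neovim\n"
)
```

The returned payload is what `ssh-keygen -Y verify -n git -f <allowed_signers> -I <signer> -s <sigfile>` reads on standard input, with the returned signature written to `<sigfile>`.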
