Using PGP with GIT

(and why you should care)

Konstantin Ryabitsev

The Linux Foundation

kernel.org

LOL WAT, PGP?

Git is not a blockchain

  • YES "Chain"
  • NO: "Block"
  • Also NO: proof

git blame-someone-else

How much do you trust:

  • Your teammates?
  • Your bosses?
  • Other members of your FOSS project?
  • Administrators of GitHub?
    • ... of Microsoft?

Can push = can spoof

(certain conditions apply)

in 2011 kernel.org was breached

(but it's okay)

object 17b57b1883c1285f3d0dc2266e8f79286a7bef38
type commit
tag v4.19-rc6
tagger Greg Kroah-Hartman <gregkh@linuxfoundation.org> 1538318530 -0700

This is the 4.19-rc6 release
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAluw4MIACgkQONu9yGCS
[...]
=dMl4
-----END PGP SIGNATURE-----

git cat-file -p v4.19-rc6

what we've assured:

  1. object hash
  2. tag string
  3. tag message
tree 8985bd35269204c126b193d721cc260d740367fd
parent 9a10b063758c756a4d60d63acb890c27d03c9bef
author Greg Kroah-Hartman <gregkh@linuxfoundation.org> 1538316935 -0700
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org> 1538316935 -0700

Linux 4.19-rc6

git cat-file -p 17b57b18

what we've assured:

  1. tree hash
  2. parent commit hash
  3. author info
  4. committer info
  5. commit message
[...]
100644 blob da4cb28febe66172a9fdf1a235525ae6c00cde1d    COPYING
100644 blob 5befd2d714d0037548bed049a979dc4fcee1d300    CREDITS
040000 tree d573ed6502044d1cbc9860e3a34b7687652bfd9b    Documentation
100644 blob 00530420548225a8b26a36f504d9aa00468ddb42    Kbuild
[...]

git cat-file -p 8985bd35

what's in a tree hash?

what we've assured:

  1. contents of toplevel dir
    • (perms, types, sums, names)
  2. hashes of subdirs
    • (perms, types, sums, names)

Changing anything in a repository will result in a different tree hash

Changing anything about a commit (author, date, tree, etc) will result in a different
commit hash

Changing anything in the repository history (including adding/removing commits)
will result in a different
parent commit hash

signed git tags

When you sign a git tag, you create a cryptographic assurance that a cloned repository (and its entire history) are exactly, byte-for-byte, the same as on the developer's system.

git tag -s

Nature's immutable crypto chain

git commit -S

You can also sign commits:

  1. you can protect the entire tree by signing the tip commit
  2. useful when multiple people push into the same repository
  3. great for digital forensics
  4. also handy for people cherry-picking your commits

Protect your keys

You should treat your PGP keys as your developer's proof of identity:

  1. Store the master key offline
  2. Put the subkeys onto a hardware token
    1. Yubikey
    2. Nitrokey
    3. SmartCard

We have a handy doc!

https://github.com/lfit/itpol/

It covers all you need to know:

  • PGP basics and best practices
  • How to use PGP with Git
  • How to protect your developer accounts

https://github.com/lfit/itpol/

Thank you!

https://github.com/lfit/itpol/