From: "Shawn O. Pearce" <spearce@spearce.org>
To: Sam Vilain <sam@vilain.net>
Cc: Pierre Habouzit <madcoder@debian.org>, git@vger.kernel.org
Subject: Re: [RFC] Authenticate push via PGP signature, not SSH
Date: Wed, 30 Jan 2008 01:16:05 -0500
Message-ID: <20080130061605.GQ24004@spearce.org>
In-Reply-To: <47A01162.7070503@vilain.net>
Sam Vilain <sam@vilain.net> wrote:
> Shawn O. Pearce wrote:
> > I just read the GnuPG manual and you are obviously correct. The only
> > way to get GnuPG to process a key is to load it onto a keyring.
> > We could extract the armored (or binary) public key and load it
> > onto a temporary keyring created just for the purpose of verifying
> > this connection, but that's rather messy.
>
> It should be fine just to throw the lot into a single keyring, and just
> check which key verified it after the fact and whether that key was allowed.
>
> The Perl Crypt::OpenPGP module doesn't suffer from this problem (and is
> performant), though it suffers from a dependency stack that will hurt
> everyone except Debian users ;-).
Heh. One of my Gentoo boxes seems to claim this would be an easier
emerge than the Qt3 emerge that it keeps trying to do, and failing,
for the past week and a half. But yea, I don't have half the stuff
it's asking for installed.
> >> $ gpg --keyring path/to/the/keyring.gpg --quiet --batch --status-fd 1 --verify some-file.tar.gz.gpg 2>|/dev/null
> >> [GNUPG:] SIG_ID dw0VliO0DFjOQA3HUSHijYekQYY 2008-01-29 1201633002
> >> [GNUPG:] GOODSIG BC6AFB5BA1EE761C Pierre Habouzit <pierre.habouzit@polytechnique.edu>
> >> [GNUPG:] VALIDSIG 72B4C59ADA78D70E055C129EBC6AFB5BA1EE761C 2008-01-29 1201633002 0 3 0 17 2 00 72B4C59ADA78D70E055C129EBC6AFB5BA1EE761C
> ^^^ there GPG just told you which key was used.
Yup. I think that's what we'll have to do. But managing the keyring
is (I think) something we need to solve. It should be able to be
done remotely, assuming you have authority, and ideally through
standard Git channels.
If we're going to the trouble of effectively replacing SSH for
authenticated Git object push (at least for stuff that is open
source and thus doesn't require privacy during upload) we might
as well make sure it can actually be managed too.
--
Shawn.
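The point made above (load everything into one keyring, then check which key actually verified the signature and whether that key is allowed) is easy to get wrong if a script only greps for GOODSIG. The following is an added example, not code from the thread or from Git: it parses the `--status-fd` lines GnuPG emits, keys the allowlist on the primary-key fingerprint carried in the last field of VALIDSIG, and fails closed on any BADSIG/ERRSIG/expired/revoked line. The sample status lines are constructed for the example (the good case reproduces the output quoted in the thread); the `gpg_status_lines` helper, which runs the same command as the quoted invocation, is an assumption about how a caller would obtain the lines and is not exercised here.

```python
"""Added example: decide *which* key verified a signature, and whether it is allowed.

Parses the machine-readable lines GnuPG writes to --status-fd and accepts the
signature only if every VALIDSIG line names a primary-key fingerprint on an
explicit allowlist.  Nothing here is GnuPG's or Git's own code.
"""
import re
import subprocess
from typing import Iterable, List, Optional

# VALIDSIG <fpr> <date> <ts> <expire> <sig-ver> <reserved> <pk-algo> <hash-algo> <class> <primary-fpr>
# The last field is the *primary* key fingerprint.  Allowlists should be keyed on
# that rather than on the long key ID shown in GOODSIG: the key ID is a truncation
# and signing subkeys can be rotated underneath the same primary key.
_VALIDSIG = re.compile(
    r"^\[GNUPG:\] VALIDSIG (?P<fpr>[0-9A-Fa-f]{40})(?: \S+){8} (?P<primary>[0-9A-Fa-f]{40})$"
)
# Any of these status keywords means the verification must fail as a whole.
_FATAL = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA", "NO_PUBKEY")


def _norm(fpr: str) -> str:
    """Canonical fingerprint form: no grouping spaces, upper case."""
    return fpr.replace(" ", "").upper()


def allowed_signer(status_lines: Iterable[str], allowlist: Iterable[str]) -> Optional[str]:
    """Return the primary fingerprint that signed, or None if the signature is rejected.

    Rejection reasons: any fatal status line, no VALIDSIG at all (GOODSIG alone
    does not carry the fingerprint), or a VALIDSIG whose primary key is not allowed.
    """
    allowed = {_norm(f) for f in allowlist}
    primaries: List[str] = []
    for line in status_lines:
        line = line.rstrip("\n")
        if not line.startswith("[GNUPG:] "):
            continue                      # not a status line (e.g. stray stderr text)
        keyword = line.split(" ", 2)[1]
        if keyword in _FATAL:
            return None                   # fail closed on any bad/unknown/expired signature
        m = _VALIDSIG.match(line)
        if m:
            primaries.append(_norm(m.group("primary")))
    if not primaries:
        return None
    if all(p in allowed for p in primaries):
        return primaries[0]
    return None                           # signature is cryptographically good but key not allowed


def gpg_status_lines(keyring: str, signed_file: str) -> List[str]:
    """Run gpg as in the thread and return its status lines from stdout (assumed caller helper).

    --status-fd 1 sends the status lines to stdout; stderr is discarded, as in the
    quoted invocation.  Not executed by this example.
    """
    proc = subprocess.run(
        ["gpg", "--keyring", keyring, "--quiet", "--batch", "--status-fd", "1",
         "--verify", signed_file],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True, check=False,
    )
    return proc.stdout.splitlines()


# Constructed sample input: the good case is the status output quoted in the thread,
# the bad case is a hand-written BADSIG line for the same key.
SAMPLE_GOOD = """\
[GNUPG:] SIG_ID dw0VliO0DFjOQA3HUSHijYekQYY 2008-01-29 1201633002
[GNUPG:] GOODSIG BC6AFB5BA1EE761C Pierre Habouzit <pierre.habouzit@polytechnique.edu>
[GNUPG:] VALIDSIG 72B4C59ADA78D70E055C129EBC6AFB5BA1EE761C 2008-01-29 1201633002 0 3 0 17 2 00 72B4C59ADA78D70E055C129EBC6AFB5BA1EE761C
""".splitlines()
SAMPLE_BAD = ["[GNUPG:] BADSIG BC6AFB5BA1EE761C Pierre Habouzit <pierre.habouzit@polytechnique.edu>"]
# Allowlist entries may be written in the space-grouped form gpg prints.
ALLOWLIST = ["72B4 C59A DA78 D70E 055C 129E BC6A FB5B A1EE 761C"]


if __name__ == "__main__":
    print("good, allowed key  :", allowed_signer(SAMPLE_GOOD, ALLOWLIST))
    print("good, unlisted key :", allowed_signer(SAMPLE_GOOD, ["0" * 40]))
    print("bad signature      :", allowed_signer(SAMPLE_BAD, ALLOWLIST))
```

Keying on the full primary fingerprint from VALIDSIG, rather than on the key ID in GOODSIG, is the difference between "some key on the shared keyring verified this" and "a key we have explicitly authorised verified this", which is exactly the after-the-fact check the thread proposes.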