Author signature

Author signature

[Dimitri Sabadie]

[-- Attachment #1: Type: text/plain, Size: 1639 bytes --]

Hello!

I’ve moved away from the PR/MR git workflow to the email one and I’ve
been delighted by it. However, there is one thing that feels a bit like
a regression to me.

On the PR/MR workflow, if someone wants to contribute to my project,
they can simply make a couple of commits and open a “Pull Request” or
“Merge Request.” Once reviewed, I can decide to merge via several
options:

* Creating a merge commit.
* Rebasing their commits.
* Asking the UI of the (centralized) system (GitHub, GitLab, etc.) to do

Whatever is decided, the commits end up in my repository and the author
might have signed the commits and their signature is still there.

With the email workflow, from what I understand, `git am` has no way to
keep the signature of the author — and I have not found anything going
that direction with `git send-email` and `git format-patch`, and I think
that the reason why is because the commit is modified to introduce the
committer (committer being me here; the author being the contributor who
sent the patch), whence the commit SHA changes. The author signature is
simply dropped, and `git log --show-signature` only shows my GPG
signature; not the author’s anymore!

So… I was wondering: since we can only sign commits, is there any
way / work in progress to attach the author signature to a commit? To
me, it would make sense to have something hierarchical: the comitter
simply signs above what the author signed, and the author doesn’t sign
the whole commit (I guess?), since we want to be able to change the
commit hash.

What do you think?

Cheers,
Dimitri

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: Author signature

[brian m. carlson]

[-- Attachment #1: Type: text/plain, Size: 2204 bytes --]

On 2024-05-14 at 18:31:55, Dimitri Sabadie wrote:
> With the email workflow, from what I understand, `git am` has no way to
> keep the signature of the author — and I have not found anything going
> that direction with `git send-email` and `git format-patch`, and I think
> that the reason why is because the commit is modified to introduce the
> committer (committer being me here; the author being the contributor who
> sent the patch), whence the commit SHA changes. The author signature is
> simply dropped, and `git log --show-signature` only shows my GPG
> signature; not the author’s anymore!

`git send-email` does not send a signature, correct.  I've proposed an
approach to add such a signature in the past as part of a more general
series, but it hasn't been implemented.

> So… I was wondering: since we can only sign commits, is there any
> way / work in progress to attach the author signature to a commit? To
> me, it would make sense to have something hierarchical: the comitter
> simply signs above what the author signed, and the author doesn’t sign
> the whole commit (I guess?), since we want to be able to change the
> commit hash.

This is a great question.  I have seen previous requests for author and
committer signatures, or in general, multiple signatures (such as with
co-authors).  Git has only one signature field (well, two if you could
the one for the SHA-1 encoding and the SHA-256 encoding), but OpenPGP
does allow multiple signatures to be embedded in one ASCII-armored blob.

So it is in theory possible to take the author signature and _add_ a
committer signature and have both be valid, although this will change
the object ID of the commit.  However, Git doesn't support that right
now, although there's no reason it couldn't be added for OpenPGP.  I
don't know whether it's possible for X.509 to have multiple signatures,
and I don't get the impression that OpenSSH supports it (but haven't
checked).

I was doing some test work on this within the past week, and I have a
vague desire to implement such a thing, but no definitive plans at the
moment.
-- 
brian m. carlson (they/them or he/him)
Toronto, Ontario, CA

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

Re: Author signature

[Konstantin Ryabitsev]

On Tue, May 14, 2024 at 07:51:52PM GMT, brian m. carlson wrote:
> > So… I was wondering: since we can only sign commits, is there any
> > way / work in progress to attach the author signature to a commit? To
> > me, it would make sense to have something hierarchical: the comitter
> > simply signs above what the author signed, and the author doesn’t sign
> > the whole commit (I guess?), since we want to be able to change the
> > commit hash.
> 
> This is a great question.  I have seen previous requests for author and
> committer signatures, or in general, multiple signatures (such as with
> co-authors).  Git has only one signature field (well, two if you could
> the one for the SHA-1 encoding and the SHA-256 encoding), but OpenPGP
> does allow multiple signatures to be embedded in one ASCII-armored 
> blob.

It's worth noting the gittuf work that was recently profiled on LWN [1].  
It does already integrate the concept of multiple signatures via in-toto 
attestations [2].

I feel like it's a better approach than overloading the currently 
implemented signature support.

-K

[1]: https://lwn.net/Articles/973217/
[2]: https://github.com/gittuf/gittuf/blob/main/docs/design-document.md#attestations

Re: Author signature

[Konstantin Ryabitsev]

On Tue, May 14, 2024 at 04:03:50PM GMT, Konstantin Ryabitsev wrote:
> [1]: https://lwn.net/Articles/973217/

Fixing the link:
https://lwn.net/Articles/972467/

(Unfortunately, it's still subscriber-only until 2 days from now.)

-K

Re: Author signature

[Dimitri Sabadie]

[-- Attachment #1: Type: text/plain, Size: 1334 bytes --]

On the other side, I just had another idea. What would be best to me
is to actually provide a _proof_ that at least the author acknowledges
the patch — whether he wrote it or not is another story and I don’t
think we can enforce that completely. The goal I want to achieve is that
if I send a patch via email, if the patch ends up committed by someone
else, I still want to be able to have a proof that “I wrote the patch.”

So assuming the committer is not of bad faith and doesn’t truncate my
git commit message… why not simply adding a “sign-off” like line at the
end of the commit, but instead of just putting a clear text that anyone
could tamper with, we would sign the date at which the commit was made?

For instance, I could have a git message like:

    Fix typo. 

  	-----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    Tue Jun  4 02:49:26 PM CEST 2024
    -----BEGIN PGP SIGNATURE-----

    iHUEARYKAB0WIQRsmRqgbXp8KFc3mc6pQ4aopiUuywUCZl8NVgAKCRCpQ4aopiUu
    yyhWAQCScfP28Py0QbHuqzzOFyjAMwdK0LfwiGfYrfzfv0evlAD9Hd+x8NgvPq2p
    nnnG5tQaHeIS/v8PMP0suy3QiWV8WQc=
    =Ru+m
    -----END PGP SIGNATURE-----

If a create another commit later with "Fix typo." as content, then the
date will be different and the signature won’t be the same.

What do you think?

Dimitri

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: Author signature

[Konstantin Ryabitsev]

On Tue, Jun 04, 2024 at 02:50:49PM GMT, Dimitri Sabadie wrote:
> On the other side, I just had another idea. What would be best to me
> is to actually provide a _proof_ that at least the author acknowledges
> the patch — whether he wrote it or not is another story and I don’t
> think we can enforce that completely. The goal I want to achieve is that
> if I send a patch via email, if the patch ends up committed by someone
> else, I still want to be able to have a proof that “I wrote the patch.”

On the kernel side of things, we're using patatt for this purpose:
https://github.com/mricon/patatt

> So assuming the committer is not of bad faith and doesn’t truncate my
> git commit message… why not simply adding a “sign-off” like line at the
> end of the commit, but instead of just putting a clear text that anyone
> could tamper with, we would sign the date at which the commit was made?
> 
> For instance, I could have a git message like:
> 
>     Fix typo. 
> 
>   	-----BEGIN PGP SIGNED MESSAGE-----
>     Hash: SHA512
> 
>     Tue Jun  4 02:49:26 PM CEST 2024
>     -----BEGIN PGP SIGNATURE-----
> 
>     iHUEARYKAB0WIQRsmRqgbXp8KFc3mc6pQ4aopiUuywUCZl8NVgAKCRCpQ4aopiUu
>     yyhWAQCScfP28Py0QbHuqzzOFyjAMwdK0LfwiGfYrfzfv0evlAD9Hd+x8NgvPq2p
>     nnnG5tQaHeIS/v8PMP0suy3QiWV8WQc=
>     =Ru+m
>     -----END PGP SIGNATURE-----
> 
> If a create another commit later with "Fix typo." as content, then the
> date will be different and the signature won’t be the same.
> 
> What do you think?

No, this is not a good solution, if only because the date of the commit can be
freely edited to match whatever is in the signature, and then it can be reused
for any commit at all.

-K