git.vger.kernel.org archive mirror
* Committer authentication in git-send-pack/git-receive-pack
@ 2008-03-24  4:01 James Sadler
  0 siblings, 0 replies; only message in thread
From: James Sadler @ 2008-03-24  4:01 UTC (permalink / raw)
  To: git

A while ago, there was some discussion about authenticating commits
using gnupg signatures.
(see http://kerneltrap.org/mailarchive/git/2008/1/29/634209).

I have searched through all of the branches in the main git repo and I
can't see any commits relating to this functionality, so I was
wondering if the work had stalled or perhaps not even been started.
If that's the case, I'm willing to give it a shot and would welcome
some discussion on how to get started.

The posts in the aforementioned thread expand upon the concept beyond
mere authentication and into full audit trail territory.  It sounds
like a significant chunk of work.

However, the first logical step (at least to me!) would be to extend
git-send-pack and git-receive-pack to sign and verify communications.

git-send-pack could be extended with a '--sign' argument.  This should
produce a signature generated by passing the 'command' part of the
git-send-pack output through to gpg.  The rest of the pack need not be
signed, as the SHA-1s in the command section already are
cryptographically associated with the pack itself.

At the other end, git-receive-pack would need to be invoked in such a
way that it knows only to accept signed communications, and where to
find a list of public keys that will be used to authenticate the data.
It will check that the committer's key is known and that the signature
matches the command section generated by send-pack.  If the
communication is not signed, or committer is unknown or it fails
verification for any reason, git-receive-pack should die with an
appropriate message.

From this starting point, other features (discussed in aforementioned
thread) could eventually be added.

Thoughts/advice/opinions/critique welcome.
-- 
James
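As an added example (not code from the post and not part of git), the two steps proposed above as a shell prototype built directly on gpg: the sending side produces a detached signature over the command section only, and the receiving side verifies it against a keyring that holds nothing but the known committers' public keys, dying on an unsigned section, an unknown key, or a signature that does not match. The function names `sign_commands` and `verify_commands`, the `--sign` flag they stand in for, the three GNUPGHOME directories, and the sample `<old-sha1> <new-sha1> refs/heads/master` line with its made-up object names are all assumptions for the demo; it needs gpg 2.1 or newer and runs entirely inside a temporary directory.

```shell
#!/bin/sh
# Added example: a prototype of the sign/verify step proposed in the post.
# Not code from the post or from git. Function names (sign_commands,
# verify_commands) and the sample command section are assumptions.
# Needs gpg 2.1 or newer; everything lives in a throwaway directory.

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer"      # committer's GNUPGHOME (send-pack side)
STRANGER_HOME="$WORK/stranger"  # a committer the server has never heard of
RECEIVER_HOME="$WORK/receiver"  # server-side keyring: the list of known keys

# Constructed sample command section in the "<old> <new> <ref>" form that
# send-pack emits. The SHA-1 values are made up for the demo.
OLD_SHA=0000000000000000000000000000000000000000
NEW_SHA=abcdef0123abcdef0123abcdef0123abcdef0123
EVIL_SHA=deadbeef00deadbeef00deadbeef00deadbeef00

gpg_available() { command -v gpg >/dev/null 2>&1; }

# make_key HOME UID: unprotected signing key in an isolated GNUPGHOME.
make_key() {
    mkdir -p "$1" && chmod 700 "$1"
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never >/dev/null 2>&1
}

# sign_commands HOME CMDS SIG: the proposed '--sign' step on the send side,
# a detached signature over the command section only (the pack itself is
# bound by the SHA-1s inside that section).
sign_commands() {
    gpg --homedir "$1" --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$3" "$2" >/dev/null 2>&1
}

# verify_commands CMDS SIG: the receive side. Accepts only a good signature
# from a key present in RECEIVER_HOME; prints the verdict and returns non-zero
# on any reject so receive-pack could simply `|| die`.
verify_commands() {
    cmds=$1; sig=$2
    if [ ! -s "$sig" ]; then
        echo "reject:unsigned"; return 1
    fi
    # --status-fd 1 puts gpg's machine-readable verdict lines on stdout.
    status=$(gpg --homedir "$RECEIVER_HOME" --batch --status-fd 1 \
                 --verify "$sig" "$cmds" 2>/dev/null) || true
    case "$status" in
        *"[GNUPG:] NO_PUBKEY "*) echo "reject:unknown-key"; return 1 ;;
        *"[GNUPG:] GOODSIG "*)   echo "accept"; return 0 ;;
        *)                       echo "reject:bad-signature"; return 1 ;;
    esac
}

# setup_demo: generate two committer keys and give the receiver a keyring
# that knows only the first one.
setup_demo() {
    make_key "$SIGNER_HOME"   "Known Committer <known@example.invalid>"
    make_key "$STRANGER_HOME" "Unknown Committer <unknown@example.invalid>"
    mkdir -p "$RECEIVER_HOME" && chmod 700 "$RECEIVER_HOME"
    gpg --homedir "$SIGNER_HOME" --batch --quiet --export --armor > "$WORK/known.pub"
    gpg --homedir "$RECEIVER_HOME" --batch --quiet --import "$WORK/known.pub" >/dev/null 2>&1
    printf '%s %s refs/heads/master\n' "$OLD_SHA" "$NEW_SHA" > "$WORK/commands"
}

# scenario NAME: push one of four variants through verify_commands and print
# the verdict. Always exits 0; the verdict is the printed string.
scenario() {
    cmds="$WORK/commands.$1"; sig="$WORK/commands.$1.sig"
    cp "$WORK/commands" "$cmds"; rm -f "$sig"
    case "$1" in
        good)     sign_commands "$SIGNER_HOME" "$cmds" "$sig" ;;
        unsigned) : ;;   # client sent no signature at all
        stranger) sign_commands "$STRANGER_HOME" "$cmds" "$sig" ;;
        tampered) sign_commands "$SIGNER_HOME" "$cmds" "$sig"
                  # command section altered in transit after signing
                  sed "s/$NEW_SHA/$EVIL_SHA/" "$cmds" > "$cmds.tmp" && mv "$cmds.tmp" "$cmds" ;;
    esac
    verify_commands "$cmds" "$sig" || true
}

cleanup() {
    for d in "$SIGNER_HOME" "$STRANGER_HOME" "$RECEIVER_HOME"; do
        gpgconf --homedir "$d" --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

if gpg_available; then
    setup_demo
    for s in good unsigned stranger tampered; do
        printf '%-8s -> %s\n' "$s" "$(scenario "$s")"
    done
else
    echo "gpg not found; skipping demo" >&2
fi
```

Two points a practitioner would check before building on this. First, the receiver's GNUPGHOME is the "list of public keys" from the post: keyring membership is the whole authorization decision, and gpg's status lines let the server tell an unknown committer (`NO_PUBKEY`) apart from a forged or corrupted section (`BADSIG`), which is worth reporting differently. Second, a signature over nothing but `<old> <new> <ref>` is replayable: anyone who captured it can resubmit the same update to any repository where the old value still matches, so a real implementation would want receive-pack to contribute something unique (repository identity and a fresh nonce) to the text that gets signed.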

