Comment by CarpaDorada

1 year ago

The issue is mostly with git itself, e.g. take a look at

  git cat-file commit HEAD

to see something like:

  tree <tree-hash>
  parent <parent-hash>
  author <author-name> <author-email> <timestamp>
  committer <committer-name> <committer-email> <timestamp>
  gpgsig -----BEGIN PGP SIGNATURE-----
   
   <ascii-armored RFC9580 signature>
   -----END PGP SIGNATURE-----

  <commit message>

You can view an example of the structure of this ascii-armored signature here <https://cirw.in/gpg-decoder/#-----BEGIN%20PGP%20SIGNATURE---...>.

You can add a patch to git to support more signature types than just OpenPGP. You may then be able to move mountains and get GitHub/others to join in the validation. Finally, if you can find bugs/exploits in GnuPG, you should report them and you will definitely get credit and recognition for them. They are not trivial to find.

2 comments

CarpaDorada

fmajid 1 year ago

Git has supported SSH-based signatures for a while now, including those backed by FIDO hardware keys.

CarpaDorada 1 year ago

FIDO would be for authentication, not signing. It also supports SSH (and X.509, see <https://git-scm.com/docs/gitformat-signature>) but it does not support minisign or signify. There's a git module for signify, <https://leahneukirchen.org/dotfiles/bin/git-signify> but don't count on it being widely supported.