My website can't be that messy, right? git clone https://anongit.hacktivis.me/git/blog.git/
commit: 83d61d3257c391de0097c8fe75262ac0c240ae56
parent abcd5de85c25312dbe38ecdef34b635ee5685c25
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Fri,  2 May 2025 06:43:26 +0000

articles/forgeless-ssh-signed-commit: new

Diffstat:

A articles/forgeless-ssh-signed-commit.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
M config.ninja                              |  1 +
M feed.atom.in                              |  1 +
M home.shtml                                |  1 +
4 files changed, 45 insertions(+), 0 deletions(-)

diff --git a/articles/forgeless-ssh-signed-commit.xml b/articles/forgeless-ssh-signed-commit.xml 
@@ -0,0 +1,42 @@ +<entry> +<title>Forge-less SSH-signed git commits</title> +<link rel="alternate" type="text/html" href="https://hacktivis.me/articles/forgeless-ssh-signed-commit"/> +<id>https://hacktivis.me/articles/forgeless-ssh-signed-commit</id> +<published>2025-05-02T06:43:26Z</published> +<updated>2025-05-02T06:43:26Z</updated> +<!-- +<link rel="external replies" type="application/activity+json" href="https://queer.hacktivis.me/objects/50be9d37-dee6-4c69-818e-013fa3b010d0" /> +<link rel="external replies" type="text/html" href="https://queer.hacktivis.me/objects/50be9d37-dee6-4c69-818e-013fa3b010d0" /> +--> +<content type="xhtml"> +<div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="h-entry"> + +<p> + One key difference I found useful when git added support for ssh-signature is the fact that you now can just drop an <code>authorized_keys</code> file in the repository, and configure it as a source of public keys.<br /> + No more horribly unreliable OpenPGP keyservers where getting trust is rather questionable (<a href="https://hacktivis.me/articles/real%20names">ID Cards are for citizenship and border-control</a>), and no more "Verified" badge in forges that you can't check yourself. +</p> + +<p> + For this you want a file in the repository containing the git email followed by the ssh-public key, and set it as a trusted source via <code>gpg.ssh.allowedSignersFile</code>, like so with naming it <code>authorized_keys.git</code>: +<code><pre> +# How to setup: git config gpg.ssh.allowedSignersFile authorized_keys.git +contact@hacktivis.me ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKAxeQh6KJGg89yivTtmUtjxp80inHBrL5sMdt+Kg1ed haelwenn@NightmareMoon +contact@hacktivis.me ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC6LRxSNagh9NlEYLUqA8o/4HiUStEymeyvjFtNZeEIe haelwenn@cloudchaser +</pre></code> + <br /> + As can be seen in <a href="https://hacktivis.me/git/utils-std/file/authorized_keys.git.html">utils-std's <code>authorized_keys.git</code></a>. 
+</p> + +<p> + This way everyone with a copy of the git repository can verify the commit signatures on their own, entirely offline. + And there is also a much clearer link between the keys and repository identity. +</p> + +<p> + One thing I haven't done but would be interesting is verifying said signatures via git-hooks when new commits are pulled, meaning that keys needs to be added by someone already authorized.<br /> + <a href="https://guix.gnu.org/en/blog/2024/authenticate-your-git-checkouts/">Guix has done something like this</a>, but sadly it's lispy and built into the guix ecosystem. +</p> + +</div> +</content> +</entry> diff --git a/config.ninja b/config.ninja @@ -21,6 +21,7 @@ build articles/cve.org-disaster.html: article entry.xsl articles/cve.org-disaste build articles/drm-definition.html: article entry.xsl articles/drm-definition.xml build articles/firefox-begone.html: article entry.xsl articles/firefox-begone.xml build articles/firmware-broken-terminology.html: article entry.xsl articles/firmware-broken-terminology.xml +build articles/forgeless-ssh-signed-commit.html: article entry.xsl articles/forgeless-ssh-signed-commit.xml build articles/google-web-environment-integrity-illegal.html: article entry.xsl articles/google-web-environment-integrity-illegal.xml build articles/libre-software-security-disclosure.html: article entry.xsl articles/libre-software-security-disclosure.xml build articles/mozilla-foundation-has-no-members.html: article entry.xsl articles/mozilla-foundation-has-no-members.xml diff --git a/feed.atom.in b/feed.atom.in @@ -11,6 +11,7 @@ <updated>2025-04-07T01:37:22Z</updated> <!-- new.sh: new articles here --> +<xi:include href="articles/forgeless-ssh-signed-commit.xml"/> <xi:include href="articles/choosing-dependencies.xml"/> <xi:include href="articles/mozilla-foundation-has-no-members.xml"/> <xi:include href="articles/bootstrap-initrd.xml"/> diff --git a/home.shtml b/home.shtml 
@@ -13,6 +13,7 @@ <p>List of articles, newest first:</p> <ol class="indexlist"> <!-- new.sh: new articles here --> + <li>2025-05-02: <a href="/articles/forgeless-ssh-signed-commit">Forge-less SSH-signed git commits</a></li> <li>2024-12-14: <a href="/articles/choosing-dependencies">How I choose dependencies</a></li> <li>2024-06-25: <a href="/articles/mozilla-foundation-has-no-members">Mozilla Foundation has no members</a></li> <li>2024-06-23: <a href="/articles/bootstrap-initrd">bootstrap-initrd: A self-building environment based on tcc+musl</a></li>
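Review bot: In the new articles/forgeless-ssh-signed-commit.xml, the paragraph "everyone with a copy of the git repository can verify the commit signatures on their own, entirely offline" leaves out which revision of `authorized_keys.git` the verifier should trust: since the allowed-signers file lives in the tree, any commit can append a line to it, so `git config gpg.ssh.allowedSignersFile authorized_keys.git` as written trusts whatever the checked-out revision says. The last paragraph already hints at the fix (keys added only by someone already authorized); a sentence saying to take the file from an already-verified commit, or from a copy outside the working tree, would close the gap. Two smaller points in the same hunk: the example file could use the allowed-signers `namespaces="git"` option before the key type so the listed keys are only accepted for git signatures and not for other ssh-keygen signature namespaces, e.g. `contact@hacktivis.me namespaces="git" ssh-ed25519 AAAA...`; and `<code><pre>` nests a block-level `pre` inside the phrasing-level `code`, which is invalid in XHTML, so swap it to `<pre><code>` ... `</code></pre>`.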
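Review bot: In the feed.atom.in hunk the feed-level `<updated>2025-04-07T01:37:22Z</updated>` shown as context is left untouched while a `2025-05-02` entry is added above it; unless the build rewrites that element from the entries, bump it to the new entry's `<published>` value so feed readers that key on the feed-level timestamp notice the new article.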