[tbb-dev] A proposal for signing commits with gpg
Nicolas Vigier
boklm at mars-attacks.org
Tue Apr 28 14:42:47 UTC 2020
Hi,
Attached is a proposal for signing commits with gpg.
I also added it to this branch (using number 104, although this number
can still change before merging):
https://gitweb.torproject.org/user/boklm/tor-browser-spec.git/commit/?h=bug_34046&id=66abcf2003c5131b24ea17d4eb164a42bff9c193
Nicolas
-------------- next part --------------
Filename: xxx-signing-commits-with-gpg.txt
Title: Signing commits with GPG
Author: Nicolas Vigier
Created: 28-Apr-2020
Status: Open
Ticket: #34046
1. Motivation
While building stable or alpha Tor Browser releases, we verify all
inputs using one of the following methods:
- verifying the checksum of downloaded files
- verifying the gpg signature of downloaded files
- verifying the gpg signature on git tags
- using a known git commit hash
In nightly builds however, we need to use the master branch of some
components, without checking that the commit is signed. An attacker
who manages to take control of our git repository could potentially
compromise our build machines in this way. In order to remove this
possibility, we should sign and verify commits on all master branches
used in the nightly builds.
2. Proposal
2.1 Signing commits
Signing commits with gpg can be done using the -S option of most git
commands (commit, merge, cherry-pick, rebase, etc ...).
Alternatively, the commit.gpgSign git config option can be set to
true, to sign all commits by default.
If a proposed commit is not signed by a known key, the maintainer of
the component should merge it using git merge's --no-ff option,
in order to force the creation of a signed merge commit even in the
cases where a fast-forward would otherwise make a merge commit
unnecessary. Alternatively the git cherry-pick command can be used to
rewrite and sign the commit.
2.2 Git repositories which should have signed commits
The master commits of tor-browser-build.git should be signed by one of
the members of the Tor Browser team. Additionally, all components
included in Tor Browser, where the master branch is used in our
nightly build, should have their master commits signed by one of the
maintainers of those repositories.
The current list of repositories where we use the master branch in
nightly builds is:
https://git.torproject.org/pluggable-transports/goptlib.git
https://git.torproject.org/pluggable-transports/obfs4.git
https://git.torproject.org/tor-launcher.git
https://git.torproject.org/tor-browser.git
https://git.torproject.org/tor.git
2.3 Verifying signature on components included in Tor Browser
In tor-browser-build, we should include in keyring/$project.gpg
(where project is the name of the component) the keys of all
developers of the component who are expected to sign their commits,
or the keys of all maintainers of the component who are expected to
merge all commits.
In rbm's configuration for each component where the master branch
is used for the nightly build, we set commit_gpg_id to 1 to enable
verification of the commit's signature.
2.4 Verifying signature on tor-browser-build
In keyring/torbrowser-team.gpg in tor-browser-build, we add the gpg
keys of the main developers.
We also include the following helper scripts:
- tools/git-pull: fetch a remote repository, but verify the signature
of the top commit before merging it in the current branch.
- tools/git-checkout: verify the signature of a commit before
switching to it.
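The following shell script is an added example and is not tor-browser-build's own tools/git-pull or tools/git-checkout. It walks through sections 2.1, 2.3 and 2.4 end to end on throwaway repositories: a master branch whose commits are signed via commit.gpgSign, an unsigned contribution brought in with git merge --no-ff so that the tip of master stays signed, and a verify_top_commit function that refuses a ref unless its tip carries a good signature from a key held in a dedicated keyring (the proposal's keyring/$project.gpg; here a constructed file named project.gpg). The key, the names, the e-mail addresses and the directory layout are all constructed for the example.

```shell
#!/bin/sh
# Added example, not tor-browser-build's tools/git-pull: sign master,
# merge an unsigned contribution with --no-ff, and verify a ref's tip
# against a project keyring before trusting it. Everything here (keys,
# names, paths) is constructed for the example.
set -e

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT
export GIT_AUTHOR_NAME=Maintainer GIT_COMMITTER_NAME=Maintainer
export GIT_AUTHOR_EMAIL=maint@example.org GIT_COMMITTER_EMAIL=maint@example.org

# Throwaway maintainer key (constructed; an unprotected key like this
# is only acceptable for a disposable demo).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Maintainer <maint@example.org>' default default never
MAINT_FPR=$(gpg --batch --with-colons --list-keys maint@example.org \
            | awk -F: '$1 == "fpr" { print $10; exit }')
# The project keyring holds only the keys allowed to sign master (2.3).
gpg --batch --export maint@example.org > "$WORK/project.gpg"

# Upstream repository: every commit on master is signed (2.1).
UPSTREAM="$WORK/upstream"
git init -q "$UPSTREAM"
cd "$UPSTREAM"
git symbolic-ref HEAD refs/heads/master
git config commit.gpgSign true            # sign everything by default
git config user.signingkey "$MAINT_FPR"
echo one > file && git add file && git commit -q -m 'signed commit'

# A contributor's unsigned commit on a topic branch.
git checkout -q -b contrib
echo two > file && git add file && git commit -q --no-gpg-sign -m 'unsigned contribution'
git checkout -q master
# --no-ff forces a merge commit, and -S signs it, so the tip of master is
# signed even though the contributed commit itself is not.
git merge -q -S --no-ff -m 'merge contrib' contrib

# verify_top_commit REPO REF KEYRING: succeed only if the tip of REF has a
# good signature from a key in KEYRING. gpg runs in a fresh GNUPGHOME that
# contains nothing but KEYRING, so the keyring itself is the trust anchor:
# a key missing from it cannot be verified at all (status 'E'), and a key
# in it gets status 'U' (good signature, validity unknown) because no
# ownertrust is assigned. The fingerprint comparison is a second check in
# case the verification home is ever populated with other keys.
verify_top_commit() {
    repo=$1; ref=$2; keyring=$3
    vhome=$(mktemp -d)
    chmod 700 "$vhome"
    GNUPGHOME="$vhome" gpg --batch --quiet --import "$keyring" 2>/dev/null
    allowed=$(GNUPGHOME="$vhome" gpg --batch --with-colons --list-keys 2>/dev/null \
              | awk -F: '$1 == "fpr" { print $10 }')
    # %G? is git's one-letter signature status, %GF the signing key's fingerprint.
    set -- $(GNUPGHOME="$vhome" git -C "$repo" log -1 --format='%G? %GF' "$ref")
    status=$1; fpr=$2
    GNUPGHOME="$vhome" gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$vhome"
    case "$status" in
        G|U) ;;                            # good signature
        *) echo "refusing $ref: signature status '$status'" >&2; return 1 ;;
    esac
    for f in $allowed; do
        [ "$f" = "$fpr" ] && return 0
    done
    echo "refusing $ref: signed by $fpr, which is not in $keyring" >&2
    return 1
}

# git-pull style use (2.4): check the fetched tip, then merge it.
verify_top_commit "$UPSTREAM" master  "$WORK/project.gpg"
verify_top_commit "$UPSTREAM" contrib "$WORK/project.gpg" || echo "contrib rejected, not merging"
```

Note that `git verify-commit` alone exits 0 for any good signature, including one from a key that is merely present in the developer's personal keyring; pointing GNUPGHOME at a directory holding only the project keyring, as the function does, is what turns "signed" into "signed by someone we allow". The merged contribution is still unsigned and still reachable from master, which is why the proposal verifies the tip commit that a maintainer signed rather than every commit in history.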