git - How to automatically verify that all committers PGP-sign their commits

Reposted. Author: 太空狗. Updated: 2023-10-29 13:38:18

GitHub supports signing commits with a PGP key.

We have an open source project that accepts contributions from people who do not have a PGP key. Security is critical for us, so we decided that everyone who merges a pull request will sign the merge with their PGP key, so that every actual commit is signed either directly by its author and/or through the merge.

What is the best way to set up a continuous integration build to make sure this really happens? If someone commits or merges code into the main repository without signing it with a PGP key from a given list of authorized keys, we want the build to fail, alarms to go off, and possibly the commit/merge to be reverted.

We are using GitHub, so I wonder whether GitHub hooks would help. I believe we will use Jenkins for CI, but that is probably irrelevant, since it will be a custom script.

To clarify: the project accepts contributions from open source developers, and we do not require every one of them to have a PGP key. However, everyone with merge rights on GitHub must have a PGP key, and the build I am proposing would verify that. The merge commits themselves will be PGP-signed, even if not every commit is.

Best answer

Update (April 2021):

See "Flag unsigned commits with vigilant mode":

To improve security and confidence in the authenticity of your contributions, you can flag commits and tags on GitHub.com that are attributed to you but not signed by you.

With vigilant mode enabled (now available in beta), unsigned commits attributed to you are flagged with an Unverified badge.
This can alert you and others to potential issues with authenticity.

The author and committer of a Git commit can easily be spoofed.
For example, someone can push a commit that claims to be from you, but isn't. Like showing a passport, committers can increase trust in their commits by signing them with a GPG or S/MIME key.

And now, when you enable vigilant mode, commits will be flagged if they’re attributed to you but not signed by you.
This raises attention if someone tries to spoof your identity as a committer or author. With vigilant mode enabled, all of your commits and tags are marked with one of three verification statuses: Verified, Partially verified, or Unverified.

Commits and tags are marked with one of three verification statuses -- https://i0.wp.com/user-images.githubusercontent.com/1767415/116419252-df094c80-a80a-11eb-91c4-4b3b27330673.png?ssl=1

Try it yourself!
First, check out how to automatically sign your commits.
Then, enable vigilant mode in your account settings:

Vigilant mode in GitHub.com personal account settings -- https://i2.wp.com/user-images.githubusercontent.com/1767415/116419242-dca6f280-a80a-11eb-9ac1-2fc624ef5032.png?ssl=1

Be sure to enable vigilant mode after you start signing your commits and tags.
Once you enable it, any unsigned commits or tags that you push to GitHub.com will be marked "Unverified," including past commits.

Learn more about vigilant mode.


Update (April 2016)

See "GitHub GPG signature verification":

starting today GitHub will show you when commits and tags are signed.


When you view a signed commit or tag, you will see a badge indicating if the signature could be verified using any of the contributor's GPG keys uploaded to GitHub.
You can upload your GPG keys by visiting the keys settings page.



Original answer (June 2014)

Based on your edit, you have chosen option 2 from the article "A Git Horror Story: Repository Integrity With Signed Commits":

Option #2 is as simple as passing the -S argument to git merge.
If the merge is a fast-forward (that is, all commits can simply be applied atop of HEAD without any need for merging), then you would need to use the --no-ff option to force a merge commit.

Then making a signed request-pull (which can always be signed if commit.gpgsign is set) can limit the signed part to the commits that will be merged as a contribution (rather than any random merge between two branches).

More details on that process:

So if your continuous integration build only merges pull requests (as used in this test script), you can check whether those specific commits are signed (and not merge them if they are not).
This script is an example of such a check: "check-commit-signature".
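As an added example (not code from the original post, nor from the linked check-commit-signature script), here is a POSIX sh check that a CI job such as Jenkins can run over the commits pushed to the protected branch. It assumes git and gpg are installed and the maintainers' public keys are imported into the CI keyring; the fingerprints in ALLOWED_FPRS are constructed placeholders. It goes a little beyond the answer's merge-only check by following --first-parent, so a direct unsigned push to the branch is caught as well as an unsigned merge.

```shell
#!/bin/sh
# Added example, not from the original post: a CI-side check that every commit
# landing on the protected branch (merge commits and direct pushes alike) has a
# good GPG signature made by an allow-listed maintainer key.
set -eu

# Constructed allowlist of maintainer primary-key fingerprints (hypothetical values,
# space separated). In a real pipeline, load this from a file the CI job controls.
ALLOWED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567 89ABCDEF0123456789ABCDEF0123456789ABCDEF"

# Judge one line of "git log --format='%H %G? %GP'" output: "<sha> <status> <primary-fpr>".
# %G? is G (good), U (good, key not trusted in the keyring), B (bad), E (cannot check),
# N (unsigned), X/Y/R (expired or revoked). %GP is empty for unsigned commits.
check_line() {
  set -- $1
  sha=${1:-} status=${2:-} fpr=${3:-}
  case "$status" in
    G|U) ;;                                  # verified signature; allowlist still applies
    N)   echo "REJECT $sha: not signed"; return 1 ;;
    *)   echo "REJECT $sha: signature status '$status'"; return 1 ;;
  esac
  # %GP gives the primary key, so maintainers may sign with a subkey.
  case " $ALLOWED_FPRS " in
    *" $fpr "*) echo "OK     $sha signed by $fpr" ;;
    *) echo "REJECT $sha: key $fpr is not an authorised maintainer key"; return 1 ;;
  esac
}

# Check a whole block of log output; report every violation, return 1 if any.
check_log_output() {
  rc=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    check_line "$line" || rc=1
  done <<EOF
$1
EOF
  return $rc
}

# Check the commits that landed on the branch in a range such as "origin/main@{1}..origin/main".
# --first-parent follows the mainline only: contributor commits inside a signed merge
# need not be signed, but the merge commit (or any direct push) must be.
check_range() {
  check_log_output "$(git log --first-parent --format='%H %G? %GP' "$1")"
}

# Usage: ./check-signed.sh <revision-range>   (non-zero exit fails the build)
if [ -n "${1:-}" ]; then check_range "$1"; fi
```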

On "git - How to automatically verify that all committers PGP-sign their commits", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/24074176/
