From 7c7477f20c9e5bac4f90cef2a111b496fc5afb31 Mon Sep 17 00:00:00 2001 From: Konstantin Ryabitsev Date: Thu, 18 Jan 2018 16:32:31 -0500 Subject: [PATCH] What is git PGP integration trying to solve? Per question in #28, explain why git and pgp integration are useful. Signed-off-by: Konstantin Ryabitsev --- protecting-code-integrity.md | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/protecting-code-integrity.md b/protecting-code-integrity.md index 2e82aeb..fe18a94 100644 --- a/protecting-code-integrity.md +++ b/protecting-code-integrity.md @@ -1,6 +1,6 @@ # Protecting code integrity with PGP -Updated: 2017-12-14 +Updated: 2018-01-18 *Status: CURRENT, BETA* @@ -198,7 +198,8 @@ In this guide, we will be using the TOFU trust model. First, it is important to understand the distinction between PGP, OpenPGP, GnuPG and gpg: -- **PGP** ("Pretty Good Privacy") is the name of the original commercial software +- **PGP** ("Pretty Good Privacy") is the name of the original commercial + software - **OpenPGP** is the IETF standard compatible with the original PGP tool - **GnuPG** ("Gnu Privacy Guard") is free software that implements the OpenPGP standard 
@@ -954,6 +955,25 @@ Once you are done, remember to send the updated key back to keyservers: ## Using PGP with Git +One of the core features of Git is its decentralized nature -- once a +repository is cloned to your system, you have full history of the project, +including all of its tags, commits and branches. However, with hundreds of +cloned repositories floating around, how does anyone verify that the +repository you downloaded has not been tampered with by a malicious third +party? You may have cloned it from GitHub or some other official-looking +location, but what someone managed to trick you? + +Or what happens if a backdoor is discovered in one of the projects you've +worked on, and the "Author" line in the commit says it was done by you, while +you're pretty sure you had [nothing to do with +it](https://github.com/jayphelps/git-blame-someone-else)? + +To address both of these issues, Git introduced PGP integration -- signed tags +prove the repository integrity by assuring that its contents are exactly the +same as on the workstation of the developer who created the tag, and signed +commits make it nearly impossible for someone to impersonate you without +having access to your PGP keys. + ### Checklist - [ ] Understand signed tags, commits, and pushes _(ESSENTIAL)_
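Review bot: in the "## Using PGP with Git" hunk, the sentence "You may have cloned it from GitHub or some other official-looking location, but what someone managed to trick you?" is missing a word and should read "but what if someone managed to trick you?". The claim that follows, "signed tags prove the repository integrity by assuring that its contents are exactly the same as on the workstation of the developer who created the tag", would be more accurate if it said what is actually signed and who has to check it: a signed tag covers the tagged commit hash (and, through the hash chain, its tree and history), and it protects a reader only if that reader runs `git verify-tag` on it; likewise "signed commits make it nearly impossible for someone to impersonate you" holds only for people who verify with `git verify-commit` or `git log --show-signature`, so a sentence saying that verification is the user's job would round out the motivation (the checklist item just below, "Understand signed tags, commits, and pushes", is a natural place to point to). Finally, since the earlier hunk in this same patch insists on the distinction between PGP, OpenPGP, GnuPG and gpg, "Git introduced PGP integration" could say that Git calls out to gpg (GnuPG) for signing and verification, to stay consistent with that terminology.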