What is git PGP integration trying to solve?
Per question in #28, explain why git and pgp integration are useful.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
parent 126e4f0b5d
commit 7c7477f20c
@ -1,6 +1,6 @@
|
|||
# Protecting code integrity with PGP
|
||||
|
||||
Updated: 2017-12-14
|
||||
Updated: 2018-01-18
|
||||
|
||||
*Status: CURRENT, BETA*
|
||||
|
||||
|
@ -198,7 +198,8 @@ In this guide, we will be using the TOFU trust model.
|
|||
First, it is important to understand the distinction between PGP, OpenPGP,
|
||||
GnuPG and gpg:
|
||||
|
||||
- **PGP** ("Pretty Good Privacy") is the name of the original commercial software
|
||||
- **PGP** ("Pretty Good Privacy") is the name of the original commercial
|
||||
software
|
||||
- **OpenPGP** is the IETF standard compatible with the original PGP tool
|
||||
- **GnuPG** ("Gnu Privacy Guard") is free software that implements the OpenPGP
|
||||
standard
|
||||
|
@ -954,6 +955,25 @@ Once you are done, remember to send the updated key back to keyservers:
|
|||
|
||||
## Using PGP with Git
|
||||
|
||||
One of the core features of Git is its decentralized nature -- once a
|
||||
repository is cloned to your system, you have full history of the project,
|
||||
including all of its tags, commits and branches. However, with hundreds of
|
||||
cloned repositories floating around, how does anyone verify that the
|
||||
repository you downloaded has not been tampered with by a malicious third
|
||||
party? You may have cloned it from GitHub or some other official-looking
|
||||
location, but what someone managed to trick you?
|
||||
|
||||
Or what happens if a backdoor is discovered in one of the projects you've
|
||||
worked on, and the "Author" line in the commit says it was done by you, while
|
||||
you're pretty sure you had [nothing to do with
|
||||
it](https://github.com/jayphelps/git-blame-someone-else)?
|
||||
|
||||
To address both of these issues, Git introduced PGP integration -- signed tags
|
||||
prove the repository integrity by assuring that its contents are exactly the
|
||||
same as on the workstation of the developer who created the tag, and signed
|
||||
commits make it nearly impossible for someone to impersonate you without
|
||||
having access to your PGP keys.
|
||||
|
||||
### Checklist
|
||||
|
||||
- [ ] Understand signed tags, commits, and pushes _(ESSENTIAL)_
|
||||
|
|
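Review bot: "but what someone managed to trick you?" in the first paragraph of the new "Using PGP with Git" section is missing a word; suggest "but what if someone managed to trick you?". Two points on the "To address both of these issues" paragraph: it explains what signed tags and signed commits give you, but the checklist item that follows reads "Understand signed tags, commits, and pushes", and signed pushes are never introduced in the text, so either add a sentence on them before the checklist or drop "pushes" from the item. Also, "signed tags prove the repository integrity" is broader than what the same sentence then describes ("its contents are exactly the same as on the workstation of the developer who created the tag"); consider narrowing the claim to the tagged state, e.g. "signed tags prove that the tagged contents are exactly the same as on the workstation of the developer who created the tag", so readers do not take a single signed tag as a guarantee over every branch in their clone.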