What is git PGP integration trying to solve?

Per question in #28, explain why git and pgp integration are useful.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Konstantin Ryabitsev 2018-01-18 16:32:31 -05:00
parent 126e4f0b5d
commit 7c7477f20c
No known key found for this signature in database
GPG Key ID: 34BAB80AF9F247B8
1 changed files with 22 additions and 2 deletions


@ -1,6 +1,6 @@
# Protecting code integrity with PGP
Updated: 2017-12-14
Updated: 2018-01-18
*Status: CURRENT, BETA*
@ -198,7 +198,8 @@ In this guide, we will be using the TOFU trust model.
First, it is important to understand the distinction between PGP, OpenPGP,
GnuPG and gpg:
- **PGP** ("Pretty Good Privacy") is the name of the original commercial software
- **PGP** ("Pretty Good Privacy") is the name of the original commercial
software
- **OpenPGP** is the IETF standard compatible with the original PGP tool
- **GnuPG** ("Gnu Privacy Guard") is free software that implements the OpenPGP
standard
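Review bot: the rewrap of the **PGP** bullet is a whitespace-only change unrelated to the commit's stated purpose (explaining why Git/PGP integration is useful); it would be cleaner as a separate formatting commit, or at least mentioned in the commit message so the two-line deletion/addition does not look like a content change.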
@ -954,6 +955,25 @@ Once you are done, remember to send the updated key back to keyservers:
## Using PGP with Git
One of the core features of Git is its decentralized nature -- once a
repository is cloned to your system, you have full history of the project,
including all of its tags, commits and branches. However, with hundreds of
cloned repositories floating around, how does anyone verify that the
repository you downloaded has not been tampered with by a malicious third
party? You may have cloned it from GitHub or some other official-looking
location, but what someone managed to trick you?
Or what happens if a backdoor is discovered in one of the projects you've
worked on, and the "Author" line in the commit says it was done by you, while
you're pretty sure you had [nothing to do with
it](https://github.com/jayphelps/git-blame-someone-else)?
To address both of these issues, Git introduced PGP integration -- signed tags
prove the repository integrity by assuring that its contents are exactly the
same as on the workstation of the developer who created the tag, and signed
commits make it nearly impossible for someone to impersonate you without
having access to your PGP keys.
### Checklist
- [ ] Understand signed tags, commits, and pushes _(ESSENTIAL)_
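Review bot: typo in the new paragraph, "but what someone managed to trick you?" should read "but what if someone managed to trick you?". Two smaller points on the same hunk: the sentence "signed tags prove the repository integrity by assuring that its contents are exactly the same as on the workstation of the developer who created the tag" could say what the signature actually covers, since a tag signature attests the commit hash the tag points at and the guarantee therefore also rests on Git's object hashing; and the checklist item introduces signed pushes, which the paragraph above never explains, so a sentence noting that a signed push (git push --signed) attests the ref update itself, separately from tag and commit signatures, would keep the text and the checklist in step.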