
Enforce signing of shell-etc #21

Description

@KellerFuchs

Currently, Github is ultimately trusted, since we pull configuration from it, build containers based on repo's contents, ... As a first step away from this (not from using Github, but from trusting it), I suggest we use OpenPGP signatures to protect the authenticity of the git tree.

This is (mostly) straightforward:

  • Create a GnuPG homedir in /etc/gpg/, used only for signature checking.
    This allows us to keep the keyring and the GnuPG config (in particular, trust-model direct) in shell-etc.
  • Agree to only merge PRs in shell-etc using signed merge commits, as can be created with git merge --no-ff -S.
    When switching to this practice, create an empty, signed commit at the head of shell-etc (if needed).
  • Replace etckeeper vcs pull --ff-only in sync.yml with etckeeper vcs pull --ff-only --verify-signatures, with the GNUPG_HOME environment variable set to /etc/gpg/.

There are 2 main issues:

  • It doesn't currently seem possible, on Github, to enforce that only signed commits get pushed.
    I've been in touch with Github's support regarding that.
  • How do we deal cleanly with commits created by apt(8)?
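The three steps above can be rehearsed end to end before touching a real host. The script below is an added example, not code from this issue or from shell-etc: it builds a throwaway maintainer key, a verification-only GnuPG homedir standing in for /etc/gpg/ (with trust-model direct and explicit ownertrust), a repository whose head is a signed merge commit, and a clone that pulls with --ff-only --verify-signatures, then shows the pull succeeding on a signed tip and being refused once an unsigned commit sits on top. It assumes gpg (2.1 or later), gpgconf and git are installed; every directory, key, branch and commit in it is constructed for the demo.

```shell
#!/bin/sh
# Added example: a rehearsal of the scheme proposed in this issue, run entirely in
# throwaway directories. It is not code from the issue or from shell-etc, and it
# assumes gpg (2.1 or later), gpgconf and git are installed. Every directory,
# key, branch and commit below is constructed for the demo.
set -eu

WORK=$(mktemp -d)
SIGNER_HOME=$WORK/signer-gnupg    # the maintainer's signing key (demo stand-in)
VERIFY_HOME=$WORK/verify-gnupg    # stand-in for /etc/gpg/: public keys only
UPSTREAM=$WORK/shell-etc          # stand-in for the repository hosted on GitHub
HOST_ETC=$WORK/etc                # stand-in for /etc on a host running sync.yml
export HOME=$WORK GIT_CONFIG_NOSYSTEM=1   # keep the user's own git config out of the demo
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# sign_merge BRANCH MESSAGE: merge BRANCH into the current branch through a
# signed merge commit (git merge --no-ff -S), the practice the issue proposes.
sign_merge() {
    GNUPGHOME=$SIGNER_HOME git -c user.signingkey="$FPR" merge -q --no-ff -S -m "$2" "$1"
}

# verified_pull: what sync.yml would run on the host. It succeeds only if the tip
# of the fetched branch carries a good signature from a key valid in $VERIFY_HOME.
# (GnuPG reads the homedir from GNUPGHOME; git just inherits the variable.)
verified_pull() {
    (cd "$HOST_ETC" && GNUPGHOME=$VERIFY_HOME git pull -q --ff-only --verify-signatures) 1>&2
}

main() {
    # 1. An ephemeral, passphrase-less signing key for the maintainer.
    mkdir -m 700 "$SIGNER_HOME" "$VERIFY_HOME"
    echo allow-loopback-pinentry > "$SIGNER_HOME/gpg-agent.conf"
    GNUPGHOME=$SIGNER_HOME gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Maintainer <demo@example.invalid>' ed25519 sign never
    FPR=$(GNUPGHOME=$SIGNER_HOME gpg --batch --with-colons --list-keys \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # 2. The verification-only homedir: public key only, trust-model direct, and an
    #    explicit ownertrust so validity comes from these files, not from a web of trust.
    GNUPGHOME=$SIGNER_HOME gpg --batch --export "$FPR" \
        | GNUPGHOME=$VERIFY_HOME gpg --batch --quiet --import
    echo 'trust-model direct' > "$VERIFY_HOME/gpg.conf"
    printf '%s:6:\n' "$FPR" | GNUPGHOME=$VERIFY_HOME gpg --batch --quiet --import-ownertrust

    # 3. Upstream repository whose head is a signed merge commit; the host clones it.
    git -c init.defaultBranch=main init -q "$UPSTREAM"
    cd "$UPSTREAM"
    echo 'hello' > motd
    git add motd
    git commit -q -m 'initial'
    git checkout -q -b feature
    echo 'feature' >> motd
    git commit -q -am 'feature work'
    git checkout -q -
    sign_merge feature 'Merge feature (signed)'
    git clone -q "$UPSTREAM" "$HOST_ETC"

    # 4a. Upstream advances by another signed merge: the host's pull must succeed.
    git checkout -q -b fix
    echo 'fix' >> motd
    git commit -q -am 'fix'
    git checkout -q -
    sign_merge fix 'Merge fix (signed)'
    if verified_pull; then SIGNED=accepted; else SIGNED=rejected; fi

    # 4b. An unsigned commit lands on top of it: the host's pull must be refused.
    echo 'rogue' >> motd
    git commit -q -am 'unsigned change'
    if verified_pull; then UNSIGNED=accepted; else UNSIGNED=rejected; fi

    GNUPGHOME=$SIGNER_HOME gpgconf --kill gpg-agent || true
    GNUPGHOME=$VERIFY_HOME gpgconf --kill gpg-agent || true
}

SIGNED=skipped UNSIGNED=skipped
if command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1; then
    main
else
    echo 'gpg and git are required for this rehearsal; nothing was checked' >&2
fi
echo "signed merge at tip: $SIGNED; unsigned commit at tip: $UNSIGNED"
cd / && rm -rf "$WORK"
```

Two points the rehearsal makes visible. First, git's --verify-signatures checks only the tip commit of what is being merged, which is why the convention of a signed merge commit at the head of every merge matters: an unsigned commit anywhere below a signed tip is accepted, one on top of it is refused. Second, the environment variable GnuPG actually reads is GNUPGHOME (no underscore); with it pointed at the verification-only homedir, key validity comes solely from the ownertrust file checked into that directory, so no key outside it can satisfy the pull.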
