Currently, Github is ultimately trusted, since we pull configuration from it, build containers based on the repo's contents, ... As a first step away from this (not from using Github, but from trusting it), I suggest we use OpenPGP signatures to protect the authenticity of the git tree.

This is (mostly) straightforward:

- Keep a dedicated GnuPG home in /etc/gpg/, used only for signature checking. This allows us to keep the keyring and the GnuPG config (in particular, `trust-model direct`) in shell-etc.
- Update shell-etc using signed merge commits, as can be created with `git merge --no-ff -S`. When switching to this practice, create an empty, signed commit at the head of shell-etc (if needed).
- Replace `etckeeper vcs pull --ff-only` in sync.yml with `etckeeper vcs pull --ff-only --verify-signatures`, with the `GNUPG_HOME` environment variable set to /etc/gpg/.

There are 2 main issues:

- It doesn't currently seem possible, on Github, to enforce that only signed commits get pushed. I've been in touch with Github's support regarding that.
- How do we deal cleanly with commits created by apt(8)?
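The three steps above, run end to end in throwaway repositories, as an added example (this is not code from the proposal or from shell-etc). It assumes stand-ins that are constructed for the demo: a temporary GnuPG home in place of /etc/gpg/, a bare repository in place of the shell-etc repository on Github, an admin clone that pushes signed merges, and a "host" clone in place of /etc on a managed machine, where `git pull --ff-only --verify-signatures` stands in for `etckeeper vcs pull --ff-only --verify-signatures`. The throwaway key and all names are constructed. One caveat the script encodes: GnuPG reads the home directory from the variable `GNUPGHOME` (no underscore), so that is the name exported here. It shows that a signed merge commit passes the host's check, that an unsigned commit pushed straight to the branch is refused, and that the empty signed commit at the head is what makes the branch pullable again, since only the tip commit is verified.

```shell
#!/bin/sh
# Added example, not part of the original proposal. Constructed stand-ins:
#   $WORK/gpg          -> /etc/gpg/ (GnuPG home used only for signature checking)
#   $WORK/upstream.git -> the shell-etc repository on Github
#   $WORK/dev          -> an admin's working clone that pushes signed merges
#   $WORK/host         -> /etc on a managed host, where etckeeper pulls
# git pull --ff-only --verify-signatures stands in for
# etckeeper vcs pull --ff-only --verify-signatures (etckeeper vcs runs the
# VCS command in /etc). GnuPG reads GNUPGHOME, so that is the name used here.
set -eu

# Skip cleanly on systems without the tools this demo needs.
command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1 || { echo "gpg and git required"; exit 0; }

WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gpg"
mkdir -m 700 "$GNUPGHOME"
printf 'trust-model direct\n' > "$GNUPGHOME/gpg.conf"   # validity comes from ownertrust alone

# Throwaway signing key (constructed, no passphrase). In production the
# admins' public keys are imported into this keyring instead.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Admin <admin@example.invalid>' ed25519 sign 1d
FPR=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
printf '%s:6:\n' "$FPR" | gpg --batch --import-ownertrust   # 6 = ultimate ownertrust

# "Upstream" bare repo plus an admin clone whose first commit is signed.
git init -q --bare "$WORK/upstream.git"
git --git-dir="$WORK/upstream.git" symbolic-ref HEAD refs/heads/main
git init -q "$WORK/dev"
git -C "$WORK/dev" checkout -q -b main
git -C "$WORK/dev" config user.name 'Demo Admin'
git -C "$WORK/dev" config user.email admin@example.invalid
git -C "$WORK/dev" config user.signingkey "$FPR"
git -C "$WORK/dev" commit -q --allow-empty -S -m 'Initial signed commit'
git -C "$WORK/dev" push -q "$WORK/upstream.git" main
git clone -q "$WORK/upstream.git" "$WORK/host"

# The sync step from sync.yml: fast-forward only, refuse an unverified tip.
host_pull() {
    if git -C "$WORK/host" pull -q --ff-only --verify-signatures origin main >/dev/null 2>&1; then
        echo ok
    else
        echo refused
    fi
}

# 1. Unsigned work reaches main only through a signed merge commit
#    (git merge --no-ff -S); the host accepts the signed tip.
git -C "$WORK/dev" checkout -q -b change
git -C "$WORK/dev" commit -q --allow-empty --no-gpg-sign -m 'Unsigned work (e.g. an etckeeper commit after apt)'
git -C "$WORK/dev" checkout -q main
git -C "$WORK/dev" merge -q --no-ff -S -m 'Signed merge of change' change
git -C "$WORK/dev" push -q "$WORK/upstream.git" main
SIGNED_MERGE=$(host_pull)

# 2. An unsigned commit pushed straight to main leaves an unverifiable tip;
#    the host refuses to pull it.
git -C "$WORK/dev" commit -q --allow-empty --no-gpg-sign -m 'Unsigned commit on main'
git -C "$WORK/dev" push -q "$WORK/upstream.git" main
UNSIGNED_TIP=$(host_pull)

# 3. Recovery, as the proposal describes: an empty, signed commit at the head
#    makes the tip verifiable again (only the tip is checked by git).
git -C "$WORK/dev" commit -q --allow-empty -S -m 'Empty signed commit to re-seal the head'
git -C "$WORK/dev" push -q "$WORK/upstream.git" main
RESEALED=$(host_pull)

echo "signed merge: $SIGNED_MERGE, unsigned tip: $UNSIGNED_TIP, resealed head: $RESEALED"
```

Two design points worth noting. `trust-model direct` makes key validity depend only on the ownertrust recorded in the keyring that lives in shell-etc, so no web-of-trust signatures are needed on the machines; the ownertrust import above is the step that would be applied to each admin key. And because `--verify-signatures` checks only the commit being merged, the signed merge commit (or the empty signed commit) is what vouches for everything beneath it; an unsigned commit on the branch tip, such as one created by apt(8) through etckeeper, blocks the sync until an admin seals it with a signed commit.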