Support GPG signature verification

[ddiss]

git commits and tags can be be GPG signed using the -S and -s parameters respectively. Verification can be performed using git verify-commit/verify-tag.

tar_scm should provide the ability to verify commit/tag GPG signatures against a public key stored in the project repository.

[aspiers]

Thanks, that sounds like an excellent idea!

[ddiss]

Thanks for the feedback.
I have a rough WIP set of changes in my repo at https://github.com/ddiss/obs-service-tar_scm/tree/wip_gpg_signature_check . Hoping to have them cleaned up, fully tested and submitted in the next day or so.

[aspiers]

@ddiss That's awesome! Please don't hate me too much, but unfortunately you'll have to rebase and fix some merge conflicts due to a reorganisation of the code which just landed in master (see #125 and #128) and is still ongoing - I'm still working on merging the remainder of commits from #123. However IIUC the main restructuring (introducing separate classes for each SCM and then splitting them out into separate files) is already in master.

[ddiss]

Thanks! Yeah, I saw the new refactoring, and have rebased + pushed to the same branch.
It's still work-in-progress, but is starting to take shape.

[aspiers]

Great. Sorry I lied, the splitting into separate files is not there yet but will be soon.

[ddiss]

Okay, is there a branch with all of the pending changes, that I can as a staging area?

[aspiers]

Sorry, somehow I missed this question (for some reason GitHub wasn't sending me email for a whole bunch of notifications before). But in any case the codebase is now stable again so it would be great if this work was rebased against latest master.

[ddiss]

Yeah, sorry about the wait here. I've been pretty busy with other things, but I'll hopefully get back to it soon.

[cryptomilk]

I hope so too :-)

[bmwiedemann]

How will trusted PGP keys be specified?
Other parts of OBS use a file like zsh/zsh.keyring
Can we use the same file here or will OBS then expect a signed tarball?
or maybe we add files like
foo-commit
foo-commit.asc
foo.keyring
and leave the verification to the existing code?

[ddiss]

How will trusted PGP keys be specified?

it's currently implemented as an extra verify-revision-key tar_scm parameter

Other parts of OBS use a file like zsh/zsh.keyring
Can we use the same file here or will OBS then expect a signed tarball?

I guess adding the git tag verification key to the tarball keyring would be an option, but I'd like to hear from others whether that's desired.

or maybe we add files like
foo-commit
foo-commit.asc
foo.keyring
and leave the verification to the existing code?

That'd also be an option. Again, I'm open to input, I'd like to find some consensus on what would be the most suitable interface.