dulwich

check_signature + SignatureCriterion interface

Open castedo opened this issue 1 year ago • 5 comments

  • check_signature method for Commit/Tag as alternative to verify
  • SignatureCriterion interface to decouple crypto from git serialization
  • single simple InvalidSignature exception generic to whatever criterion
  • DRY re-impl for Commit/Tag verify using GpgSignatureCriterion

castedo avatar Nov 22 '24 14:11 castedo

@jelmer Here is a potential start to a very new direction that can have lots of variations. Take your time to consider. I'm not in a rush to merge this.

This, or something similar to it, I wager will resolve future headaches and confusion and give dev-users flexibility to make a variety of trade-offs depending on what kind of signature criterion and implementation makes sense for their particular application.

Although verify_time is not used by git+gpg verification (I think), it is a full ssh-keygen feature and cgit passes a verify time to ssh-keygen.

This PR is attached to the "pr/decouple_sig_check" branch which I will squash and rebase. If you want to fork and modify off the code in this PR, do it from the "decouple_sig_check" feature branch which I will not squash and rebase and will maintain full git history for short-term feature tracking and merging.

I am using castedo/git-prepr.

castedo avatar Nov 22 '24 14:11 castedo

This direction probably enables a fairly easy and low-risk resolution to #1369. The solution can be "implement your own subclass of SignatureCriterion, similar to GpgSignatureCriterion, but using python-gnupg", and call check_signature instead of verify.

castedo avatar Nov 22 '24 14:11 castedo
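As an added illustration of the split proposed above (this is not dulwich's code and not the PR's; apart from the names SignatureCriterion, check_signature, InvalidSignature and verify_time, everything here is an assumption), a minimal criterion interface with a hypothetical HmacCriterion standing in for GpgSignatureCriterion so it runs offline, and a check_signature that owns only the git side: it strips the gpgsig header to recover the signed payload and hands payload, signature and verify_time to whatever criterion the caller subclassed.

```python
import abc
import hashlib
import hmac

class InvalidSignature(Exception):
    """One generic exception, whatever criterion rejected the signature."""

class SignatureCriterion(abc.ABC):
    """Crypto half of the split: check() returns normally or raises InvalidSignature."""
    @abc.abstractmethod
    def check(self, payload: bytes, signature: bytes, verify_time: int) -> None: ...

class HmacCriterion(SignatureCriterion):
    """Hypothetical stand-in for GpgSignatureCriterion (HMAC-SHA256, shared key), offline."""
    def __init__(self, key: bytes, key_valid_from: int) -> None:
        self._key, self._valid_from = key, key_valid_from
    def check(self, payload, signature, verify_time):
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, signature):
            raise InvalidSignature("signature does not match payload")
        if verify_time < self._valid_from:  # verify_time, as cgit passes it to ssh-keygen
            raise InvalidSignature("key was not yet valid at verify_time")

def split_gpgsig(raw: bytes):
    """Git-serialization half: strip the multi-line gpgsig header from a raw commit."""
    headers, body = raw.split(b"\n\n", 1)
    kept, sig, in_sig = [], [], False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig, sig = True, [line[7:]]
        elif in_sig and line.startswith(b" "):  # continuation line of the signature
            sig.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    return b"\n".join(kept) + b"\n\n" + body, b"\n".join(sig)  # (signed payload, signature)

def check_signature(raw: bytes, criterion: SignatureCriterion, verify_time: int) -> None:
    payload, signature = split_gpgsig(raw)
    if not signature:
        raise InvalidSignature("object carries no signature")
    criterion.check(payload, signature, verify_time)

def sign_with_hmac(raw: bytes, key: bytes) -> bytes:  # constructed signer for the toy criterion
    mac = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    return raw.replace(b"\n\n", b"\ngpgsig " + mac + b"\n\n", 1)

# Constructed sample commit; the tree id is git's well-known empty tree.
UNSIGNED = (b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\nauthor A <a@example.com> "
            b"1700000000 +0000\ncommitter A <a@example.com> 1700000000 +0000\n\nmsg\n")
KEY = b"constructed-shared-key"
CRITERION, SIGNED = HmacCriterion(KEY, 1600000000), sign_with_hmac(UNSIGNED, KEY)
```

Swapping HmacCriterion for a gpg, ssh-keygen or sshsiglib based subclass changes nothing in check_signature, which is the point of the decoupling.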

@jelmer And feel free to ask questions and suggest alternatives. In this branch I'm adopting and not adopting some Python approaches that are pretty new to me. Like is abc.ABC worth using? Single simple Exceptions rather than a plethora of fine-grained exceptions? I dunno. I've been tending towards whatever is simpler and more minimal.

castedo avatar Nov 22 '24 14:11 castedo

FYI, I am going to port the example code in #1448 to a SignatureCriterion subclass that I'll save in dulwich/dulwich/contrib on this branch (or a separate feature branch if you prefer).

castedo avatar Nov 22 '24 16:11 castedo

And then here's an example of two pure-python criteria using sshsiglib:

https://gitlab.com/perm.pub/sshsiglib/-/blob/a0d551ecd5469ba3ec9c97b261ac8c2c6a152565/contrib/sshsig_criterion.py

One criterion, SshsigCheckCriterion, does not use any allowed signers file at all. The other criterion, SshsigVerifyCriterion, uses the Hidos DSGL just-a-list-for-git sub-format (#1449).

castedo avatar Nov 22 '24 21:11 castedo