how to verify gpg-signed commits

Tue May 9 06:49:56 BST 2006

On 7/5/06, John Arbash Meinel <john at arbash-meinel.com> wrote:
> I have a plugin available from here:
> http://bzr.arbash-meinel.com/plugins/bzr/signing/
>
> It provides the command 'bzr verify-sigs', which will run 'gpg --verify'
> for every signature found.
>
> The reason it isn't in bzr core, is that we really wanted to do the
> verification properly, using something like 'libgpgme'. This was just my
> quick hack to allow some integrity checking.

If you want to use gpgme, you might want to try my pygpgme wrapper:

    http://cheeseshop.python.org/pypi/pygpgme

It should make it easy to properly verify signatures, get information
about signing keys (e.g. what uids are attached to the key), tell you
whether the user trusts the signature or not, etc.

When using it to verify clearsigned content, it will also give you the
plaintext that was signed which should be useful for verifying that
the signed content matches the testament.

> In the future, I think we might also want to try and match the gpg
> signing key username with the revision committer username. (Though we
> have discussed letting someone sign someone else's commit as sort of a
> 'vote of confidence')

You need to be careful about handling multiple signatures with gpgme
and clearsigned blocks.  If your code is not written correctly, you
can end up opening yourself to append attacks.

Consider the following example:

This will also verify and give you the same plaintext and two
signatures, but each signature only covers part of the content.

Furthermore, if the signature verification code only checks the first
signature and I can get you to sign the text "bazaar-ng testament
short form 1", then I can sign the remainder of any testament and have
it appear as though you signed that revision.

At the moment, the only solution I know of is to reject multiple
signatures, or manually check that there are no appended clearsigned
blocks.

James.