How to specify trusted keys with git


You use git to store everything? Great, so do I! And of course you sign your commits, so when you upload your configuration files and scripts somewhere, nobody can tamper with them, right? Unfortunately, running git pull --verify-signatures alone is not enough. Have a look at what --verify-signatures actually does:

--verify-signatures, --no-verify-signatures

Verify that the tip commit of the side branch being merged is signed with a valid key, i.e. a key that has a valid uid: in the default trust model, this means the signing key has been signed by a trusted key. If the tip commit of the side branch is not signed with a valid key, the merge is aborted.

This verifies that someone signed the tip commit of what you are merging with a key that gpg considers valid (in the default trust model, a key certified by a key you trust). It does not check that the key belongs to a person you would accept commits from: any key that happens to be valid in your keyring passes, and the commits below the tip are not checked at all. If you also use gpg outside of git, you don't want to change your trust model or adjust the trust values of keys just to make the git use case work.

A simple workaround is to use a custom keyring that contains only the keys you trust to sign git commits:

# Create a new keyring that contains only a subset of your keys.
# Name the keys by their full fingerprints rather than short IDs so a colliding key cannot slip in.
# A keyring name without a slash is placed in the GnuPG home directory (~/.gnupg/git.gpg).
gpg --export SOME-KEY SOME-OTHER-KEY | gpg --no-default-keyring --keyring=git.gpg --import -
# Create a wrapper script which git can use instead of gpg (assumes ~/.local/bin is in your PATH).
# git passes its own arguments (--status-fd, --verify, ...) which "$@" forwards unchanged.
cat > ~/.local/bin/gitgpg <<'EOF'
#!/bin/sh
exec gpg --no-default-keyring --keyring=git.gpg "$@"
EOF
chmod +x ~/.local/bin/gitgpg

To use this everywhere (gpg.program must be an absolute path or a name found in your PATH), you can run

git config --global gpg.program gitgpg

However, this will result in git being unable to verify any signature made by a key that is not in your special keyring, and git log, git verify-commit and friends will then report every other signature as unverifiable. This is likely not what you want. Instead, I enable this feature only when needed, with an alias:

git config --global alias.verified "-c gpg.program=gitgpg pull --verify-signatures"

That way, I can make sure I only get code that I trust by running git verified instead of git pull, while git log --show-signature keeps working against the full keyring. Note that gpg will still evaluate key validity as usual (the trust database is shared, because --no-default-keyring only replaces the keyrings), but it will only know the keys you imported into your special keyring(s). A key whose validity comes from a certification by your own key is therefore only valid there if your own key is in the keyring as well, or if you mark the key as ultimately trusted; otherwise gpg reports the signature as untrusted and the merge is refused.
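The alias above still inherits the limitation of --verify-signatures: only the tip commit is checked, and any key that is valid in the restricted keyring passes. The script below is an added example, not code from the original post, that goes one step further: it fetches, verifies every commit that the pull would bring in with the gitgpg wrapper from above, additionally pins the acceptable signing keys by primary-key fingerprint, and only then fast-forwards. It assumes the ~/.local/bin/gitgpg wrapper exists and is in your PATH; the ALLOWED_FPRS variable and the fingerprints in it are placeholders you fill in yourself.

```sh
#!/bin/sh
# Added example, not code from the original post: a pull that verifies EVERY incoming
# commit against the restricted keyring and pins the acceptable signing keys by
# primary-key fingerprint, instead of checking only the tip commit.
# Assumptions (mine): the ~/.local/bin/gitgpg wrapper from the post exists and is in PATH;
# ALLOWED_FPRS holds the full 40-hex-digit primary fingerprints you chose (placeholder).
set -eu

ALLOWED_FPRS="${ALLOWED_FPRS:-}"   # e.g. "0123...4567 89AB...CDEF", space separated

# check_signature_report reads lines of the form "<commit> <status> <primary fingerprint>"
# (the output of git log --format='%H %G? %GP') on stdin. It succeeds only if every
# commit has a Good signature (%G? == G) made by a key whose primary fingerprint is
# in the allow-list given as $1. An empty allow-list therefore rejects everything
# (fail closed), and any other status (U untrusted, B bad, E unverifiable, N unsigned,
# X/Y expired, R revoked) is a rejection.
check_signature_report() {
    allowed="$1"
    rc=0
    while read -r commit status fpr; do
        [ -n "$commit" ] || continue
        if [ "$status" != "G" ]; then
            echo "reject $commit: signature status '$status'" >&2
            rc=1
            continue
        fi
        found=0
        for a in $allowed; do
            [ "$a" = "$fpr" ] && found=1
        done
        if [ "$found" -ne 1 ]; then
            echo "reject $commit: signing key '$fpr' is not in the allow-list" >&2
            rc=1
        fi
    done
    return "$rc"
}

# pull_verified fetches <remote> <branch> (default: origin and the current branch),
# runs the check over everything that HEAD does not already contain, and only then
# fast-forwards. gitgpg is used for this verification only, so the rest of git keeps
# using your normal keyring.
pull_verified() {
    remote="${1:-origin}"
    branch="${2:-$(git rev-parse --abbrev-ref HEAD)}"
    git fetch "$remote" "$branch"
    # capture first so that a failing git log aborts under set -e instead of being hidden in a pipe
    report=$(git -c gpg.program=gitgpg log --format='%H %G? %GP' HEAD..FETCH_HEAD)
    printf '%s\n' "$report" | check_signature_report "$ALLOWED_FPRS"
    git merge --ff-only FETCH_HEAD
}

# Usage: ALLOWED_FPRS="<fpr> ..." sh pull-verified.sh [remote] [branch]
if [ "$#" -gt 0 ]; then
    pull_verified "$@"
fi
```

Pinning the primary fingerprint (%GP) rather than the signing subkey (%GF) means a key rotation of the signing subkey under the same primary key does not break the check, while a signature from an unknown key, an untrusted ("U") key or an unsigned commit anywhere in the range aborts before anything is merged. Because the report is checked in a plain shell function, you can also feed it the output of git log over any range you like, for example to audit history that was pulled before you set this up.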

Little sidenote: When you set up keyrings like that, you can also use them with gpgv to do general-purpose signature verification. Be aware that gpgv, unlike gpg, treats every key in the keyring it is given as fully trusted and does not consult the trust database, so such a keyring must contain nothing but keys whose signatures you would accept:

# gpgv verifies a signed (not encrypted) file; a keyring name without a slash is looked up in ~/.gnupg
gpgv --keyring git.gpg update.tar.gpg || echo 'These are not the updates you are looking for...'
