check_signature + SignatureCriterion interface #1452
Conversation
castedo
commented
Nov 22, 2024
castedo
commented
- check_signature method for Commit/Tag as alternative to verify
- SignatureCriterion interface to decouple crypto from git serialization
- single simple InvalidSignature exception generic to whatever criterion
- DRY re-impl for Commit/Tag verify using GpgSignatureCriterion
|
@jelmer Here is a potential start to a very new direction that can have lots of variations. Take your time to consider. I'm not in a rush to merge this. This, or something similar to it, I wager will resolve future headaches and confusion and give dev-users flexibility to make a variety of trade-offs depending on what kind of signature criterion and implementation makes sense for their particular application. Although verify_time is not used by git+gpg verification (I think) it is a full ssh-keygen feature and cgit passes a verify time to ssh-keygen. This PR is attached to the "pr/decouple_sig_check" branch which I will squash and rebase. If you want to fork and modify off the code in this PR, do it from the "decouple_sig_check" feature branch which I will not squash and rebase and will maintain full git history for short-term feature tracking and merging. I am using castedo/git-prepr. |
|
This direction probably enables a fairly easy and low-risk resolution to #1369. The solution can be "implement your own subclass of |
|
@jelmer And feel free to ask questions and suggest alternatives. In this branch I'm adopting and not adopting some Python approaches that are pretty new to me. Like is abc.ABC worth using? Single simple Exceptions rather than a plethora of fine-grained exceptions? I dunno. I've been tending towards whatever is simpler and more minimal. |
|
FYI, I am going to port the example code in #1448 to a SignatureCriterion subclass that I'll save in |
castedo
force-pushed
the
pr/decouple_sig_check
branch
3 times, most recently
from
88b0047
to
6676615
Compare
* check_signature method for Commit/Tag as alternative to verify * SignatureCriterion interface to decouple crypto from git serialization * single simple InvalidSignature exception generic to whatever criterion * DRY re-impl for Commit/Tag verify using GpgSignatureCriterion * ssh-keygen based SignatureCriterion classes in contrib
castedo
force-pushed
the
pr/decouple_sig_check
branch
from
6676615
to
9236005
Compare
|
And then here's an example of two pure-python criteria using sshsiglib: One criterion, |
| # <http://www.gnu.org/licenses/> for a copy of the GNU General Public License | ||
| # and <http://www.apache.org/licenses/LICENSE-2.0> for a copy of the Apache | ||
| # License, Version 2.0. | ||
| # fmt: off |
| @@ -1531,6 +1534,10 @@ def raw_without_sig(self) -> bytes: | |||
| tmp.gpgsig = None | |||
| return tmp.as_raw_string() | |||
|
|
|||
| def check_signature(self, criterion: SignatureCriterion) -> None: | |||
| if self.gpgsig: | |||
There was a problem hiding this comment.
This seems like a bit of an odd interface; the commit stores whether the signature is PGP or SSH, so why does the caller need to care?
