author | Konstantin Ryabitsev <konstantin@linuxfoundation.org> | 2021-05-11 14:56:05 -0400 |
---|---|---|
committer | Konstantin Ryabitsev <konstantin@linuxfoundation.org> | 2021-05-11 14:56:05 -0400 |
commit | f1a2700e70018349d5c63f2053ba4b0e7ebe351a (patch) | |
tree | d3bea7c91ff7d679cbe9d4614b02f40e09cac94c /README.rst | |
parent | 31348a14afdb1d39e7faf9576eaddea1ced76e19 (diff) | |
download | b4-f1a2700e70018349d5c63f2053ba4b0e7ebe351a.tar.gz |
Reimplement attestation code one more time

Move end-to-end attestation code into its own library: patatt. See
https://git.kernel.org/pub/scm/utils/patatt/patatt.git/about/

It is included into b4 as a submodule, but you will need to init it
first:

    git submodule update --init

This change significantly simplifies our attestation code, dropping
thousands of lines of rather hairy code. Notably, patatt-style
attestation is incompatible with previous attestation implementations
done directly in b4, but that's just as well -- we've always marked it
as "experimental" and the lack of adoption was proving that we weren't
on the right path.

Next to come is keyring management and documentation.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>

Diffstat (limited to 'README.rst')
-rw-r--r-- | README.rst | 93 |
1 files changed, 16 insertions, 77 deletions
@@ -34,52 +34,21 @@ Setting up a symlink should also be possible. Patch attestation (EXPERIMENTAL) -------------------------------- -Starting with version 0.6, b4 implements in-header patch attestation, -following the approach proposed here: - -https://git.kernel.org/pub/scm/linux/kernel/git/mricon/patch-attestation-poc.git/tree/README.rst - -At this time, only PGP mode is implemented, but further work is expected -in future versions of b4. - -Attesting your own patches -~~~~~~~~~~~~~~~~~~~~~~~~~~ -Patch attestation is done via message headers and stays out of the way -of usual code submission and review workflow. At this time, only -maintainers using b4 to retrieve patches and patch series will benefit -from patch attestation, but everyone is encouraged to submit -cryptographic patch attestation with their work anyway, in hopes that it -becomes a common and widely used procedure. - -To start attesting your own patches: - -1. Make sure you have b4 version 0.6.0 or above: - ``b4 --version`` -2. If you don't already have a PGP key, you can follow the following - guide on how to generate it: - https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html -3. It is strongly recommended to use ed25519 as your signing key - algorithm, as it will result in much smaller signatures, preventing - unnecessary email header bloat. -4. Make sure your ``user.email`` and ``user.signingkey`` are set either - globally, or in the repository you will be using for attestation. -5. Add the ``sendemail-validate`` hook to each repository you want - enabled for attestation, with the following single line of content as - the hook body: - ``b4 attest $1``. - -If you are using b4 from git checkout, you can use a symlink instead:: - - ln -s path/to/b4/hooks/sendemail-validate-attestation-hook \ - .git/hooks/sendemail-validate - -(Note, that there's a second "E" in send*E*mail.) 
- -Next time you run ``git send-email``, b4 will automatically add -attestation headers to all patches before they go out. - -Verifying attestation on received patches -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +B4 implements two attestation verification mechanisms: + +- DKIM attestation using the dkimpy library +- X-Developer-Signature attestation using the patatt library + +If you installed from pip, you should have pulled both of these +dependencies in automatically. Alternatively, you can install dkimpy +from your OS packaging and then run "git submodule update --init" to +clone patatt as a submodule of b4. + +For attesting your outgoing patches, see patatt documentation. +https://git.kernel.org/pub/scm/utils/patatt/patatt.git/about/ + +Showing attestation on received patches +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There are three attestation verification policies in b4: - check (default) @@ -101,38 +70,8 @@ You can set the preferred policy via the git configuration file:: [b4] attestation-policy = softfail -Using with mutt -~~~~~~~~~~~~~~~ -You can show patch attestation data with mutt, using the following -configuration parameters:: - - set display_filter="b4 -q attest -m" - ignore * - unignore from date subject to cc list-id: - unignore x-patch-hashes: x-patch-sig: - unignore attested-by: attestation-failed: - -When displaying a message containing in-header PGP attestation -signatures, mutt will display either the "Attested-By" or the -"Attestation-Failed" headers, e.g.:: - - Date: Mon, 23 Nov 2020 13:38:50 -0500 - From: Konstantin Ryabitsev <konstantin@linuxfoundation.org> - To: mricon@kernel.org - Subject: [PATCH 3/5] Fix in-header attestation code - Attested-By: Konstantin Ryabitsev <konstantin@linuxfoundation.org> (pgp: B6C41CE35664996C) - -or:: - - Date: Mon, 23 Nov 2020 13:38:48 -0500 - 
From: Konstantin Ryabitsev <konstantin@linuxfoundation.org> - To: mricon@kernel.org - Subject: [PATCH 1/5] Add not very simple dkim key caching - Attestation-Failed: signature failed (commit message, patch metadata) - - Support ------- For support or with any other questions, please email tools@linux.kernel.org, or browse the list archive at -https://linux.kernel.org/g/tools. +https://lore.kernel.org/tools. |
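
Review bot: In the first hunk, the new "Patch attestation" text writes the command as "git submodule update --init" in plain double quotes, while the rest of this README marks commands as literals (the removed lines use ``b4 --version`` and ``git send-email``); use ``git submodule update --init`` for consistency. The same hunk drops the ``sendemail-validate`` hook instructions (hook body ``b4 attest $1``) without telling users who already installed that hook what to do with it. Since the commit message says patatt-style attestation is incompatible with the earlier implementation, a sentence here on removing or replacing the old hook would help. The section heading still reads "(EXPERIMENTAL)"; please confirm that label is still meant to cover DKIM and patatt verification.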
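
Review bot: The Support URL change at the end of the second hunk (https://linux.kernel.org/g/tools to https://lore.kernel.org/tools) is unrelated to the attestation rework and is not mentioned in the commit message; split it into its own commit or mention it in the log. The "Using with mutt" section is also removed with no replacement, so readers who have set display_filter="b4 -q attest -m" get no pointer on what to use instead; a short note or a link to the patatt documentation for that case would close the gap.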