From f1a2700e70018349d5c63f2053ba4b0e7ebe351a Mon Sep 17 00:00:00 2001 From: Konstantin Ryabitsev Date: Tue, 11 May 2021 14:56:05 -0400 Subject: Reimplement attestation code one more time Move end-to-end attestation code into its own library: patatt. See https://git.kernel.org/pub/scm/utils/patatt/patatt.git/about/ It is included into b4 as a submodule, but you will need to init it first: git submodule update --init This change significantly simplifies our attestation code, dropping thousands of lines of rather hairy code. Notably, patatt-style attestation is incompatible with previous attestation implementations done directly in b4, but that's just as well -- we've always marked it as "experimental" and the lack of adoption was proving that we weren't on the right path. Next to come is keyring management and documentation. Signed-off-by: Konstantin Ryabitsev --- README.rst | 93 +++++++++++--------------------------------------------------- 1 file changed, 16 insertions(+), 77 deletions(-) (limited to 'README.rst') diff --git a/README.rst b/README.rst index 166eb9a..0fe5222 100644 --- a/README.rst +++ b/README.rst @@ -34,52 +34,21 @@ Setting up a symlink should also be possible. Patch attestation (EXPERIMENTAL) -------------------------------- -Starting with version 0.6, b4 implements in-header patch attestation, -following the approach proposed here: - -https://git.kernel.org/pub/scm/linux/kernel/git/mricon/patch-attestation-poc.git/tree/README.rst - -At this time, only PGP mode is implemented, but further work is expected -in future versions of b4. - -Attesting your own patches -~~~~~~~~~~~~~~~~~~~~~~~~~~ -Patch attestation is done via message headers and stays out of the way -of usual code submission and review workflow. At this time, only -maintainers using b4 to retrieve patches and patch series will benefit -from patch attestation, but everyone is encouraged to submit -cryptographic patch attestation with their work anyway, in hopes that it -becomes a common and widely used procedure. - -To start attesting your own patches: - -1. Make sure you have b4 version 0.6.0 or above: - ``b4 --version`` -2. If you don't already have a PGP key, you can follow the following - guide on how to generate it: - https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html -3. It is strongly recommended to use ed25519 as your signing key - algorithm, as it will result in much smaller signatures, preventing - unnecessary email header bloat. -4. Make sure your ``user.email`` and ``user.signingkey`` are set either - globally, or in the repository you will be using for attestation. -5. Add the ``sendemail-validate`` hook to each repository you want - enabled for attestation, with the following single line of content as - the hook body: - ``b4 attest $1``. - -If you are using b4 from git checkout, you can use a symlink instead:: - - ln -s path/to/b4/hooks/sendemail-validate-attestation-hook \ - .git/hooks/sendemail-validate - -(Note, that there's a second "E" in send*E*mail.) - -Next time you run ``git send-email``, b4 will automatically add -attestation headers to all patches before they go out. - -Verifying attestation on received patches -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +B4 implements two attestation verification mechanisms: + +- DKIM attestation using the dkimpy library +- X-Developer-Signature attestation using the patatt library + +If you installed from pip, you should have pulled both of these +dependencies in automatically. Alternatively, you can install dkimpy +from your OS packaging and then run "git submodule update --init" to +clone patatt as a submodule of b4. + +For attesting your outgoing patches, see patatt documentation. +https://git.kernel.org/pub/scm/utils/patatt/patatt.git/about/ + +Showing attestation on received patches +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There are three attestation verification policies in b4: - check (default) @@ -101,38 +70,8 @@ You can set the preferred policy via the git configuration file:: [b4] attestation-policy = softfail -Using with mutt -~~~~~~~~~~~~~~~ -You can show patch attestation data with mutt, using the following -configuration parameters:: - - set display_filter="b4 -q attest -m" - ignore * - unignore from date subject to cc list-id: - unignore x-patch-hashes: x-patch-sig: - unignore attested-by: attestation-failed: - -When displaying a message containing in-header PGP attestation -signatures, mutt will display either the "Attested-By" or the -"Attestation-Failed" headers, e.g.:: - - Date: Mon, 23 Nov 2020 13:38:50 -0500 - From: Konstantin Ryabitsev - To: mricon@kernel.org - Subject: [PATCH 3/5] Fix in-header attestation code - Attested-By: Konstantin Ryabitsev (pgp: B6C41CE35664996C) - -or:: - - Date: Mon, 23 Nov 2020 13:38:48 -0500 - From: Konstantin Ryabitsev - To: mricon@kernel.org - Subject: [PATCH 1/5] Add not very simple dkim key caching - Attestation-Failed: signature failed (commit message, patch metadata) - - Support ------- For support or with any other questions, please email tools@linux.kernel.org, or browse the list archive at -https://linux.kernel.org/g/tools. +https://lore.kernel.org/tools. -- cgit v1.2.3