
Re: [REQ] Allow alternatives to gpg




On Sat, Apr 15, 2017 at 08:10:41PM -0700, Nathan McSween wrote:

> I would like to try to make git signing pluggable, this would allow for
> using tools such as signify[1].
> Now I'm wondering if this endeavor is worth taking and what would need to be
> changed besides gpg-interface?
> 
> [1] http://man.openbsd.org/signify

I haven't used signify, but I have played around a bit with using gpgsm
with git. You can actually get pretty far without writing any code by
tweaking gpg.program, as long as:

  - your tool can generate and verify detached signatures

  - it follows the gpg command-line convention (or you wrap it in a
    script which converts the two)

There are a few quirks around detecting the "BEGIN PGP MESSAGE" block.
It's not necessary for tag signatures, but is for commit signatures
(IIRC). There's some discussion in this thread:

  http://public-inbox.org/git/1459432304-35779-1-git-send-email-cmn@xxxxxxx/T/#u

Which isn't to say we shouldn't teach Git natively to understand more
encryption types. But it may be useful to prototype and get experience
first by plugging the tool in via the config.

(I don't have opinions on signify itself as a tool for general purpose
signatures).

-Peff
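
The wrapper approach described in the reply above, sketched as an added example that is not part of the original message or of git: a POSIX shell script for gpg.program that converts gpg-style calls into signify calls. The argument shapes (`-bsau <key>`, `--verify <sigfile> -`, `--status-fd=N`) and the `[GNUPG:]` status lines are assumptions about what git passes and expects, to be confirmed with `GIT_TRACE=1`; the key paths and the key id are placeholders, and the script does nothing about the PGP block detection quirk mentioned above.

```shell
#!/bin/sh
# Added example: gpg.program wrapper for signify (not from the original message).
# Assumed, confirm with GIT_TRACE=1: git signs with `-bsau <key>` (payload on
# stdin, signature on stdout) and verifies with `--verify <sigfile> -` (payload
# on stdin), reading "[GNUPG:] ..." lines from the fd named by --status-fd.
SECKEY=${SIGNIFY_SECKEY:-$HOME/.signify/git.sec}   # placeholder key paths
PUBKEY=${SIGNIFY_PUBKEY:-$HOME/.signify/git.pub}
SIGNIFY=${SIGNIFY:-signify}    # packaged as signify-openbsd on some systems
KEYID=0000000000000000         # signify has no gpg key id; constant placeholder

# Classify a gpg-style argv. Sets $mode, $fd, $sigfile and prints
# "sign <fd>", "verify <fd> <sigfile>" or "unknown".
parse_gpg_args() {
    mode=unknown sigfile='' fd=2
    while [ "$#" -gt 0 ]; do
        case $1 in
            --status-fd=*) fd=${1#--status-fd=} ;;
            -bsau)    mode=sign; [ "$#" -le 1 ] || shift ;;   # skip key id
            --verify) mode=verify; sigfile=${2:-}; [ "$#" -le 1 ] || shift ;;
        esac
        shift
    done
    case $mode in
        sign)   echo "sign $fd" ;;
        verify) echo "verify $fd $sigfile" ;;
        *)      echo unknown ;;
    esac
}

main() {
    parse_gpg_args "$@" >/dev/null
    [ "$mode" != unknown ] || { echo "unsupported gpg call: $*" >&2; exit 2; }
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    cat >"$tmp/msg"            # signify takes the message as a file
    if [ "$mode" = sign ]; then
        "$SIGNIFY" -S -s "$SECKEY" -m "$tmp/msg" -x "$tmp/sig" || exit 1
        cat "$tmp/sig"         # detached signature goes to stdout
        echo "[GNUPG:] SIG_CREATED " >&"$fd"
    elif "$SIGNIFY" -V -q -p "$PUBKEY" -m "$tmp/msg" -x "$sigfile"; then
        echo "[GNUPG:] GOODSIG $KEYID signify:$PUBKEY" >&"$fd"
    else
        echo "[GNUPG:] BADSIG $KEYID signify:$PUBKEY" >&"$fd"
        exit 1
    fi
}

# Run only when invoked with arguments, as git does.
[ "$#" -eq 0 ] || main "$@"
```

To try it, save the script as an executable file and set `gpg.program` to its path; the secret key must have been generated without a passphrase (`signify -G -n`) for non-interactive use.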