On Tue, Aug 29, 2023 at 12:15:10AM +1000, Allan McRae wrote:
> However, I am not convinced that repos using a mixture of GPG and openssh signatures should not be supported. See below.

I assume the last "not" was extraneous, right? Given the rest.

> Signature type detection would be interesting, but I see it being brittle/complex if/when alternative signing methods get added.

As far as I can tell, the signature formats of minisign and signify are quite close (signify can verify minisign signatures, but not the other way around [1]) and include the following header:

    untrusted comment: <arbitrary text>

which could be used to distinguish types. Both SSH and GPG also have a header. Of course that header is necessarily untrusted, so every signature verification method should independently verify the signature structure without ever relying on the detected type.

> Having a single configurable signing method per repo removes the need to even deal with this.
>
> [...]
>
> Overall, I am happy for this idea to move forward. My suspicion is that some initial refactoring may be needed to ease the addition of new signature formats. Without looking in detail, I suspect doing that would be a good place to start.
>
> Allan
Great! I'm going to take a look at the codebase and see what I can come up with. Given the discussion, I'll first focus on implementing support for configuring the signature method globally/per repo + the openssh signature format (and refactoring, if indeed needed). Signature type detection and "mixed signature method" repos, if we eventually go that way, can be added later on.

Thanks

[1]: https://github.com/jedisct1/minisign/issues/59#issuecomment-654809237

--
Max Gautier
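The header-based type detection and the independent structural check discussed in the thread, as an added example in Python. This is illustration code written for this page, not pacman's code and not anything the posters wrote. It sniffs the signify/minisign `untrusted comment:` line, the `-----BEGIN SSH SIGNATURE-----` armor and the OpenPGP armor or packet tag, then hands the file to a parser that re-validates the whole layout without trusting the guess. The signify/minisign layout (two-byte algorithm id, 8-byte key id, 64-byte signature, with minisign adding a `trusted comment:` line and a 64-byte global signature) and the SSHSIG wire layout follow the formats' published specifications; OpenPGP is only detected here, not parsed. All sample files are constructed placeholders with zero-filled signature bytes, so nothing here performs cryptographic verification.

```python
"""Signature type sniffing beside independent structural validation.
Added illustration, not project code: detection only picks a parser;
each parser re-checks the full layout and never trusts the header.
Sample inputs are constructed placeholders, not real signatures."""
import base64
import struct

SIGNIFY_ALGS = {b"Ed", b"ED"}   # "Ed": pure Ed25519 (signify); "ED": prehashed (minisign)


def detect_signature_type(blob: bytes) -> str:
    """Untrusted guess from the leading bytes, used only to choose a parser."""
    head = blob.lstrip()[:64]
    if head.startswith(b"untrusted comment:"):
        return "signify-or-minisign"          # both formats share this first line
    if head.startswith(b"-----BEGIN SSH SIGNATURE-----"):
        return "sshsig"
    if head.startswith(b"-----BEGIN PGP SIGNATURE-----"):
        return "openpgp"
    if head and head[0] & 0x80:               # binary OpenPGP packet header?
        tag = (head[0] & 0x3F) if head[0] & 0x40 else (head[0] >> 2) & 0x0F
        if tag == 2:                          # packet tag 2 = signature
            return "openpgp"
    return "unknown"


def parse_signify_family(blob: bytes) -> dict:
    """Line 2 must decode to exactly alg(2) || key_id(8) || signature(64).
    A 'trusted comment:' line plus 64-byte global signature marks minisign;
    signify stops after two lines, which is why it reads minisign files
    but minisign cannot read signify's."""
    lines = blob.decode("ascii").splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("missing 'untrusted comment:' line")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != 74 or raw[:2] not in SIGNIFY_ALGS:
        raise ValueError("blob is not alg||key_id||sig (74 bytes)")
    out = {"flavor": "signify", "alg": raw[:2].decode(),
           "key_id": raw[2:10].hex(), "sig": raw[10:]}
    if len(lines) >= 4 and lines[2].startswith("trusted comment:"):
        global_sig = base64.b64decode(lines[3], validate=True)
        if len(global_sig) != 64:
            raise ValueError("global signature must be 64 bytes")
        out.update(flavor="minisign", trusted_comment=lines[2][16:].strip(),
                   global_sig=global_sig)
    return out


def _ssh_string(buf: bytes, off: int):
    """Read one SSH wire 'string' (uint32 length prefix) with bounds checks."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_sshsig(blob: bytes) -> dict:
    """SSHSIG: 'SSHSIG' || uint32 version || string publickey || string namespace
    || string reserved || string hash_algorithm || string signature."""
    text = blob.decode("ascii").strip().splitlines()
    if (len(text) < 3 or text[0] != "-----BEGIN SSH SIGNATURE-----"
            or text[-1] != "-----END SSH SIGNATURE-----"):
        raise ValueError("missing SSH SIGNATURE armor")
    raw = base64.b64decode("".join(text[1:-1]), validate=True)
    if len(raw) < 10 or raw[:6] != b"SSHSIG":
        raise ValueError("bad SSHSIG magic")
    (version,) = struct.unpack(">I", raw[6:10])
    if version != 1:
        raise ValueError(f"unsupported SSHSIG version {version}")
    fields, off = {}, 10
    for name in ("publickey", "namespace", "reserved", "hash_algorithm", "signature"):
        fields[name], off = _ssh_string(raw, off)
    if off != len(raw):
        raise ValueError("trailing bytes after signature")
    fields["namespace"] = fields["namespace"].decode()
    fields["hash_algorithm"] = fields["hash_algorithm"].decode()
    return fields


PARSERS = {"signify-or-minisign": parse_signify_family, "sshsig": parse_sshsig}


def parse_signature(blob: bytes) -> dict:
    """Detection picks the parser; only the parser decides if the file is well-formed."""
    kind = detect_signature_type(blob)
    if kind not in PARSERS:
        raise ValueError(f"no parser for signature type {kind!r}")
    return PARSERS[kind](blob)


# Constructed samples (placeholder bytes, not real signatures).
def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()

def _sstr(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

_KEY_ID, _SIG = bytes(range(8)), bytes(64)
SIGNIFY_SAMPLE = f"untrusted comment: constructed sample\n{_b64(b'Ed' + _KEY_ID + _SIG)}\n".encode()
MINISIGN_SAMPLE = (f"untrusted comment: constructed sample\n{_b64(b'ED' + _KEY_ID + _SIG)}\n"
                   f"trusted comment: timestamp:1\tfile:pkg.tar.zst\n{_b64(bytes(64))}\n").encode()
_SSHSIG_BLOB = (b"SSHSIG" + struct.pack(">I", 1)
                + _sstr(_sstr(b"ssh-ed25519") + _sstr(bytes(32)))   # publickey blob
                + _sstr(b"file") + _sstr(b"") + _sstr(b"sha512")
                + _sstr(_sstr(b"ssh-ed25519") + _sstr(bytes(64))))  # signature blob
SSHSIG_SAMPLE = (b"-----BEGIN SSH SIGNATURE-----\n" + _b64(_SSHSIG_BLOB).encode()
                 + b"\n-----END SSH SIGNATURE-----\n")
# A minisign-looking header glued onto an SSHSIG body: detection says
# signify/minisign, but the structural check must reject it.
MISMATCH_SAMPLE = b"untrusted comment: looks like minisign\n" + _b64(_SSHSIG_BLOB).encode() + b"\n"
```

Running `parse_signature` over the four samples gives `signify`, `minisign`, an SSHSIG field dict, and a `ValueError` for the mismatched file; the point is that the rejection comes from the parser's length and layout checks, not from the header, so a repo accepting several formats would fail closed on a file whose header lies about its type.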