How does git commit signing work?

I am currently wondering how exactly git signing a commit works.

I tried to look this up, but could not find any exact technical documentation. I know how to sign a git commit, but I wonder what exactly git does when it signs one.

What exactly is being signed? Is it the complete data in the repository for the given commit, i.e. data such as the commit message etc. plus the contents of all the files? Or is it just the commit object with its pointers to the contained files, etc.?

+5
2 answers

Although it isn't documented anywhere, a look at the source code shows that it is the entire content of the commit object. The content is then modified to insert the signature, so the verification process has to strip the signature out into a separate buffer and pass the original, pre-signature data to GPG for verification.

The GPG signature data is then included when computing the SHA-1 checksum of the commit that becomes the commit hash ID. See gpg-interface.c and commit.c, sign_buffer and do_sign_commit respectively. Tag signing lives in builtin/tag.c (see the do_sign function and its caller); signed tags have their signature appended rather than inserted, but otherwise it works in much the same way.

+2

It is the raw commit object as returned by git cat-file (with the signature removed) that is signed. If HEAD is a signed commit, you can verify the signature manually like this:

    git cat-file commit HEAD > signed-commit
    # everything before the line that opens the gpgsig header ...
    grep -B 9999 'BEGIN PGP SIGNATURE-----' signed-commit | head -n -1 > signed-commit.stripped
    # ... and everything after the line that closes it: the data GPG signed
    grep -A 9999 'END PGP SIGNATURE-----' signed-commit | tail -n +2 >> signed-commit.stripped
    # drop the "gpgsig " header name and the one-space continuation prefix
    sed 's/^gpgsig //' signed-commit | sed 's/^ //' > signed-commit.sig
    gpg --verify signed-commit.sig signed-commit.stripped
0

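The following is an added example, not code from either answer and not git's own implementation. It does in Python what the shell pipeline above does with grep and sed, and also illustrates the two points made in the first answer: the gpgsig header (with its one-space continuation lines) is stripped to recover the bytes GPG signed, a signed tag instead carries its signature appended after the message, and the object ID is SHA-1 over "kind length\0" plus the full content, signature included. The commit and tag objects are constructed by hand, and the armored block is a dummy placeholder rather than a real PGP signature, so gpg would reject it; the split payload and .sig are what you would hand to gpg --verify with a real signed commit.

```python
"""Split signed git commit/tag objects into payload and detached signature.

Added example; the objects below are constructed and the armored block is
a placeholder, not a real signature.
"""
import hashlib

BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"


def object_id(kind: str, content: bytes) -> str:
    """Git object ID: SHA-1 over the loose-object header plus the content."""
    header = f"{kind} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


def gpgsig_header(armored: str) -> str:
    """Embed an armored signature as git does: a 'gpgsig' header whose
    following lines are continuation lines prefixed with one space
    (a blank armor line is therefore stored as a single space)."""
    lines = armored.rstrip("\n").split("\n")
    return "gpgsig " + lines[0] + "\n" + "".join(" " + l + "\n" for l in lines[1:])


def split_commit(raw: str) -> tuple[str, str]:
    """Return (payload, signature) for a commit object.

    payload is the commit without its gpgsig header, i.e. what GPG signed;
    signature is the armored block with the continuation prefix removed
    (empty string if the commit is unsigned).
    """
    headers, _, message = raw.partition("\n\n")
    kept, sig_lines, in_sig = [], [], False
    for line in headers.split("\n"):
        if line.startswith("gpgsig "):
            in_sig = True
            sig_lines.append(line[len("gpgsig "):])
        elif in_sig and line.startswith(" "):
            sig_lines.append(line[1:])  # continuation line of the gpgsig header
        else:
            in_sig = False
            kept.append(line)
    payload = "\n".join(kept) + "\n\n" + message
    signature = "\n".join(sig_lines) + "\n" if sig_lines else ""
    return payload, signature


def split_tag(raw: str) -> tuple[str, str]:
    """Signed tags carry the armored signature appended after the message."""
    idx = raw.find(BEGIN)
    if idx < 0:
        return raw, ""
    return raw[:idx], raw[idx:]


# Constructed sample data (empty tree ID is the real one; signature is fake).
FAKE_SIG = f"{BEGIN}\n\niQEzBAABCAAdFiEEexample\n=AbCd\n{END}\n"

UNSIGNED_COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "author A U Thor <author@example.com> 1700000000 +0000\n"
    "committer A U Thor <author@example.com> 1700000000 +0000\n"
    "\n"
    "Initial commit\n"
)
_headers, _, _message = UNSIGNED_COMMIT.partition("\n\n")
SIGNED_COMMIT = _headers + "\n" + gpgsig_header(FAKE_SIG) + "\n" + _message

UNSIGNED_TAG = (
    "object 0123456789abcdef0123456789abcdef01234567\n"
    "type commit\n"
    "tag v1.0\n"
    "tagger A U Thor <author@example.com> 1700000000 +0000\n"
    "\n"
    "Release 1.0\n"
)
SIGNED_TAG = UNSIGNED_TAG + FAKE_SIG


def signature_changes_id() -> bool:
    """The commit ID covers the gpgsig header, so the signed and unsigned
    forms of the same commit have different hashes."""
    return object_id("commit", SIGNED_COMMIT.encode()) != object_id(
        "commit", UNSIGNED_COMMIT.encode()
    )


if __name__ == "__main__":
    payload, sig = split_commit(SIGNED_COMMIT)
    # Equivalent of signed-commit.stripped and signed-commit.sig above.
    with open("signed-commit.stripped", "w") as f:
        f.write(payload)
    with open("signed-commit.sig", "w") as f:
        f.write(sig)
    print("unsigned id:", object_id("commit", UNSIGNED_COMMIT.encode()))
    print("signed id:  ", object_id("commit", SIGNED_COMMIT.encode()))
    print("tag payload ends with:", repr(split_tag(SIGNED_TAG)[0][-12:]))
```

With a real repository, feed `git cat-file commit HEAD` into split_commit instead of SIGNED_COMMIT and run `gpg --verify signed-commit.sig signed-commit.stripped` on the two files it writes. Note that the tag case must not be handled by the commit splitter: the tag's signature is not a header, so stripping it is a suffix cut, which is why the two functions differ.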
Source: https://habr.com/ru/post/1264673/
