This repository has been archived by the owner on May 11, 2023. It is now read-only.

Rad Commit #3

sebastinez opened this issue Sep 13, 2021 · 6 comments
@sebastinez

sebastinez commented Sep 13, 2021

This issue should be a draft for an eventual specification of how git commits should be formatted if we want to use multiple git trailers and different types of signatures (gpg, ed25519) to improve the verification of the authors, committer and others who participated in a commit.

Status quo

  • Currently, the commit stores, as user information, a display name and email of the author and committer.
  • Anyone can change the display name and email to one of his choosing.

Concept

  • The information to be signed could be created during a pre-commit hook and signed by a HW or with a keystore file.
  • Allow signatures for each author, committer and even reviewers.
  • Signatures instead of being part of the commit header would be part of the commit trailer
  • Signatures could be encoded in some way to reduce size of trailer.
  • Verification of one or multiple commits against a listing of public keys. (eg. Ethereum addresses)

Discussion Points

  • Encoding of the trailer signature (base58, base64, others?)
  • Definition of property names of trailers (eg. Signed-off-by, Committed-by, Co-authored-by, Reviewed-by )
  • To allow various types of signatures I can imagine that we could use some kind of URN similar to the Radicle URN eg. eip155:<sig>, gpg:<sig>

Example


tree d7c7e1e0b8ba6ea8697ea2717d8530d8eeb561da
parent 3e8d2a29ff4165bcad080ea77527bf9c64e5bd3a
author Sebastian Martinez <[email protected]> 1631548042 +0200
committer Sebastian Martinez <[email protected]> 1631548042 +0200

Some tests with trailers
    
Signed-off-by: Sebastian Martinez <eip155:OgY1RkrDksKiw5gqw5PDp3LDpsO7w6rDrcOkw4JBw6jDmwFcwpZZKlhUEMKPwoZ/cDxOw7vDmlPCksKDKT/CnmAuw5dTZ2BPwoPDukbCkn/CpsO7wpE+YwhCSxob>
Reviewed-by: John Doe <eip155:GcOMw6BzCcKKXVTDrcKvwqJ1ZFYqwrVxwqrDl0EHLMOnS8OKQMOGw6nCqMOpccOtDcOMMcKTwqjCkcKnw6giworDoGIAXibCpcK6w5/CpEHCvsKuw7Apw4lQd2LDv03DrsK5HA==>
Committed-by: Alexis Sellier <eip155:XMKFKDjDrcKxwqzCt8KGMsO0B8KXw61QwonClMKPwrhVM1XDiMK/wrUSwohhw4LCt8OKS1xMRgbCj3pzwqNTB8OuNcKFXCvDmcKbw7lNwoU/fMOcbE7CrBvDpsORJxHDphs=>
@sebastinez sebastinez self-assigned this Sep 13, 2021
@cloudhead

cloudhead commented Sep 16, 2021

Nice.

Yeah, I like the URN approach. What I'm wondering is if the signature includes the public key or if we can separate them for ease of use. Also, I would keep the email address too as optional. Basically something like:

Signed-off-by: Alexis Sellier <[email protected]> eip155:OgY1RkrDksKiw5gqw5PDp3LDpsO7w6rDrcOkw4JBw6jDmwFcwpZZKlhUEMKPwoZ

In terms of encoding my preference would be with base58, but we could also consider using multibase..

Actually perhaps the email shouldn't be optional, as this allows other parsers to simply ignore what comes after the email..

@sebastinez

sebastinez commented Sep 16, 2021

> What I'm wondering is if the signature includes the public key

The signature does not include the public key. It is an ed25519 signature, signing the same content that gets signed by GPG when signing a commit. We could also allow GPG signatures in the trailer, which also won't store the public key.

The issue I discovered, is that by bringing commit signatures into the commit msg we are essentially allowing users to remove existing signatures..
The forgery of signatures should not be a problem, since this would mean that a user's private key has been obtained by a third party.
But if eg I sign a commit and my signature gets stored in a commit msg trailer another user could remove my contribution and my signature from this commit..

With the encoding and the email part I concur. 👍

@cloudhead

I don't understand, why would users remove signatures? And how would they even be able to without changing the commit hash?

@cloudhead

One important thing to remember also is when signing the commit via trailers, you can't sign the commit hash, since the commit hash will be a function of the commit message, so instead it probably makes sense to sign the tree.

@sebastinez

sebastinez commented Sep 16, 2021

> I don't understand, why would users remove signatures? And how would they even be able to without changing the commit hash?

You're right, since the commit hash is being generated through the commit body and header, this shouldn't be a problem.
Eventually we should also think about how the committer obtains the signatures from the other users.
Could eventually be part of a pre-commit hook where the committer could request the signatures from all the persons involved..

> One important thing to remember also is when signing the commit via trailers, you can't sign the commit hash, since the commit hash will be a function of the commit message, so instead it probably makes sense to sign the tree.

Okay yeah the tree would be better, since we don't know the final commit message until the commit happens..
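
An added example (not code from this thread or from the project) of the two points the discussion settles on: a trailer of the form `Key: Name <email> scheme:sig` is part of the hashed commit object, so adding or stripping it changes the commit id, while the tree id is fixed before the message exists. The trailer regex, the helper names, the placeholder identity and signature, and signing the raw tree id bytes are assumptions.

```python
import hashlib
import re

# Tree and parent ids are taken from the issue's example commit; the identity,
# e-mail address and signature text are constructed placeholders.
TREE = "d7c7e1e0b8ba6ea8697ea2717d8530d8eeb561da"
PARENT = "3e8d2a29ff4165bcad080ea77527bf9c64e5bd3a"
IDENT = "A U Thor <author@example.com>"
HEADER = (f"tree {TREE}\nparent {PARENT}\n"
          f"author {IDENT} 1631548042 +0200\n"
          f"committer {IDENT} 1631548042 +0200\n")
UNSIGNED = "Some tests with trailers\n"
SIGNED = UNSIGNED + f"\nSigned-off-by: {IDENT} eip155:PLACEHOLDERSIG\n"

# Assumed grammar for the form proposed in the thread:
#   Key: Name <email> scheme:signature
TRAILER = re.compile(
    r"^(?P<key>[A-Za-z][A-Za-z-]*): (?P<name>[^<]+?) <(?P<email>[^<>\s]+)> "
    r"(?P<scheme>[a-z0-9]+):(?P<sig>\S+)$")


def commit_id(message: str) -> str:
    """Git commit id: SHA-1 over 'commit <size>NUL' + header + blank line + message."""
    body = (HEADER + "\n" + message).encode()
    return hashlib.sha1(b"commit %d\0" % len(body) + body).hexdigest()


def parse_signed_trailers(message: str) -> list:
    """Return the signed trailers found in the last paragraph of the message."""
    last_paragraph = message.rstrip("\n").split("\n\n")[-1]
    matches = (TRAILER.match(line) for line in last_paragraph.splitlines())
    return [m.groupdict() for m in matches if m]


def signing_payload(tree_id: str) -> bytes:
    """Assumed payload: the raw tree id, which is known before any trailer exists."""
    return bytes.fromhex(tree_id)


if __name__ == "__main__":
    # Adding (or stripping) a trailer changes the commit id; the tree id does not move.
    print("commit id without trailer:", commit_id(UNSIGNED))
    print("commit id with trailer:   ", commit_id(SIGNED))
    print("payload to sign:          ", signing_payload(TREE).hex())
    print(parse_signed_trailers(SIGNED))
```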

@sebastinez

Has been deprioritized in favor of #2
