[Cryptech Tech] Fwd: Second hash via EIM

Павел Шатов meisterpaul1 at yandex.ru
Sat Feb 21 09:10:39 UTC 2015



On 20.02.2015 1:14, Rob Austein wrote:
> At Thu, 12 Feb 2015 12:42:25 +0300, Шатов Павел wrote:
>>
>> Yes, I'd be glad to continue working on this project. Last time we discussed
>> this, I was told that I must sign all the code that I upload. Could someone
>> give me instructions on how to do this properly and not break anything,
>> please? Unfortunately I'm only familiar with SVN, but not Git.
>
> Apologies for the delay in answering this (skiing holiday followed by
> various weather-related distractions at home).
>
> There are a number of git tutorials for basic stuff, I can dig out
> URLs, or maybe others have favorites.  One I particularly liked
> explains all git core operations using graph theory (git commit
> objects are the nodes, repository history forms a digraph).
>
> The most obvious difference between svn and git from the casual user's
> point of view is that "commit" and "push" are separate operations in
> git: you commit to your own repository, then when you're happy with
> what you've committed you push one or more commit objects upstream
> (well, actually, you can push them anywhere you like, git gives you
> kilometers of rope here, but upstream is the most useful place).
> Similarly, fetching commits from upstream and checking them out into
> one's own working tree are separate operations, although this is a
> common enough combination that "git pull" (sometimes) does both.
>
> Stuff specific to our project: yes, we require all commit objects
> pushed to the git.cryptech.is repositories to be signed by a known PGP
> key, and yes, we're annoyingly serious about this, because we want a
> signed audit trail.  As Joachim discovered the hard way, this
> requirement includes commit objects generated by "git merge", so one
> must remember to specify "-S" to both "git commit" and "git merge" or
> use the option to "git merge" which disables automatic commit; there
> are equivalent "git config" variables one can set if one doesn't want
> to have to remember to specify such things manually every time.
>
> I think I sent you the setup procedure a few weeks ago, let me know if
> you need me to send it again.  Summary: I need your PGP and SSH public
> keys, the PGP key must be signed by a key I can validate (Basil is the
> obvious choice in your case), and the SSH key must be signed by the
> PGP key.

Thank you for such a detailed explanation. Could you please send me this
setup procedure description once again?

> Once you're an authorized user (read: have the ability to push stuff
> to existing repositories and create new ones), you can just use the
> ssh interface:
>
>    $ ssh git@git.cryptech.is help
>    $ git clone git@git.cryptech.is:foo/bar.git
>    ...
>
> If you have existing clones of our repositories you can switch them
> using "git remote", or just clone them again, whatever's easiest.
>
> No doubt we should collect this and all the previous git discussions
> in the mailing list archives into a Wiki page when someone has time.
>

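A local check for the signing requirement described in the quoted message, as an added example that is not part of the original e-mail or of Cryptech's own tooling: it lists every commit in a range that lacks a good signature, merge commits included. The function names, the constructed demo repository and the choice to accept only status `G` are assumptions.

```shell
#!/bin/sh
# Added example: find commits that would fail a "every commit object must be
# signed" policy before pushing them. Merge commits are commit objects too,
# so a merge made without -S shows up here like any other unsigned commit.

# unsigned_commits <repo> <range>
# Prints "<status> <short-hash> <subject>" for each commit whose signature
# status (%G?) is not G (good signature from a valid key). N means the commit
# has no signature at all; other letters are failures git reports.
unsigned_commits() {
    git -C "$1" log --format='%G? %h %s' "$2" | grep -v '^G ' || true
}

# build_demo_repo <dir>
# Constructed history, deliberately unsigned: a root commit, one commit on
# each of two branches, and the merge commit that joins them.
build_demo_repo() {
    repo=$1
    # commit.gpgsign=false overrides any user-level setting that signs
    # commits automatically, so the demo history really is unsigned.
    g() {
        git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false "$@"
    }
    git init -q "$repo"
    g commit -q --allow-empty -m "root"
    base=$(g rev-parse --abbrev-ref HEAD)
    g checkout -q -b topic
    g commit -q --allow-empty -m "topic work"
    g checkout -q "$base"
    g commit -q --allow-empty -m "mainline work"
    # A non-fast-forward merge creates a new commit object of its own.
    g merge -q --no-ff -m "merge topic" topic
}

# Demo run: all four commits are reported, the merge commit among them.
demo_dir=$(mktemp -d)
build_demo_repo "$demo_dir"
unsigned_commits "$demo_dir" HEAD
rm -rf "$demo_dir"
```

On a real clone, pass the range about to be pushed, for example `unsigned_commits . origin/master..HEAD`; an empty result means every commit in the range has a good signature.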