我如何在本地验证 git 提交签名
How can I locally verify a git commit signature
因此,作为练习,我正在尝试弄清楚如何在本地验证 git 提交签名。
作为示例,我使用 https://github.com/ethereum/go-ethereum/commit/0a68558e7e025afebf67b81bf48ecb8b0fa7c06d。
此 sig 的 public 密钥是 https://github.com/web-flow.gpg。
当我运行以下
git verify-commit 0a68558e7e025afebf67b81bf48ecb8b0fa7c06d
我得到的结果是有效提交。
但是我想找出一种方法来编写脚本来执行此操作。
我定义了两个文件
commit.txt
commit 0a68558e7e025afebf67b81bf48ecb8b0fa7c06d
Author: Péter Szilágyi <peterke@gmail.com>
Date: Fri Aug 13 15:39:51 2021 +0300
accounts/external: handle 0 chainid as not-set for the Clef API (#23394)
* accounts/external: handle 0 chainid as not-set for the Clef API
* accounts/external: document SignTx
Co-authored-by: Felix Lange <fjl@twurst.com>
然后使用 git cat-file -p <commit-hash> 我得到签名并将其存储在文件中 doc.sig
-----BEGIN PGP SIGNATURE-----
wsBcBAABCAAQBQJhFmgXCRBK7hj4Ov3rIwAAkpoIACFP0wLY/5WA3rHgrU2s/6lT
DdTOK7HNnh00bJIEplGoVvMWku0mAHAgp8t+oerhQlwHC8quBIxo9ozzz7UBj0Aa
3VjFSBXnX5KCkW8kY8ZxT4xnuXgFJ/O5z59qSh+3S1Lt/B6c2ERP+3T6oylR+LMt
/Icr901l24kRKNOkjM6cM5jDGVpD+7CLQQKmwcq8A5Ee14EF+H2+/XaFJmilYhfL
r/BY4aPvQDP18vhwTKOVTpVzGmjLn/i0OU6kAfcY2LSzhfSJ0rlenQ0JQE4kK9KM
dh1E8WvySYOh7WD9iKkNPP2VbXuPoNaVQIwkJ06kab8edvKw1qQsWpogMtKlQAI=
=qe4m
-----END PGP SIGNATURE-----
然而当我运行
gpg verify doc.sig commit.txt
我得到以下内容
gpg: Signature made Fri Aug 13 05:39:51 2021 PDT
gpg: using RSA key 4AEE18F83AFDEB23
gpg: BAD signature from "GitHub (web-flow commit signing) <noreply@github.com>" [unknown]
我尝试通过 openpgpjs 脚本 运行 验证签名时得到类似的结果 https://github.com/openpgpjs/openpgpjs
任何人都知道我可能做错了什么。
您从 git log 看到的输出不是实际的提交数据。要查看实际提交数据,运行 git cat-file commit OID:
tree d51ae01e7bd033c28b98e2e70fb5920cd5fe269f
parent fd604becbb952cc46111a77ea4e5b76b4617fa49
author Péter Szilágyi <peterke@gmail.com> 1628858391 +0300
committer GitHub <noreply@github.com> 1628858391 +0300
gpgsig -----BEGIN PGP SIGNATURE-----
wsBcBAABCAAQBQJhFmgXCRBK7hj4Ov3rIwAAkpoIACFP0wLY/5WA3rHgrU2s/6lT
DdTOK7HNnh00bJIEplGoVvMWku0mAHAgp8t+oerhQlwHC8quBIxo9ozzz7UBj0Aa
3VjFSBXnX5KCkW8kY8ZxT4xnuXgFJ/O5z59qSh+3S1Lt/B6c2ERP+3T6oylR+LMt
/Icr901l24kRKNOkjM6cM5jDGVpD+7CLQQKmwcq8A5Ee14EF+H2+/XaFJmilYhfL
r/BY4aPvQDP18vhwTKOVTpVzGmjLn/i0OU6kAfcY2LSzhfSJ0rlenQ0JQE4kK9KM
dh1E8WvySYOh7WD9iKkNPP2VbXuPoNaVQIwkJ06kab8edvKw1qQsWpogMtKlQAI=
=qe4m
-----END PGP SIGNATURE-----
accounts/external: handle 0 chainid as not-set for the Clef API (#23394)
* accounts/external: handle 0 chainid as not-set for the Clef API
* accounts/external: document SignTx
Co-authored-by: Felix Lange <fjl@twurst.com>
请注意,这里的提交不以换行符结尾。
您将 gpgsig header(或 gpgsig-sha256 header)及其尾随行一起删除,这就是签名所基于的数据:
tree d51ae01e7bd033c28b98e2e70fb5920cd5fe269f
parent fd604becbb952cc46111a77ea4e5b76b4617fa49
author Péter Szilágyi <peterke@gmail.com> 1628858391 +0300
committer GitHub <noreply@github.com> 1628858391 +0300
accounts/external: handle 0 chainid as not-set for the Clef API (#23394)
* accounts/external: handle 0 chainid as not-set for the Clef API
* accounts/external: document SignTx
Co-authored-by: Felix Lange <fjl@twurst.com>
签名是 gpgsig header 中的数据,或者对于 SHA-256 存储库,gpgsig-sha256 header.
您不应复制和粘贴此数据,因为签名需要准确的数据才能匹配。相反,您可以这样做:
$ git cat-file commit HEAD | sed -e'/^gpgsig/d; /^ /d' >commit
$ git cat-file commit HEAD | sed -ne'/^gpgsig/,/---END/s/^[a-z]* //p' >sig
$ gpg --verify sig commit
因此,作为练习,我正在尝试弄清楚如何在本地验证 git 提交签名。
作为示例,我使用 https://github.com/ethereum/go-ethereum/commit/0a68558e7e025afebf67b81bf48ecb8b0fa7c06d。
此 sig 的 public 密钥是 https://github.com/web-flow.gpg。
当我运行以下
git verify-commit 0a68558e7e025afebf67b81bf48ecb8b0fa7c06d
我得到的结果是有效提交。
但是我想找出一种方法来编写脚本来执行此操作。
我定义了两个文件
commit.txt
commit 0a68558e7e025afebf67b81bf48ecb8b0fa7c06d
Author: Péter Szilágyi <peterke@gmail.com>
Date: Fri Aug 13 15:39:51 2021 +0300
accounts/external: handle 0 chainid as not-set for the Clef API (#23394)
* accounts/external: handle 0 chainid as not-set for the Clef API
* accounts/external: document SignTx
Co-authored-by: Felix Lange <fjl@twurst.com>
然后使用 git cat-file -p <commit-hash> 我得到签名并将其存储在文件中 doc.sig
-----BEGIN PGP SIGNATURE-----
wsBcBAABCAAQBQJhFmgXCRBK7hj4Ov3rIwAAkpoIACFP0wLY/5WA3rHgrU2s/6lT
DdTOK7HNnh00bJIEplGoVvMWku0mAHAgp8t+oerhQlwHC8quBIxo9ozzz7UBj0Aa
3VjFSBXnX5KCkW8kY8ZxT4xnuXgFJ/O5z59qSh+3S1Lt/B6c2ERP+3T6oylR+LMt
/Icr901l24kRKNOkjM6cM5jDGVpD+7CLQQKmwcq8A5Ee14EF+H2+/XaFJmilYhfL
r/BY4aPvQDP18vhwTKOVTpVzGmjLn/i0OU6kAfcY2LSzhfSJ0rlenQ0JQE4kK9KM
dh1E8WvySYOh7WD9iKkNPP2VbXuPoNaVQIwkJ06kab8edvKw1qQsWpogMtKlQAI=
=qe4m
-----END PGP SIGNATURE-----
然而当我运行
gpg verify doc.sig commit.txt
我得到以下内容
gpg: Signature made Fri Aug 13 05:39:51 2021 PDT
gpg: using RSA key 4AEE18F83AFDEB23
gpg: BAD signature from "GitHub (web-flow commit signing) <noreply@github.com>" [unknown]
我尝试通过 openpgpjs 脚本 运行 验证签名时得到类似的结果 https://github.com/openpgpjs/openpgpjs
任何人都知道我可能做错了什么。
您从 git log 看到的输出不是实际的提交数据。要查看实际提交数据,运行 git cat-file commit OID:
tree d51ae01e7bd033c28b98e2e70fb5920cd5fe269f
parent fd604becbb952cc46111a77ea4e5b76b4617fa49
author Péter Szilágyi <peterke@gmail.com> 1628858391 +0300
committer GitHub <noreply@github.com> 1628858391 +0300
gpgsig -----BEGIN PGP SIGNATURE-----
wsBcBAABCAAQBQJhFmgXCRBK7hj4Ov3rIwAAkpoIACFP0wLY/5WA3rHgrU2s/6lT
DdTOK7HNnh00bJIEplGoVvMWku0mAHAgp8t+oerhQlwHC8quBIxo9ozzz7UBj0Aa
3VjFSBXnX5KCkW8kY8ZxT4xnuXgFJ/O5z59qSh+3S1Lt/B6c2ERP+3T6oylR+LMt
/Icr901l24kRKNOkjM6cM5jDGVpD+7CLQQKmwcq8A5Ee14EF+H2+/XaFJmilYhfL
r/BY4aPvQDP18vhwTKOVTpVzGmjLn/i0OU6kAfcY2LSzhfSJ0rlenQ0JQE4kK9KM
dh1E8WvySYOh7WD9iKkNPP2VbXuPoNaVQIwkJ06kab8edvKw1qQsWpogMtKlQAI=
=qe4m
-----END PGP SIGNATURE-----
accounts/external: handle 0 chainid as not-set for the Clef API (#23394)
* accounts/external: handle 0 chainid as not-set for the Clef API
* accounts/external: document SignTx
Co-authored-by: Felix Lange <fjl@twurst.com>
请注意,这里的提交不以换行符结尾。
您将 gpgsig header(或 gpgsig-sha256 header)及其尾随行一起删除,这就是签名所基于的数据:
tree d51ae01e7bd033c28b98e2e70fb5920cd5fe269f
parent fd604becbb952cc46111a77ea4e5b76b4617fa49
author Péter Szilágyi <peterke@gmail.com> 1628858391 +0300
committer GitHub <noreply@github.com> 1628858391 +0300
accounts/external: handle 0 chainid as not-set for the Clef API (#23394)
* accounts/external: handle 0 chainid as not-set for the Clef API
* accounts/external: document SignTx
Co-authored-by: Felix Lange <fjl@twurst.com>
签名是 gpgsig header 中的数据,或者对于 SHA-256 存储库,gpgsig-sha256 header.
您不应复制和粘贴此数据,因为签名需要准确的数据才能匹配。相反,您可以这样做:
$ git cat-file commit HEAD | sed -e'/^gpgsig/d; /^ /d' >commit
$ git cat-file commit HEAD | sed -ne'/^gpgsig/,/---END/s/^[a-z]* //p' >sig
$ gpg --verify sig commit