Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
* [FFmpeg-devel] [PATCH v2] doc/git-howto.texi: Document commit signing
@ 2022-08-09 19:34 Michael Niedermayer
  2022-08-09 19:38 ` James Almer
  0 siblings, 1 reply; 6+ messages in thread
From: Michael Niedermayer @ 2022-08-09 19:34 UTC (permalink / raw)
  To: FFmpeg development discussions and patches; +Cc: Michael Niedermayer

From: Michael Niedermayer <michael-git@niedermayer.cc>

Signed-off-by: Michael Niedermayer <michael-git@niedermayer.cc>
---
 doc/git-howto.texi | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/doc/git-howto.texi b/doc/git-howto.texi
index 874afabbbc..48389751a4 100644
--- a/doc/git-howto.texi
+++ b/doc/git-howto.texi
@@ -187,11 +187,18 @@ to make sure you don't have untracked files or deletions.
 git add [-i|-p|-A] <filenames/dirnames>
 @end example
 
-Make sure you have told Git your name and email address
+Make sure you have told Git your name, email address and GPG key
 
 @example
 git config --global user.name "My Name"
 git config --global user.email my@@email.invalid
+git config --global user.signingkey ABCDEF0123245
+@end example
+
+Enable signing all commits or use -S
+
+@example
+git config --global commit.gpgsign true
 @end example
 
 Use @option{--global} to set the global configuration for all your Git checkouts.
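
Review bot: The placeholder in the added line "git config --global user.signingkey ABCDEF0123245" is 13 hex digits, which matches none of the forms a gpg key identifier takes (8- or 16-digit key ID, or the 40-digit fingerprint), so a reader cannot tell what to paste there. Use an obvious placeholder for the full fingerprint and add one sentence on where to find it, since short key IDs are not unique. The added sentence "Enable signing all commits or use -S" should also name the command the option belongs to (git commit -S) and mark it up with @option{}, as the context line does for --global.
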
@@ -423,6 +430,19 @@ git checkout -b svn_23456 $SHA1
 where @var{$SHA1} is the commit hash from the @command{git log} output.
 
 
+@chapter gpg key generation
+
+If you have no gpg key yet, we recommand that you create a ed25519 based key as it
+is small, fast and secure. Especially it results in small signatures in git.
+
+@example
+gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human@server.com"
+@end example
+
+When genarting a key, make sure the email specified matches the email used in git as some sites like
+github consider mismatches a reason to declare such commits unverified. After generating a key you
+can add it to the MAINTAINER file and upload it to a keyserver.
+
 @chapter Pre-push checklist
 
 Once you have a set of commits that you feel are ready for pushing,
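
Review bot: The address in the added gpg example, "human@server.com", contains a bare @, while the existing git config example in this file writes my@@email.invalid; Texinfo treats a single @ as the start of a command, so this needs to be human@@server.com. Reusing the my@@email.invalid address from that example would also show the match that the following paragraph asks for. The closing sentence says to "upload it to a keyserver" without saying that only the public key is exported and uploaded; one clause would cover that. Typos in the added text: "recommand", "genarting", "a ed25519".
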
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [FFmpeg-devel] [PATCH v2] doc/git-howto.texi: Document commit signing
  2022-08-09 19:34 [FFmpeg-devel] [PATCH v2] doc/git-howto.texi: Document commit signing Michael Niedermayer
@ 2022-08-09 19:38 ` James Almer
  2022-08-09 22:19   ` Michael Niedermayer
  0 siblings, 1 reply; 6+ messages in thread
From: James Almer @ 2022-08-09 19:38 UTC (permalink / raw)
  To: ffmpeg-devel

On 8/9/2022 4:34 PM, Michael Niedermayer wrote:
> From: Michael Niedermayer <michael-git@niedermayer.cc>
> 
> Signed-off-by: Michael Niedermayer <michael-git@niedermayer.cc>
> ---
>   doc/git-howto.texi | 22 +++++++++++++++++++++-
>   1 file changed, 21 insertions(+), 1 deletion(-)
> 
> diff --git a/doc/git-howto.texi b/doc/git-howto.texi
> index 874afabbbc..48389751a4 100644
> --- a/doc/git-howto.texi
> +++ b/doc/git-howto.texi
> @@ -187,11 +187,18 @@ to make sure you don't have untracked files or deletions.
>   git add [-i|-p|-A] <filenames/dirnames>
>   @end example
>   
> -Make sure you have told Git your name and email address
> +Make sure you have told Git your name, email address and GPG key
>   
>   @example
>   git config --global user.name "My Name"
>   git config --global user.email my@@email.invalid
> +git config --global user.signingkey ABCDEF0123245
> +@end example
> +
> +Enable signing all commits or use -S
> +
> +@example
> +git config --global commit.gpgsign true
>   @end example
>   
>   Use @option{--global} to set the global configuration for all your Git checkouts.
> @@ -423,6 +430,19 @@ git checkout -b svn_23456 $SHA1
>   where @var{$SHA1} is the commit hash from the @command{git log} output.
>   
>   
> +@chapter gpg key generation
> +
> +If you have no gpg key yet, we recommand that you create a ed25519 based key as it

Recommend.

> +is small, fast and secure. Especially it results in small signatures in git.
> +
> +@example
> +gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human@server.com"
> +@end example
> +
> +When genarting a key, make sure the email specified matches the email used in git as some sites like

Generating

> +github consider mismatches a reason to declare such commits unverified. After generating a key you
> +can add it to the MAINTAINER file and upload it to a keyserver.

Maybe link some external documentation about gpg keys, explaining the 
difference between public and private keys, how to encrypt the private 
one with a passphrase, etc.
Sites like gitlab tell you to not attempt to upload private keys, so I
imagine quite a lot of people have mistakenly done so in the past.

> +
>   @chapter Pre-push checklist
>   
>   Once you have a set of commits that you feel are ready for pushing,

^ permalink raw reply	[flat|nested] 6+ messages in thread
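
The two checks this thread circles around, that the key carries the e-mail address Git uses and that only public key material is uploaded, as an added shell example that is not part of the patch or of FFmpeg's documentation. The function names and all sample data are constructed for illustration; the listing imitates `gpg --list-keys --with-colons` output.

```sh
#!/bin/sh
# Added example; every key, ID and address below is constructed.

# armor_kind: read an ASCII-armored export on stdin and print
# "private", "public" or "unknown". "private" wins when both block
# types are present, so a bundle holding a secret key is never passed.
armor_kind() {
    awk '
        /^-----BEGIN PGP PRIVATE KEY BLOCK-----/ { priv = 1 }
        /^-----BEGIN PGP PUBLIC KEY BLOCK-----/  { pub = 1 }
        END {
            if (priv)     print "private"
            else if (pub) print "public"
            else          print "unknown"
        }'
}

# uid_has_email EMAIL: read `gpg --list-keys --with-colons` output on
# stdin and succeed only if a uid record that is neither revoked (r)
# nor expired (e) carries EMAIL. Field 2 is the validity, field 10 the
# user ID string. Addresses are compared case-insensitively.
uid_has_email() {
    awk -F: -v want="$1" '
        $1 == "uid" && $2 != "r" && $2 != "e" {
            if (match($10, /<[^>]*>/)) {
                addr = substr($10, RSTART + 1, RLENGTH - 2)
                if (tolower(addr) == tolower(want)) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

SAMPLE_PUBLIC='-----BEGIN PGP PUBLIC KEY BLOCK-----

(constructed placeholder, no key data)
-----END PGP PUBLIC KEY BLOCK-----'

SAMPLE_PRIVATE='-----BEGIN PGP PRIVATE KEY BLOCK-----

(constructed placeholder, no key data)
-----END PGP PRIVATE KEY BLOCK-----'

# Constructed listing: one valid uid and one revoked uid.
SAMPLE_LISTING='pub:u:255:22:0000000000000001:1660073640:::u:::scESC:::::ed25519:::0:
uid:u::::1660073640::0000000000000000000000000000000000000002::My Name <my@email.invalid>::::::::::0:
uid:r::::1660073640::0000000000000000000000000000000000000003::My Name <old@email.invalid>::::::::::0:'

# Real use (not run here), with KEY set to your key's fingerprint:
#   gpg --armor --export "$KEY" | armor_kind
#   gpg --list-keys --with-colons "$KEY" | uid_has_email "$(git config user.email)"
for sample in "$SAMPLE_PUBLIC" "$SAMPLE_PRIVATE"; do
    printf 'export classified as: %s\n' "$(printf '%s\n' "$sample" | armor_kind)"
done
for addr in my@email.invalid old@email.invalid; do
    if printf '%s\n' "$SAMPLE_LISTING" | uid_has_email "$addr"; then
        echo "$addr: usable uid on key"
    else
        echo "$addr: no usable uid; a hosting site may show commits as unverified"
    fi
done
```
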

* Re: [FFmpeg-devel] [PATCH v2] doc/git-howto.texi: Document commit signing
  2022-08-09 19:38 ` James Almer
@ 2022-08-09 22:19   ` Michael Niedermayer
  2022-08-23 18:00     ` Michael Niedermayer
  0 siblings, 1 reply; 6+ messages in thread
From: Michael Niedermayer @ 2022-08-09 22:19 UTC (permalink / raw)
  To: FFmpeg development discussions and patches


On Tue, Aug 09, 2022 at 04:38:56PM -0300, James Almer wrote:
> On 8/9/2022 4:34 PM, Michael Niedermayer wrote:
> > From: Michael Niedermayer <michael-git@niedermayer.cc>
> > 
> > Signed-off-by: Michael Niedermayer <michael-git@niedermayer.cc>
> > ---
> >   doc/git-howto.texi | 22 +++++++++++++++++++++-
> >   1 file changed, 21 insertions(+), 1 deletion(-)
> > 
> > diff --git a/doc/git-howto.texi b/doc/git-howto.texi
> > index 874afabbbc..48389751a4 100644
> > --- a/doc/git-howto.texi
> > +++ b/doc/git-howto.texi
> > @@ -187,11 +187,18 @@ to make sure you don't have untracked files or deletions.
> >   git add [-i|-p|-A] <filenames/dirnames>
> >   @end example
> > -Make sure you have told Git your name and email address
> > +Make sure you have told Git your name, email address and GPG key
> >   @example
> >   git config --global user.name "My Name"
> >   git config --global user.email my@@email.invalid
> > +git config --global user.signingkey ABCDEF0123245
> > +@end example
> > +
> > +Enable signing all commits or use -S
> > +
> > +@example
> > +git config --global commit.gpgsign true
> >   @end example
> >   Use @option{--global} to set the global configuration for all your Git checkouts.
> > @@ -423,6 +430,19 @@ git checkout -b svn_23456 $SHA1
> >   where @var{$SHA1} is the commit hash from the @command{git log} output.
> > +@chapter gpg key generation
> > +
> > +If you have no gpg key yet, we recommand that you create a ed25519 based key as it
> 
> Recommend.
> 
> > +is small, fast and secure. Especially it results in small signatures in git.
> > +
> > +@example
> > +gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human@server.com"
> > +@end example
> > +
> > +When genarting a key, make sure the email specified matches the email used in git as some sites like
> 
> Generating

ok


> 
> > +github consider mismatches a reason to declare such commits unverified. After generating a key you
> > +can add it to the MAINTAINER file and upload it to a keyserver.
> 
> Maybe link some external documentation about gpg keys, explaining the
> difference between public and private keys, 

what do you recommend ?


> how to encrypt the private one
> with a passphrase, etc.

Have you tried to generate a gpg key without a passphrase ?
I just tried, and failed, gpg keeps asking for a passphrase until you enter
one or kill it. It kept haunting me and asking for a passphrase even after
trying ctrl-c 


> Sites like gitlab tell you to not attempt to upload private keys, 

ok


> so I
> imagine quite a lot of people have mistakenly done so in the past.

imagine?

but what do you suggest? we can document how someone can create a key,
upload it and so on. You can provide me with a url that describes a
working documentation for that, I surely do not have one. A lot of
documentation is somewhat bad. Many keyservers have died recently,
some existing keys like DSA seem to have some affinity to SHA1, and
SHA1 is rejected today while at the same time still default on many
setups, the one documentation I saw today to fix that DSA/SHA1 issue
requires you to have a backup as it breaks your keys and is wrong.


thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Breaking DRM is a little like attempting to break through a door even
though the window is wide open and the only thing in the house is a bunch
of things you dont want and which you would get tomorrow for free anyway


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [FFmpeg-devel] [PATCH v2] doc/git-howto.texi: Document commit signing
  2022-08-09 22:19   ` Michael Niedermayer
@ 2022-08-23 18:00     ` Michael Niedermayer
  2022-08-23 18:07       ` James Almer
  0 siblings, 1 reply; 6+ messages in thread
From: Michael Niedermayer @ 2022-08-23 18:00 UTC (permalink / raw)
  To: FFmpeg development discussions and patches


On Wed, Aug 10, 2022 at 12:19:02AM +0200, Michael Niedermayer wrote:
> On Tue, Aug 09, 2022 at 04:38:56PM -0300, James Almer wrote:
> > On 8/9/2022 4:34 PM, Michael Niedermayer wrote:
> > > From: Michael Niedermayer <michael-git@niedermayer.cc>
[...]
> 
> > 
> > > +github consider mismatches a reason to declare such commits unverified. After generating a key you
> > > +can add it to the MAINTAINER file and upload it to a keyserver.
> > 
> > Maybe link some external documentation about gpg keys, explaining the
> > difference between public and private keys, 
> 
> what do you recommend ?

ping ?
we could link to the gpg docs but that seems kind of silly


> 
> 
> > how to encrypt the private one
> > with a passphrase, etc.
> 
> Have you tried to generate a gpg key without a passphrase ?
> I just tried, and failed, gpg keeps asking for a passphrase until you enter
> one or kill it. It kept haunting me and asking for a passphrase even after
> trying ctrl-c 
> 
> 
> > Sites like gitlab tell you to not attempt to upload private keys, 
> 
> ok
> 
> 
> > so I
> > imagine quite a lot of people have mistakenly done so in the past.
> 
> imagine?
> 
> but what do you suggest? we can document how someone can create a key,
> upload it and so on. You can provide me with a url that describes a
> working documentation for that, I surely do not have one. A lot of
> documentation is somewhat bad. Many keyservers have died recently,
> some existing keys like DSA seem to have some affinity to SHA1, and
> SHA1 is rejected today while at the same time still default on many
> setups, the one documentation I saw today to fix that DSA/SHA1 issue
> requires you to have a backup as it breaks your keys and is wrong.




[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Dictatorship: All citizens are under surveillance, all their steps and
actions recorded, for the politicians to enforce control.
Democracy: All politicians are under surveillance, all their steps and
actions recorded, for the citizens to enforce control.


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [FFmpeg-devel] [PATCH v2] doc/git-howto.texi: Document commit signing
  2022-08-23 18:00     ` Michael Niedermayer
@ 2022-08-23 18:07       ` James Almer
  2022-08-28 17:50         ` Michael Niedermayer
  0 siblings, 1 reply; 6+ messages in thread
From: James Almer @ 2022-08-23 18:07 UTC (permalink / raw)
  To: ffmpeg-devel

On 8/23/2022 3:00 PM, Michael Niedermayer wrote:
> On Wed, Aug 10, 2022 at 12:19:02AM +0200, Michael Niedermayer wrote:
>> On Tue, Aug 09, 2022 at 04:38:56PM -0300, James Almer wrote:
>>> On 8/9/2022 4:34 PM, Michael Niedermayer wrote:
>>>> From: Michael Niedermayer <michael-git@niedermayer.cc>
> [...]
>>
>>>
>>>> +github consider mismatches a reason to declare such commits unverified. After generating a key you
>>>> +can add it to the MAINTAINER file and upload it to a keyserver.
>>>
>>> Maybe link some external documentation about gpg keys, explaining the
>>> difference between public and private keys,
>>
>> what do you recommend ?
> 
> ping ?
> we could link to the gpg docs but that seems kind of silly

I have no recommendation.

> 
> 
>>
>>
>>> how to encrypt the private one
>>> with a passphrase, etc.
>>
>> Have you tried to generate a gpg key without a passphrase ?

I probably mixed it in my mind with ssh keys, where you can store a 
private key unencrypted.

>> I just tried, and failed, gpg keeps asking for a passphrase until you enter
>> one or kill it. It kept haunting me and asking for a passphrase even after
>> trying ctrl-c
>>
>>
>>> Sites like gitlab tell you to not attempt to upload private keys,
>>
>> ok
>>
>>
>>> so I
>>> imagine quite a lot of people have mistakenly done so in the past.
>>
>> imagine?

"Every sign has a story". If Gitlab tells you to make sure to not 
attempt to upload a private key, then it could be that it has happened 
at some point.

>>
>> but what do you suggest? we can document how someone can create a key,
>> upload it and so on. You can provide me with a url that describes a
>> working documentation for that, I surely do not have one. A lot of
>> documentation is somewhat bad. Many keyservers have died recently,
>> some existing keys like DSA seem to have some affinity to SHA1, and
>> SHA1 is rejected today while at the same time still default on many
>> setups, the one documentation I saw today to fix that DSA/SHA1 issue
>> requires you to have a backup as it breaks your keys and is wrong.

If there's no good documentation or tutorial for this, then let's not
bother with it. Your patch should be fine as is.

> 
> 
> 
> 
> [...]
> 
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [FFmpeg-devel] [PATCH v2] doc/git-howto.texi: Document commit signing
  2022-08-23 18:07       ` James Almer
@ 2022-08-28 17:50         ` Michael Niedermayer
  0 siblings, 0 replies; 6+ messages in thread
From: Michael Niedermayer @ 2022-08-28 17:50 UTC (permalink / raw)
  To: FFmpeg development discussions and patches


On Tue, Aug 23, 2022 at 03:07:53PM -0300, James Almer wrote:
> On 8/23/2022 3:00 PM, Michael Niedermayer wrote:
> > On Wed, Aug 10, 2022 at 12:19:02AM +0200, Michael Niedermayer wrote:
> > > On Tue, Aug 09, 2022 at 04:38:56PM -0300, James Almer wrote:
> > > > On 8/9/2022 4:34 PM, Michael Niedermayer wrote:
> > > > > From: Michael Niedermayer <michael-git@niedermayer.cc>
> > [...]
> > > 
> > > > 
> > > > > +github consider mismatches a reason to declare such commits unverified. After generating a key you
> > > > > +can add it to the MAINTAINER file and upload it to a keyserver.
> > > > 
> > > > Maybe link some external documentation about gpg keys, explaining the
> > > > difference between public and private keys,
> > > 
> > > what do you recommend ?
> > 
> > ping ?
> > we could link to the gpg docs but that seems kind of silly
> 
> I have no recommendation.
> 
> > 
> > 
> > > 
> > > 
> > > > how to encrypt the private one
> > > > with a passphrase, etc.
> > > 
> > > Have you tried to generate a gpg key without a passphrase ?
> 
> I probably mixed it in my mind with ssh keys, where you can store a private
> key unencrypted.
> 
> > > I just tried, and failed, gpg keeps asking for a passphrase until you enter
> > > one or kill it. It kept haunting me and asking for a passphrase even after
> > > trying ctrl-c
> > > 
> > > 
> > > > Sites like gitlab tell you to not attempt to upload private keys,
> > > 
> > > ok
> > > 
> > > 
> > > > so I
> > > > imagine quite a lot of people have mistakenly done so in the past.
> > > 
> > > imagine?
> 
> "Every sign has a story". If Gitlab tells you to make sure to not attempt to
> upload a private key, then it could be that it has happened at some point.
> 
> > > 
> > > but what do you suggest? we can document how someone can create a key,
> > > upload it and so on. You can provide me with a url that describes a
> > > working documentation for that, I surely do not have one. A lot of
> > > documentation is somewhat bad. Many keyservers have died recently,
> > > some existing keys like DSA seem to have some affinity to SHA1, and
> > > SHA1 is rejected today while at the same time still default on many
> > > setups, the one documentation I saw today to fix that DSA/SHA1 issue
> > > requires you to have a backup as it breaks your keys and is wrong.
> 
> If there's no good documentation or tutorial for this, then let's not bother
> with it. Your patch should be fine as is.

There may be a good one, it's just that I don't know what to link to

will apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Never trust a computer, one day, it may think you are the virus. -- Compn


^ permalink raw reply	[flat|nested] 6+ messages in thread
