[FFmpeg-devel] [RFC] git and signing commits and tags

[FFmpeg-devel] [RFC] git and signing commits and tags

[Michael Niedermayer]

Given the recent server issues, i wonder if we should suggest/recommand
and document signing commits and tags

i tried to push such commit to github and it nicely says "verified"
https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf

Ive generated a new gpg key for this experiment as i dont have my
main key on the box used for git development and also using more
modern eliptic curve stuff (smaller keys & sigs)
i will upload this key to the keyservers in case it becomes the
one i use for git.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEYvA3sxYJKwYBBAHaRw8BAQdAhF26S5QlUZssryHGHLYw61FsF+0s54qWEDm1
Rurfi5O0ME1pY2hhZWwgTmllZGVybWF5ZXIgPG1pY2hhZWwtZ2l0QG5pZWRlcm1h
eWVyLmNjPoiWBBMWCAA+FiEE3R7J6N4IXGKbPhhGsY6JKLOUjWQFAmLwN7MCGwMF
CQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQsY6JKLOUjWTKMwD8DW39
MrtvYdjP/CvxWTma+MErgkFfrx67y+zO0r6vYmYA/063Y7s6+ef0Whydf5xlJLYF
nX3ZwXnZubVsjJz0WV0EuDgEYvA3sxIKKwYBBAGXVQEFAQEHQD381bpdRfPa3DjW
WFQx1IeRgeSavPep1v4C2noShjcTAwEIB4h4BBgWCAAgFiEE3R7J6N4IXGKbPhhG
sY6JKLOUjWQFAmLwN7MCGwwACgkQsY6JKLOUjWRryQEA+nEGWw5ygbiYpSe34erz
opoxh+iIUdzl+OnyU2fpNVsA/A91nhyyR8eMlAptr16FVoEnZBHtcK2cTcGxqkdL
JMkG
=D6v5
-----END PGP PUBLIC KEY BLOCK-----



_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 1/2] MAINTAINERS: Add ED25519 key for tag/commit signing experiment

[Michael Niedermayer]

From: Michael Niedermayer <michael-git@niedermayer.cc>

Signed-off-by: Michael Niedermayer <michael-git@niedermayer.cc>
---
 MAINTAINERS | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 7ed15f96f6..ed2ec0b90c 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -626,6 +626,7 @@ Leo Izen (thebombzen)         B6FD 3CFC 7ACF 83FC 9137 6945 5A71 C331 FD2F A19A
 Loren Merritt                 ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE
 Lynne                         FE50 139C 6805 72CA FD52 1F8D A2FE A5F0 3F03 4464
 Michael Niedermayer           9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB
+                              DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64
 Nicolas George                24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93
 Niklas Haas (haasn)           1DDB 8076 B14D 5B48 32FC 99D9 EB52 DA9C 02BA 6FB4
 Nikolay Aleksandrov           8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/2] doc/git-howto.texi: Document commit signing

[Michael Niedermayer]

From: Michael Niedermayer <michael-git@niedermayer.cc>

---
 doc/git-howto.texi | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/doc/git-howto.texi b/doc/git-howto.texi
index 874afabbbc..9c74199495 100644
--- a/doc/git-howto.texi
+++ b/doc/git-howto.texi
@@ -187,11 +187,18 @@ to make sure you don't have untracked files or deletions.
 git add [-i|-p|-A] <filenames/dirnames>
 @end example
 
-Make sure you have told Git your name and email address
+Make sure you have told Git your name, email address and GPG key
 
 @example
 git config --global user.name "My Name"
 git config --global user.email my@@email.invalid
+git config --global user.signingkey ABCDEF0123245
+@end example
+
+Enable signing all commits or use -S
+
+@example
+git config --global commit.gpgsign true
 @end example
 
 Use @option{--global} to set the global configuration for all your Git checkouts.
@@ -423,6 +430,18 @@ git checkout -b svn_23456 $SHA1
 where @var{$SHA1} is the commit hash from the @command{git log} output.
 
 
+@chapter gpg key generation
+
+If you have no gpg key yet, we recommand that you create a ed25519 based key as it
+is small, fast and secure. Especially it results in small signatures in git.
+
+@example
+gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human@server.com"
+@end example
+
+When genarting a key, make sure the email specified matches the email used in git as some sites like
+github consider mismatches a reason to declare such commits unverified.
+
 @chapter Pre-push checklist
 
 Once you have a set of commits that you feel are ready for pushing,
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [RFC] git and signing commits and tags

[James Almer]

On 8/8/2022 11:50 AM, Michael Niedermayer wrote:
> Given the recent server issues, i wonder if we should suggest/recommand
> and document signing commits and tags

fwiw, the git repo isn't hosted in the server that had issues.

> 
> i tried to push such commit to github and it nicely says "verified"
> https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf
> 
> Ive generated a new gpg key for this experiment as i dont have my
> main key on the box used for git development and also using more
> modern eliptic curve stuff (smaller keys & sigs)
> i will upload this key to the keyservers in case it becomes the
> one i use for git.

I agree 100% we should sign release tags, and not only the tarballs.
Telling people to sign random commits isn't as useful, but if people 
want to do it then that's fine too.

> 
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> 
> mDMEYvA3sxYJKwYBBAHaRw8BAQdAhF26S5QlUZssryHGHLYw61FsF+0s54qWEDm1
> Rurfi5O0ME1pY2hhZWwgTmllZGVybWF5ZXIgPG1pY2hhZWwtZ2l0QG5pZWRlcm1h
> eWVyLmNjPoiWBBMWCAA+FiEE3R7J6N4IXGKbPhhGsY6JKLOUjWQFAmLwN7MCGwMF
> CQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQsY6JKLOUjWTKMwD8DW39
> MrtvYdjP/CvxWTma+MErgkFfrx67y+zO0r6vYmYA/063Y7s6+ef0Whydf5xlJLYF
> nX3ZwXnZubVsjJz0WV0EuDgEYvA3sxIKKwYBBAGXVQEFAQEHQD381bpdRfPa3DjW
> WFQx1IeRgeSavPep1v4C2noShjcTAwEIB4h4BBgWCAAgFiEE3R7J6N4IXGKbPhhG
> sY6JKLOUjWQFAmLwN7MCGwwACgkQsY6JKLOUjWRryQEA+nEGWw5ygbiYpSe34erz
> opoxh+iIUdzl+OnyU2fpNVsA/A91nhyyR8eMlAptr16FVoEnZBHtcK2cTcGxqkdL
> JMkG
> =D6v5
> -----END PGP PUBLIC KEY BLOCK-----
> 
> 
> 
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/2] MAINTAINERS: Add ED25519 key for tag/commit signing experiment

[James Almer]

On 8/8/2022 11:50 AM, Michael Niedermayer wrote:
> From: Michael Niedermayer <michael-git@niedermayer.cc>
> 
> Signed-off-by: Michael Niedermayer <michael-git@niedermayer.cc>
> ---
>   MAINTAINERS | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 7ed15f96f6..ed2ec0b90c 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -626,6 +626,7 @@ Leo Izen (thebombzen)         B6FD 3CFC 7ACF 83FC 9137 6945 5A71 C331 FD2F A19A
>   Loren Merritt                 ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE
>   Lynne                         FE50 139C 6805 72CA FD52 1F8D A2FE A5F0 3F03 4464
>   Michael Niedermayer           9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB
> +                              DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64

There is a "FFmpeg release signing key" key already, used for the 
tarballs, and which you obviously have access to. Can we not use it for 
the release tags too, instead of a new key to your name? It would 
probably require creating the git tags using the ffmpeg-devel@ffmpeg.org 
email.

This new key of yours could be used for your commits, but for the 
release tags, if possible better use the same key the relevant tarball 
will also use, IMO. It will simplify package managers that already fetch 
tarballs to also fetch git tags as fallback and not require the use of a 
different key for verification.

>   Nicolas George                24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93
>   Niklas Haas (haasn)           1DDB 8076 B14D 5B48 32FC 99D9 EB52 DA9C 02BA 6FB4
>   Nikolay Aleksandrov           8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/2] MAINTAINERS: Add ED25519 key for tag/commit signing experiment

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 2642 bytes --]

On Mon, Aug 08, 2022 at 12:16:36PM -0300, James Almer wrote:
> On 8/8/2022 11:50 AM, Michael Niedermayer wrote:
> > From: Michael Niedermayer <michael-git@niedermayer.cc>
> > 
> > Signed-off-by: Michael Niedermayer <michael-git@niedermayer.cc>
> > ---
> >   MAINTAINERS | 1 +
> >   1 file changed, 1 insertion(+)
> > 
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index 7ed15f96f6..ed2ec0b90c 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -626,6 +626,7 @@ Leo Izen (thebombzen)         B6FD 3CFC 7ACF 83FC 9137 6945 5A71 C331 FD2F A19A
> >   Loren Merritt                 ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE
> >   Lynne                         FE50 139C 6805 72CA FD52 1F8D A2FE A5F0 3F03 4464
> >   Michael Niedermayer           9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB
> > +                              DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64
> 
> There is a "FFmpeg release signing key" key already, used for the tarballs,
> and which you obviously have access to. Can we not use it for the release
> tags too, instead of a new key to your name? 

possible


> It would probably require
> creating the git tags using the ffmpeg-devel@ffmpeg.org email.

If the goal is to get a "verified" sticker on github i think that would require
an account on github too that has a gpg key and email of ffmpeg-devel@ffmpeg.org
iam not sure about the security implications if a github account uses a
public mailing list on a secondary email address


> 
> This new key of yours could be used for your commits, but for the release
> tags, if possible better use the same key the relevant tarball will also
> use, IMO. It will simplify package managers that already fetch tarballs to
> also fetch git tags as fallback and not require the use of a different key
> for verification.
> 
> >   Nicolas George                24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93
> >   Niklas Haas (haasn)           1DDB 8076 B14D 5B48 32FC 99D9 EB52 DA9C 02BA 6FB4
> >   Nikolay Aleksandrov           8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
> 

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

In fact, the RIAA has been known to suggest that students drop out
of college or go to community college in order to be able to afford
settlements. -- The RIAA

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [RFC] git and signing commits and tags

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 981 bytes --]

On Mon, Aug 08, 2022 at 12:02:39PM -0300, James Almer wrote:
> On 8/8/2022 11:50 AM, Michael Niedermayer wrote:
> > Given the recent server issues, i wonder if we should suggest/recommand
> > and document signing commits and tags
> 
> fwiw, the git repo isn't hosted in the server that had issues.

the developer git, no but the public facing git is
we have to host the public git because of https.
videolan cant host a https://  git on a .ffmpeg.org because they
do not have the ffmpeg.org SSL certificate

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Modern terrorism, a quick summary: Need oil, start war with country that
has oil, kill hundread thousand in war. Let country fall into chaos,
be surprised about raise of fundamantalists. Drop more bombs, kill more
people, be surprised about them taking revenge and drop even more bombs
and strip your own citizens of their rights and freedoms. to be continued

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [RFC] git and signing commits and tags

[Lynne]

Aug 8, 2022, 16:50 by michael@niedermayer.cc:

> Given the recent server issues, i wonder if we should suggest/recommand
> and document signing commits and tags
>
> i tried to push such commit to github and it nicely says "verified"
> https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf
>
> Ive generated a new gpg key for this experiment as i dont have my
> main key on the box used for git development and also using more
> modern eliptic curve stuff (smaller keys & sigs)
> i will upload this key to the keyservers in case it becomes the
> one i use for git.
>

I sign all of my commits, I think it should be recommended but
not required.

One downside is that you can sign commits from others with your
own key (for instance when pushing a patch from someone along
with your commits, and signing all at once via rebase), which can be
misleading, so it takes some work to reorder commits or push them
in stages so this doesn't happen. It makes sense that it's the
committer who's signing it, but git or github don't make a distinction
when it comes to signing.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [RFC] git and signing commits and tags

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1766 bytes --]

On Mon, Aug 08, 2022 at 09:26:52PM +0200, Lynne wrote:
> Aug 8, 2022, 16:50 by michael@niedermayer.cc:
> 
> > Given the recent server issues, i wonder if we should suggest/recommand
> > and document signing commits and tags
> >
> > i tried to push such commit to github and it nicely says "verified"
> > https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf
> >
> > Ive generated a new gpg key for this experiment as i dont have my
> > main key on the box used for git development and also using more
> > modern eliptic curve stuff (smaller keys & sigs)
> > i will upload this key to the keyservers in case it becomes the
> > one i use for git.
> >
> 
> I sign all of my commits, 

I didnt notice, but thats good as it also proofs it works with no ill
sideeffects

Where can i find your public key ? it seems its not on the keyservers i checked


> I think it should be recommended but
> not required.

yes, for now, thats certainly the right path. In the future
this should maybe be reevaluated


> 
> One downside is that you can sign commits from others with your
> own key (for instance when pushing a patch from someone along
> with your commits, and signing all at once via rebase), which can be
> misleading, so it takes some work to reorder commits or push them
> in stages so this doesn't happen. It makes sense that it's the
> committer who's signing it, but git or github don't make a distinction
> when it comes to signing.

I dont see much harm if other commits are signed too. 

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I do not agree with what you have to say, but I'll defend to the death your
right to say it. -- Voltaire

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [RFC] git and signing commits and tags

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1782 bytes --]

On Tue, Aug 09, 2022 at 12:36:53AM +0200, Michael Niedermayer wrote:
> On Mon, Aug 08, 2022 at 09:26:52PM +0200, Lynne wrote:
> > Aug 8, 2022, 16:50 by michael@niedermayer.cc:
> > 
> > > Given the recent server issues, i wonder if we should suggest/recommand
> > > and document signing commits and tags
> > >
> > > i tried to push such commit to github and it nicely says "verified"
> > > https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf
> > >
> > > Ive generated a new gpg key for this experiment as i dont have my
> > > main key on the box used for git development and also using more
> > > modern eliptic curve stuff (smaller keys & sigs)
> > > i will upload this key to the keyservers in case it becomes the
> > > one i use for git.
> > >
> > 
> > I sign all of my commits, 
> 
> I didnt notice, but thats good as it also proofs it works with no ill
> sideeffects
> 
> Where can i find your public key ? it seems its not on the keyservers i checked

Your key seems only on openpgp.org but that strips userids unless the owner approves it 
(i presume for GDPR) making the key not work

gpg --keyserver hkps://keys.openpgp.org --recv-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
gpg: key A2FEA5F03F034464: no user ID
gpg: Total number processed: 1

gpg --list-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
gpg: error reading key: No public key

gpg --recv-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
gpg: keyserver receive failed: No data


[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Homeopathy is like voting while filling the ballot out with transparent ink.
Sometimes the outcome one wanted occurs. Rarely its worse than filling out
a ballot properly.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [RFC] git and signing commits and tags

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1915 bytes --]

On Tue, Aug 09, 2022 at 12:59:52PM +0200, Michael Niedermayer wrote:
> On Tue, Aug 09, 2022 at 12:36:53AM +0200, Michael Niedermayer wrote:
> > On Mon, Aug 08, 2022 at 09:26:52PM +0200, Lynne wrote:
> > > Aug 8, 2022, 16:50 by michael@niedermayer.cc:
> > > 
> > > > Given the recent server issues, i wonder if we should suggest/recommand
> > > > and document signing commits and tags
> > > >
> > > > i tried to push such commit to github and it nicely says "verified"
> > > > https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf
> > > >
> > > > Ive generated a new gpg key for this experiment as i dont have my
> > > > main key on the box used for git development and also using more
> > > > modern eliptic curve stuff (smaller keys & sigs)
> > > > i will upload this key to the keyservers in case it becomes the
> > > > one i use for git.
> > > >
> > > 
> > > I sign all of my commits, 
> > 
> > I didnt notice, but thats good as it also proofs it works with no ill
> > sideeffects
> > 
> > Where can i find your public key ? it seems its not on the keyservers i checked
> 
> Your key seems only on openpgp.org but that strips userids unless the owner approves it 
> (i presume for GDPR) making the key not work
> 
> gpg --keyserver hkps://keys.openpgp.org --recv-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
> gpg: key A2FEA5F03F034464: no user ID
> gpg: Total number processed: 1
> 
> gpg --list-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
> gpg: error reading key: No public key
> 
> gpg --recv-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
> gpg: keyserver receive failed: No data

found your key with google here:
https://lynne.ee/extra/A2FEA5F03F034464.asc

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

There will always be a question for which you do not know the correct answer.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [RFC] git and signing commits and tags

[Gerion Entrup]

[-- Attachment #1.1: Type: text/plain, Size: 2730 bytes --]

Hi,

Am Montag, 8. August 2022, 21:26:52 CEST schrieb Lynne:
> Aug 8, 2022, 16:50 by michael@niedermayer.cc:
> 
> > Given the recent server issues, i wonder if we should suggest/recommand
> > and document signing commits and tags
> >
> > i tried to push such commit to github and it nicely says "verified"
> > https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf
> >
> > Ive generated a new gpg key for this experiment as i dont have my
> > main key on the box used for git development and also using more
> > modern eliptic curve stuff (smaller keys & sigs)
> > i will upload this key to the keyservers in case it becomes the
> > one i use for git.
> >
> 
> I sign all of my commits, I think it should be recommended but
> not required.
> 
> One downside is that you can sign commits from others with your
> own key (for instance when pushing a patch from someone along
> with your commits, and signing all at once via rebase), which can be
> misleading, so it takes some work to reorder commits or push them
> in stages so this doesn't happen. It makes sense that it's the
> committer who's signing it, but git or github don't make a distinction
> when it comes to signing.

Since Git is kind of a blockchain (it includes the hash of the predecessor
commits) you technically sign the entire tree anyways not just the
individual commit. Especially in a rebase, the original author signs the
original commit hash (which changes in a rebase), so it is not possible
to use the same signature again.
But I understand that a direct mapping between author and singing person
would be nice.

For releases, I think that the attacker model is important. The typical
scenario is that one clones the repository, than checkouts a tag and
compiles FFmpeg. For that one wants to know that the code is not
manipulated by a third party (a person not trusted by the FFmpeg project).
If the last commit is signed then, the user know that they can trust
the entire code.
If they checkout a random commit that is not signed, they cannot be sure
that the set of changes up to the next signed commit of an FFmpeg author
comes from a person trusted by FFmpeg.
But for that it doesn't matter which of the devs has signed the commit.
So I think for end users a signed release commit is most valuable,
individual commits are valuable, too, and it's important that the
signature must always come from a person trusted by the FFmpeg project.

Best,
Gerion

> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
> 


[-- Attachment #1.2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [RFC] git and signing commits and tags

[Lynne]

Aug 9, 2022, 13:02 by michael@niedermayer.cc:

> On Tue, Aug 09, 2022 at 12:59:52PM +0200, Michael Niedermayer wrote:
>
>> On Tue, Aug 09, 2022 at 12:36:53AM +0200, Michael Niedermayer wrote:
>> > On Mon, Aug 08, 2022 at 09:26:52PM +0200, Lynne wrote:
>> > > Aug 8, 2022, 16:50 by michael@niedermayer.cc:
>> > > 
>> > > > Given the recent server issues, i wonder if we should suggest/recommand
>> > > > and document signing commits and tags
>> > > >
>> > > > i tried to push such commit to github and it nicely says "verified"
>> > > > https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf
>> > > >
>> > > > Ive generated a new gpg key for this experiment as i dont have my
>> > > > main key on the box used for git development and also using more
>> > > > modern eliptic curve stuff (smaller keys & sigs)
>> > > > i will upload this key to the keyservers in case it becomes the
>> > > > one i use for git.
>> > > >
>> > > 
>> > > I sign all of my commits, 
>> > 
>> > I didnt notice, but thats good as it also proofs it works with no ill
>> > sideeffects
>> > 
>> > Where can i find your public key ? it seems its not on the keyservers i checked
>>
>> Your key seems only on openpgp.org but that strips userids unless the owner approves it 
>> (i presume for GDPR) making the key not work
>>
>> gpg --keyserver hkps://keys.openpgp.org --recv-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
>> gpg: key A2FEA5F03F034464: no user ID
>> gpg: Total number processed: 1
>>
>> gpg --list-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
>> gpg: error reading key: No public key
>>
>> gpg --recv-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
>> gpg: keyserver receive failed: No data
>>
>
> found your key with google here:
> https://lynne.ee/extra/A2FEA5F03F034464.asc
>

I just pushed it to keyserver.ubuntu.com, the only still working server
I found, surprisingly. Seems a few months ago sks (a protocol/sever?
to share keys between servers) was deprecated and most servers went
down, and the GDPR also took some out. Sad. There's some work done
to make a new protocol/server apparently.
I'm very sure I pushed my key to the MIT server back when I made it in 2019,
but that server also seems like it's forgotten my key and not accepting it.

I once imported all maintainer keys listed in MAINTAINERS and found many
were revoked (I think compn's), while some used triple DES. The oldest key
I found for a maintainer is actually Nicolas George's key, a triple DES from 2001!
Maybe we should clean up the list of keys.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [RFC] git and signing commits and tags

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 3682 bytes --]

On Tue, Aug 09, 2022 at 07:50:13PM +0200, Lynne wrote:
> Aug 9, 2022, 13:02 by michael@niedermayer.cc:
> 
> > On Tue, Aug 09, 2022 at 12:59:52PM +0200, Michael Niedermayer wrote:
> >
> >> On Tue, Aug 09, 2022 at 12:36:53AM +0200, Michael Niedermayer wrote:
> >> > On Mon, Aug 08, 2022 at 09:26:52PM +0200, Lynne wrote:
> >> > > Aug 8, 2022, 16:50 by michael@niedermayer.cc:
> >> > > 
> >> > > > Given the recent server issues, i wonder if we should suggest/recommand
> >> > > > and document signing commits and tags
> >> > > >
> >> > > > i tried to push such commit to github and it nicely says "verified"
> >> > > > https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf
> >> > > >
> >> > > > Ive generated a new gpg key for this experiment as i dont have my
> >> > > > main key on the box used for git development and also using more
> >> > > > modern eliptic curve stuff (smaller keys & sigs)
> >> > > > i will upload this key to the keyservers in case it becomes the
> >> > > > one i use for git.
> >> > > >
> >> > > 
> >> > > I sign all of my commits, 
> >> > 
> >> > I didnt notice, but thats good as it also proofs it works with no ill
> >> > sideeffects
> >> > 
> >> > Where can i find your public key ? it seems its not on the keyservers i checked
> >>
> >> Your key seems only on openpgp.org but that strips userids unless the owner approves it 
> >> (i presume for GDPR) making the key not work
> >>
> >> gpg --keyserver hkps://keys.openpgp.org --recv-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
> >> gpg: key A2FEA5F03F034464: no user ID
> >> gpg: Total number processed: 1
> >>
> >> gpg --list-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
> >> gpg: error reading key: No public key
> >>
> >> gpg --recv-keys FE50139C680572CAFD521F8DA2FEA5F03F034464
> >> gpg: keyserver receive failed: No data
> >>
> >
> > found your key with google here:
> > https://lynne.ee/extra/A2FEA5F03F034464.asc
> >
> 
> I just pushed it to keyserver.ubuntu.com, the only still working server
> I found, surprisingly. Seems a few months ago sks (a protocol/sever?
> to share keys between servers) was deprecated and most servers went
> down, and the GDPR also took some out. Sad. There's some work done
> to make a new protocol/server apparently.
> I'm very sure I pushed my key to the MIT server back when I made it in 2019,
> but that server also seems like it's forgotten my key and not accepting it.

yes, i was also scratching my head yesterday about this keyserver apocalypse
the script below was what i ended up writing but iam not sure its usefull

#!/bin/bash
gpg --keyserver hkps://pgp.mit.edu          --recv-keys $* &
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys $* &
gpg --keyserver hkps://keys.openpgp.org     --recv-keys $* &
gpg --keyserver hkps://keys.gnupg.net       --recv-keys $* &
gpg --keyserver hkps://keyserver.pgp.com    --recv-keys $* &



> 
> I once imported all maintainer keys listed in MAINTAINERS and found many
> were revoked (I think compn's), while some used triple DES. The oldest key
> I found for a maintainer is actually Nicolas George's key, a triple DES from 2001!

> Maybe we should clean up the list of keys.

yes

maybe we also should collect the full public keys and not just the hashes
this list of hashes came from a time where obtaining a key from a hash
was trivial

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Take away the freedom of one citizen and you will be jailed, take away
the freedom of all citizens and you will be congratulated by your peers
in Parliament.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/2] MAINTAINERS: Add ED25519 key for tag/commit signing experiment

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1302 bytes --]

On Mon, Aug 08, 2022 at 04:50:07PM +0200, Michael Niedermayer wrote:
> From: Michael Niedermayer <michael-git@niedermayer.cc>
> 
> Signed-off-by: Michael Niedermayer <michael-git@niedermayer.cc>
> ---
>  MAINTAINERS | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 7ed15f96f6..ed2ec0b90c 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -626,6 +626,7 @@ Leo Izen (thebombzen)         B6FD 3CFC 7ACF 83FC 9137 6945 5A71 C331 FD2F A19A
>  Loren Merritt                 ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE
>  Lynne                         FE50 139C 6805 72CA FD52 1F8D A2FE A5F0 3F03 4464
>  Michael Niedermayer           9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB
> +                              DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64
>  Nicolas George                24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93
>  Niklas Haas (haasn)           1DDB 8076 B14D 5B48 32FC 99D9 EB52 DA9C 02BA 6FB4
>  Nikolay Aleksandrov           8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1

will apply this one and attempt to start using it for commits


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

What does censorship reveal? It reveals fear. -- Julian Assange

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/2] MAINTAINERS: Add ED25519 key for tag/commit signing experiment

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 2343 bytes --]

On Mon, Aug 08, 2022 at 05:43:15PM +0200, Michael Niedermayer wrote:
> On Mon, Aug 08, 2022 at 12:16:36PM -0300, James Almer wrote:
> > On 8/8/2022 11:50 AM, Michael Niedermayer wrote:
> > > From: Michael Niedermayer <michael-git@niedermayer.cc>
> > > 
> > > Signed-off-by: Michael Niedermayer <michael-git@niedermayer.cc>
> > > ---
> > >   MAINTAINERS | 1 +
> > >   1 file changed, 1 insertion(+)
> > > 
> > > diff --git a/MAINTAINERS b/MAINTAINERS
> > > index 7ed15f96f6..ed2ec0b90c 100644
> > > --- a/MAINTAINERS
> > > +++ b/MAINTAINERS
> > > @@ -626,6 +626,7 @@ Leo Izen (thebombzen)         B6FD 3CFC 7ACF 83FC 9137 6945 5A71 C331 FD2F A19A
> > >   Loren Merritt                 ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE
> > >   Lynne                         FE50 139C 6805 72CA FD52 1F8D A2FE A5F0 3F03 4464
> > >   Michael Niedermayer           9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB
> > > +                              DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64
> > 
> > There is a "FFmpeg release signing key" key already, used for the tarballs,
> > and which you obviously have access to. Can we not use it for the release
> > tags too, instead of a new key to your name? 
> 
> possible
> 
> 
> > It would probably require
> > creating the git tags using the ffmpeg-devel@ffmpeg.org email.
> 
> If the goal is to get a "verified" sticker on github i think that would require
> an account on github too that has a gpg key and email of ffmpeg-devel@ffmpeg.org
> iam not sure about the security implications if a github account uses a
> public mailing list on a secondary email address

also i just noticed that "git tag" seems not to have any option to set the
tagger. I would have to hack the git config to set it to 
ffmpeg-devel@ffmpeg.org, that feels really like iam doing something thats not
supposed to be done. So for 5.1.1 ill stay with the natural thing and just
create the tag, but iam happy to set the tagger and key to anything people
want. Please start a RFC or something if you want so people can discuss
this, i wonder what other projects do ...

thx

[...]



-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Asymptotically faster algorithms should always be preferred if you have
asymptotical amounts of data

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".