Archives
/
git-secret
mirror of https://github.com/sobolevn/git-secret
2
1
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
gh-pages
master
sobolevn-patch-5
verbose-test-output-2024
dependabot/docker/dot-ci/release-ci/ubuntu/ubuntu-24.04
dependabot/docker/dot-ci/docker-ci/ubuntu/ubuntu-24.04
dependabot/github_actions/actions/github-script-7
sobolevn-patch-4
test-apk-and-arch
issue-881-towards-new-release
issue-916-disable-arch-tests
issue-135-spaces-in-parent-dirs
issue-918-stat-on-osx
fix-arch-signature-issue
sobolevn-patch-3
sobolevn-patch-2
sobolevn-patch-1
gitignore-grep-improvement
update-changelog
update-bats-to-1.6.0
add-multiple-files-gitignore
automated-verbose-test
passphrase1
test-on-arch
renames1
revert_usage_error_change
alma-tests
issue-765-rocky-linux
issue-755-changelog-for-bats-update
issue-638-dup-emails-test
issue-710-changelog
issue-752-add-directory
issue-710-cat-subdir-bug
v0.5.0
v0.4.0
v0.3.3
v0.2.3
v0.2.2
v0.2.1
v0.2.0
v0.1.2
v0.1.1
v0.1.0
prerelease
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.7-alpha
v0.3.0
v0.3.1
v0.3.2
v0.4.0.alpha1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ab3265d4b0'
${ noResults }
git-secret/RFC/RFC001.md

4.5 KiB
Raw Blame History

RFC 0001 A stable and forwards compatible public key storage format

Feature Name: Stable public key storage

Status: Draft (first parts sketched)

Type: Enhancement

Start Date: 2018-06-14

Author: Simon Massey

Related components: Core

GitHub issues:

  • #136 GnuPG2 2.2 vs 2.1 conflicts in keybox format

Summary

A new internal public key storage format that avoids forwards compatibility issues between GPG releases. This proposal will keep forwards compatibility with older versions of git-secret.

Motivation

GPG maintains backwards compatibility but not forwards compatibility. Users typically upgrade GPG but do not downgrade. This means that running a new GPG version will typially update the keyring storage files in a way that is not recognised by older versions of GPG. This is normally not a problem of typicaly GPG usage as users typically only upgrade and do not downgrade. It is a problem for git-secret as the keyring storage is committed to git and shared between users. Some uses can be using an older version of GPG that cannot open the upgraded keyring file.

Approach

git-secret will move away from using the keyring format as shared storage of public keys. Instead it will store public keys as seperate files. The export format is stable and forwards compatibile as it is normal for GPG uses to be running different versions and to exchange keys. Any future bugs that effect git-secret's ability to use the files will also effect typical GPG usage. Such bugs are likely to be fixed by the wider GPG community.

git-secret may need to store and process meta-data about keys to make it efficient to work with keys that are individually stored. It will use the matchine readable "colon listings format" for this purpose.

It is anticipated that bash and gawk will be suffient to be able to impliment and use the new shared key storage format.

Design

The storage format will be:

  1. Keys will be stored in ~/.gitsecret/keys in gpg --armor --export format. The use of ascii armour rather than binary format is to make debugging of key issues easier. The file name of the key will be the "64 bit keyid" (field 5 of the colon listings format) with extension .pub.gpg
  2. Key meta data will be stored alongside the key file in the gpg --keyid-format long --with-colons format. The file name will be the "64 bit keyid" (field 5 of the colon listings format) with extension .gpg.colon
  3. A "keyring cache" will be create at ~/.gitsecret/cache and this folder will be added to .gitignore. At this location a public keyring will be maintained on a per user bases and it won't be shared by users.
  4. A tombestone marker file with file name of the "64 bit keyid" with the extension .killed will be created by git-secret-killperson to mark a user as killed.

The storage format will be used by git-secret-tell as follows:

  1. Scan the set of .gpg.colon to find all currently told identities. If the told identity is in the current list do nothing.
  2. If the told identity isn't listed run gpg --armor --export against the users $HOME keyring. Run --keyid-format long --with-colons of the exported key. The result being two new files <key-id>.pub.gpg and <key-id>.gpg.colon in ~/.gitsecret/keys

The storage format will be used by git-secret-hide as follows:

  1. The list of "64 bit keyid"s who are told will be computed from the .gpg.colon files. This will be checked against the list of "64 bit keyid"s in the "keyring cache" at ~/.gitsecret/cache. Any missing keys are imported into the "keyring cache". It is anticipated that grep and gawk will be suffient to be perform this calculation. The code then runs as normal using the keyring cache.

The storage format will be used by git-secret-killperson as follows:

TBD

The storage format will be used by git-secret-xxx as follows:

TBD

Forwards compatibility with older versions of git-secret will be mantained as follows:

TBD

Drawbacks

To maintain forward compatibility the approach requires the eixsting logic to kept working for a perod of time... TBD

Alternatives

What other designs have been considered? Unknown.

What is the impact of not doing this? Team members are locked out of their secrets broken when one user upgrades. This can go undetected until the victim needs the secrets in a hurry for production support. Bad things then happen.

Unresolved questions

What parts of the design are still to be done? See TBD points above.