Enable signature support in 'kiss update'.

[dylanaraps]

From now all commits to the kisslinux repositories are signed. This is further enforced by GitHub using branch protections to deny any unsigned commits.

On kiss update a git fetch and git merge --verify-signatures will be done in place of git pull. This only allows a merge of remote changes if

1) commits are signed. 2) commits can be verified.

Signing will also be an opt-in feature to begin. This allows a testing period for existing users with an easy method of reverting back to the current update process.

I'm leaning towards this being the default afterwards though I'm still thinking about it.

---

Hurdles to overcome before this will reach users:

• Issue 1: This can't be implemented for at the very least two weeks. 'git merge --verify-signatures' aborts since there's a mix of signed/unsigned commits so it'll take some time until all present unsigned commits have been pulled by users.

  • Ugly solution: Go back and sign every commit in the repository.
    • Can this be done without destroying the current history?
  • SOLVED, users can opt-in now.
    

• Issue 2: Detecting whether or not the repository should have signatures verified (ie a user repository not signing commits).

  • Possible solution: Check git log --show-signature for the presence of signed commits.
  • SOLVED through the user setting git config merge.verifySignatures true.
    

• Issue 3: Handling the import and trust of the public key.

  • SOLVED through the user manually importing and trusting the key.

Notes:

• gnupg1 can be installed by default in new KISS installs.

  • Requires no additional dependencies (KISS includes them all in the base).
  • Is still fine for use (source).

    • GnuPG 1.4 ("classic") will stay for embedded and server usage, as it brings less dependencies and smaller binaries. Earlier, it was often installed as gpg, today it is more often named gpg1 (depending on distribution).

[dylanaraps]

Was just informed of this tool: https://z3bra.org/sick

Leaving this here as a note.

[dylanaraps]

NOTE: this will also involve signing the kiss-chroot tarballs.

[dylanaraps]

Repository signing is fully functional as of kiss 0.41.1, however it is currently opt-in.

This is an example update (just a single new commit).

-> Updating repositories
-> /var/db/kiss/repo Updating repository
-> /var/db/kiss/repo Need root to update
Commit 41f27e0 has a good GPG signature by Dylan Araps <dylan.araps@gmail.com>
Updating e2c00a9..41f27e0
Fast-forward
 core/kiss/checksums | 2 +-
 core/kiss/sources   | 2 +-
 core/kiss/version   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
-> Checking for new package versions
-> Everything is up to date

The specific line to look at is:

Commit 41f27e0 has a good GPG signature by Dylan Araps <dylan.araps@gmail.com>

[dylanaraps]

Opting into package signing for the system-wide repository:

NOTE: sudo/root is required to use signing with /var/db/kiss/repo, as root is needed to pull system-wide updates. You can alternatively clone https://github.com/kisslinux/repo somewhere in your $HOME and modify $KISS_PATH to do this solely as a normal user.

NOTE: root is only used during updates to run git fetch, git merge (runs gpg) and to install packages.

1) Run kiss u beforehand and ensure your repositories are up to date.

• This ensures you pull the last of the unsigned commits. 2) Update the package manager to kiss 0.41.2.
• Step #1 should handle this too. 3) Build and install gnupg1.
• kiss b gnupg1 and kiss i gnupg1.
• See my rationale here: https://github.com/repology/repology-rules/issues/285 4) Change user to root.
• su 5) Import my key the keyring.
• gpg --recv-key 46D62DD9F1DE636E. 6) Trust my public key.
• echo "trusted-key 0x46d62dd9f1de636e" >> /root/.gnupg/gpg.conf 7) Go to the system-wide repository.
• cd /var/db/kiss/repo. 8) Enable signature verification.
• git config merge.verifySignatures true.

Use of kiss u will now verify signatures for the system repositories.

[dylanaraps]

[dylanaraps]

This is done.