Signing revisions using GnuPG

By using cryptographic signing of commits, it is possible to verify the true identity of the committer. Revisions can be signed automatically at the time they are committed, or later manually. Signed commits are verified automatically when viewing the logs, or can be verified manually.

There are a few things to prepare in order to use signatures with Bazaar:

  • Your digital signature key for signing
  • The GnuPG tool to work with signatures
  • The gpgme Python module for working with GnuPG
  • The Bazaar configuration to use signatures with Bazaar commands

Getting a digital signature key for signing is beyond the scope of this book. Please refer to the following article for more information:

https://help.launchpad.net/YourAccount/ImportingYourPGPKey

Note

GnuPG stands for GNU Privacy Guard. It is a free software alternative to the PGP suite of cryptographic software. For more information, see the project's homepage at http://www.gnupg.org/.

Configuring the signing key used by Bazaar

By default, Bazaar uses the signing key that matches your identity as configured by the bzr whoami command or the email configuration in your ~/.bazaar/bazaar.conf file. To use a different signing key, add a configuration entry as follows:

gpg_signing_key = 12345678

You can add this configuration either in ~/.bazaar/branch.conf to be effective globally in all your projects, or in the .bzr/branch/branch.conf file of a branch to limit its use within that branch.

The value of the signing key comes from the pub line in the output of gpg --list-keys. For example:

$ gpg --list-keys
/home/janos/.gnupg/pubring.gpg
-------------------------------
pub   2048R/12345678 2012-06-24
uid                  Janos Gyerik <[email protected]>
sub   2048R/23456789 2012-06-24

Setting up a sample repository

Let's create a new shared repository to test signing revisions:

$ bzr init-repo /sandbox/signing
Shared repository with trees (format: 2a)
Location:
  shared repository: /sandbox/signing
$ cd /sandbox/signing

Next, let's grab a sample branch with several committers:

$ bzr branch lp:~bzrbook/bzrbook-examples/unsigned --standalone --no-tree
Branched 3 revisions.

Verifying signatures

Before signing anything, it helps to first understand how to verify signatures by using the bzr verify-signatures command:

$ bzr verify-signatures unsigned/
0 commits with valid signatures
0 commits with key now expired
0 commits with unknown keys
0 commits not valid
3 commits not signed

Since we didn't specify the revisions, this verified all the commits in the branch. You can specify revisions by using the -r flag as usual, for example, to verify only the latest revision:

$ bzr verify-signatures unsigned/ -rlast:1
0 commits with valid signatures
0 commits with key now expired
0 commits with unknown keys
0 commits not valid
1 commit not signed

As the output suggests, in addition to checking whether a commit is signed or not signed, the command also checks for expiration, validity, and whether the key has been imported into your key ring or not.
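The summary above is easy to check mechanically, for example before accepting a branch. The following is an added example, not code from the book or from Bazaar: a hypothetical check_signatures function that reads the output of bzr verify-signatures and fails unless every commit verified. It also accepts the one-line message that bzr prints when all commits are signed with verifiable keys.

```shell
#!/bin/sh
# Added example, not from the book. The two samples are the summaries shown on
# this page for the unsigned branch and for a fully signed revision range.
SAMPLE_UNSIGNED='0 commits with valid signatures
0 commits with key now expired
0 commits with unknown keys
0 commits not valid
3 commits not signed'
SAMPLE_SIGNED='All commits signed with verifiable keys'

# check_signatures: read `bzr verify-signatures` output on stdin.
# Returns 0 if every commit verified, 1 if any commit is unsigned, not valid,
# or signed with an unknown or expired key, 2 if the summary is unrecognised.
check_signatures() {
    awk '
        /^All commits signed with verifiable keys/ { all_ok = 1 }
        /^[0-9]+ commits? with valid signature/    { seen = 1 }
        /^[0-9]+ commits? (with key now expired|with unknown key|not valid|not signed)/ {
            seen = 1
            bad += $1
            if ($1 > 0) print "FAIL: " $0 > "/dev/stderr"
        }
        END {
            if (all_ok) exit 0
            if (!seen) exit 2          # fail closed on unexpected output
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# Demo on the embedded samples and on empty input.
for sample in "$SAMPLE_UNSIGNED" "$SAMPLE_SIGNED" ""; do
    rc=0
    printf '%s\n' "$sample" | check_signatures 2>/dev/null || rc=$?
    echo "exit status: $rc"
done
```

With a real branch, pipe the command into the function: bzr verify-signatures unsigned/ | check_signatures.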

Signing existing revisions

First, let's create a test branch to work on:

$ bzr branch unsigned/ signed
Branched 3 revisions.

You can sign the existing revisions by using the bzr sign-my-commits command:

$ bzr sign-my-commits signed/
Signed 0 revisions

As the name of the command suggests, by default, it signs only the revisions committed by you; that is, revisions that match the value of your email configuration or the output of the bzr whoami command. To sign the revisions by other committers, you must specify the name of the committer as it appears in bzr log. For example:

$ bzr log signed/ | grep committer
committer: Anna <[email protected]>
committer: [email protected]
committer: [email protected]
$ bzr sign-my-commits signed/ 'Anna <[email protected]>'
[email protected]

You need a passphrase to unlock the secret key for
user: "Janos Gyerik <[email protected]>"
2048-bit RSA key, ID 12345678, created 2012-06-24

Signed 1 revisions

The preceding steps sign all the commits whose committer information matches precisely the one given on the command line. In this step, you must enter the passphrase of your signing key, unless you have already stored it in memory by using gpg-agent or a similar key manager. You can confirm that the commit is now signed correctly by re-running the bzr verify-signatures command:

$ bzr verify-signatures signed/ -rlast:1
All commits signed with verifiable keys

To see more details about the signature, take a look at the revision by using bzr log, and specify the --signatures flag:

$ bzr log signed/ --signatures -rlast:1
------------------------------------------------------------
revno: 3
committer: Anna <[email protected]>
branch nick: unsigned
timestamp: Tue 2012-11-06 21:50:46 +0100
signature: valid signature from Janos Gyerik <[email protected]>
message:
  added shell implementation

Bazaar Explorer also shows the signature details when viewing the revision logs.
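In the log above, the revision committed by Anna carries a valid signature from Janos: the signature line names whoever signed, which is not necessarily the committer. The following added example (not from the book or from Bazaar) defines a hypothetical audit_signers function that reads bzr log --signatures output and reports revisions that lack a valid signature or whose signer address differs from the committer address. The sample log, its addresses, and the wording of the unsigned line are constructed assumptions.

```shell
# Added example, not from the book. The log is constructed and abbreviated:
# addresses are placeholders, and the "no signature" wording is an assumption.
SAMPLE_LOG='------------------------------------------------------------
revno: 3
committer: Anna <anna@example.com>
signature: valid signature from Janos Gyerik <janos@example.com>
message:
  added shell implementation
------------------------------------------------------------
revno: 2
committer: janos@example.com
signature: valid signature from Janos Gyerik <janos@example.com>
message:
  added python implementation
------------------------------------------------------------
revno: 1
committer: bob@example.com
signature: no signature
message:
  initial import'

# audit_signers: read `bzr log --signatures` output on stdin; print one line
# per revision that is not validly signed or was signed by another identity.
audit_signers() {
    awk '
        function email(s) {   # address inside <...>, else the whole string
            if (match(s, /<[^>]+>/)) s = substr(s, RSTART + 1, RLENGTH - 2)
            return tolower(s)
        }
        function report() {
            if (revno == "") return
            if (signer == "") {
                print revno ": NOT-VALID (" (sig == "" ? "no signature line" : sig) ")"
            } else if (email(signer) != email(committer)) {
                print revno ": MISMATCH committer=" committer " signer=" signer
            }
        }
        /^-+$/         { report(); revno = committer = signer = sig = ""; next }
        /^revno: /     { revno = $2 }
        /^committer: / { committer = substr($0, 12) }
        /^signature: / {
            sig = substr($0, 12)
            if (sig ~ /^valid signature from /) signer = substr(sig, 22)
        }
        END { report() }
    '
}

printf '%s\n' "$SAMPLE_LOG" | audit_signers
```

Any signature line that does not begin with "valid signature from" is reported, so the check does not depend on the exact text bzr prints for unsigned or failing revisions.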

bzr sign-my-commits has some limitations:

  • It cannot sign commits of specific revisions; only of specific committers
  • It cannot sign commits that already have a signature

Signing a range of commits

There is a hidden command bzr re-sign, which can be used to sign a range of commits or commits that already have a signature:

$ bzr re-sign -rlast:2..last:1 -d signed/

You need a passphrase to unlock the secret key for
user: "Janos Gyerik <[email protected]>"
2048-bit RSA key, ID 12345678, created 2012-06-24


You need a passphrase to unlock the secret key for
user: "Janos Gyerik <[email protected]>"
2048-bit RSA key, ID 12345678, created 2012-06-24

Although this works, you must enter your passphrase for each revision to sign.

Signing new commits automatically

In order to sign all your new commits automatically, you need to add the following configuration:

create_signatures = always

You can either add this configuration in the [DEFAULT] section of the global configuration file ~/.bazaar/bazaar.conf, or in a branch configuration file .bzr/branch/branch.conf. An easy way to set or reset this configuration is by using the bzr config command.

Use the following commands to set and reset the configuration in the current branch:

$ bzr config create_signatures=always
$ bzr config create_signatures --remove

Use the following commands to set and reset the configuration globally for all your commits:

$ bzr config create_signatures=always --scope=bazaar
$ bzr config create_signatures --remove --scope=bazaar

The only currently supported value for the configuration is always; other possible values may be added in the future. For more details, see the create_signatures section in bzr help configuration.

When this configuration is enabled, commit operations can only succeed after the revision is signed. If the signing fails for some reason, for example, if the entered passphrase is incorrect, then the commit itself will fail too:

$ bzr init temp
Created a repository branch (format: 2a)
Using shared repository: /sandbox/signing/
$ cd temp/

$ date > date.txt
$ bzr add
adding date.txt
$ bzr commit -m 'just a test'
Committing to: /sandbox/signing/temp/
added date.txt

You need a passphrase to unlock the secret key for
user: "Janos Gyerik <[email protected]>"
2048-bit RSA key, ID 12345678, created 2012-06-24

gpg: gpg-agent is not available in this session
Enter passphrase:
gpg: Interrupt caught ... exiting
bzr: interrupted
$ bzr status
added:
  date.txt