
make sequoia-git verification model more explicit

In general, how does sequoia-git work? Reading the README and the spec, I find myself lacking answers to basic questions like:

  • do all commits in a repo need to be signed before being trusted?
  • what about unreachable commits?
  • what about merging commits from a third-party that doesn't sign their commits? is that allowed?
  • how do changes to the configuration file get authenticated?

I am keeping a relatively exhaustive directory of "how to authenticate a git repo" solutions in our gitlab documentation (scroll down in the table of contents to "Git repository integrity solutions" for an index). I'm wondering where sequoia-git fits in that landscape... The list I have so far is:

  • Guix: sign all commits
  • Arista: sign all commits in Gerrit
  • Gerwitz: sign all commits or at least merge commits
  • Torvalds: signed tags
  • Vick: git signatures AKA git notes
  • Walters: extended validation tags
  • Ryabitsev: b4 and patch attestations
  • Ryabitsev: Secure Scuttlebutt
  • Stelzer: ssh signatures
  • Lorenc: sigstore
  • Sirish: gittuf

At first read, I thought sequoia-git is like Guix ("sign all commits"), that all commits must be signed, but then the RFC explicitly says sequoia-git differs from that... So perhaps it's like Gerwitz ("sign all commits or at least merge commits")?

I think the RFC would greatly benefit from some diagrams of git commit graphs, some commits with signatures, some without, or with invalid keys, all that stuff, and show what sequoia-git would say about the different scenarios.

It would also be pretty neat if we could have a comparison to the other models (especially gittuf/sigstore) either in the RFC or README, as I suspect I'm not the only one that thinks "wait, why not use X instead" or "I already have this shell script that runs as a git hook, why do I need this?"...

It would also help if the README would spell out what this command does:

sq-git update-hook --trust-root=<COMMIT> "$@"

Same with CI: right now, we seem to be supposed to just read the source code for the container or update-hook to figure out what exactly those things are going to do...

I really want to like this project, but right now I have too many questions to just jump in directly.

Edited by Antoine Beaupré
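To make the difference between two of the models in the list above concrete (Guix, "sign all commits", versus Gerwitz, "sign all commits or at least merge commits"), here is an added toy model written for this page. It is not sequoia-git's code and it does not describe what sq-git actually does with a trust root; it only shows how the questions in the issue (unreachable commits, unsigned third-party commits behind a signed merge, a commit signed by an untrusted key) come out under each of those two policies when verification starts at a designated trust root. The commit history, key names and function names are all constructed for the example.

```python
from collections import deque

# Constructed sample history (not a real repository): sha -> (parents, signer).
# "signer" is the key that signed the commit, or None if it is unsigned.
# Parent order matters: parents[0] is the first parent, as in git.
HISTORY = {
    "r0": ([], "alice"),            # the commit we designate as trust root
    "a1": (["r0"], "alice"),
    "t1": (["a1"], None),           # third-party work, unsigned
    "t2": (["t1"], None),
    "m1": (["a1", "t2"], "alice"),  # alice merges the third-party branch and signs the merge
    "a2": (["m1"], "alice"),        # current tip
    "x1": (["a1"], "mallory"),      # signed by an untrusted key, never merged
    "u1": (["r0"], None),           # unsigned and unreachable from the tip
}
TRUSTED = {"alice"}                 # keys the policy accepts (assumed)


def collect(history, tip, root, first_parent_only=False):
    """Commits reachable from tip, stopping at root (which is excluded).

    Returns (commits, root_found).  With first_parent_only, only the
    first-parent chain is followed, so merged-in side branches are skipped.
    Commits not reachable from tip are never looked at.
    """
    seen, queue, root_found = set(), deque([tip]), False
    while queue:
        sha = queue.popleft()
        if sha == root:
            root_found = True
            continue
        if sha in seen:
            continue
        if sha not in history:
            raise KeyError(f"unknown commit {sha}")
        seen.add(sha)
        parents = history[sha][0]
        queue.extend(parents[:1] if first_parent_only else parents)
    return seen, root_found


def descends_from(history, tip, root, first_parent_only=False):
    """True if root is an ancestor of tip along the chain the policy checks."""
    return collect(history, tip, root, first_parent_only)[1]


def _offenders(history, tip, root, trusted, first_parent_only):
    commits, root_found = collect(history, tip, root, first_parent_only)
    if not root_found:
        raise ValueError(f"{tip} does not descend from trust root {root} on the checked chain")
    # A commit fails if it is unsigned or signed by a key outside the trusted set.
    return sorted(sha for sha in commits if history[sha][1] not in trusted)


def check_all_commits(history, tip, root, trusted):
    """Guix-style: every commit between root and tip must carry a trusted signature."""
    return _offenders(history, tip, root, trusted, first_parent_only=False)


def check_first_parent(history, tip, root, trusted):
    """Gerwitz-style: only the first-parent chain must be signed; a signed
    merge commit vouches for whatever it merged in."""
    return _offenders(history, tip, root, trusted, first_parent_only=True)


if __name__ == "__main__":
    print("all commits signed:", check_all_commits(HISTORY, "a2", "r0", TRUSTED))  # ['t1', 't2']
    print("merges signed:", check_first_parent(HISTORY, "a2", "r0", TRUSTED))     # []
```

Under the all-commits policy the unsigned third-party commits `t1` and `t2` are rejected even though alice signed the merge; under the first-parent policy they are accepted because the signed merge `m1` is what gets checked. `x1` (untrusted key) and `u1` (unsigned) are never examined from tip `a2` because they are unreachable from it, and asking for a trust root that is not on the checked chain (for example `t1` with the first-parent policy) is an error rather than a silent pass. In a real update hook the constructed dictionary would be replaced by the ref, old and new object ids the hook receives and by `git verify-commit` on each commit in the range; how sq-git itself interprets `--trust-root` is exactly what the issue asks the README to spell out.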