So as an exercise im trying to figure out how to locally verify a git commit signature.
As an example I am using https://github.com/ethereum/go-ethereum/commit/0a68558e7e025afebf67b81bf48ecb8b0fa7c06d.
The public key for this sig is https://github.com/web-flow.gpg.
When I run the following
git verify-commit 0a68558e7e025afebf67b81bf48ecb8b0fa7c06d
The result I get is that it is valid commit.
However I want to figure out a way to write a script to do this.
I have defined two files
commit.txt
commit 0a68558e7e025afebf67b81bf48ecb8b0fa7c06d
Author: Péter Szilágyi <peterke@gmail.com>
Date: Fri Aug 13 15:39:51 2021 +0300
accounts/external: handle 0 chainid as not-set for the Clef API (#23394)
* accounts/external: handle 0 chainid as not-set for the Clef API
* accounts/external: document SignTx
Co-authored-by: Felix Lange <fjl@twurst.com>
And using git cat-file -p <commit-hash> I get the signature and store it in a file doc.sig
-----BEGIN PGP SIGNATURE-----
wsBcBAABCAAQBQJhFmgXCRBK7hj4Ov3rIwAAkpoIACFP0wLY/5WA3rHgrU2s/6lT
DdTOK7HNnh00bJIEplGoVvMWku0mAHAgp8t+oerhQlwHC8quBIxo9ozzz7UBj0Aa
3VjFSBXnX5KCkW8kY8ZxT4xnuXgFJ/O5z59qSh+3S1Lt/B6c2ERP+3T6oylR+LMt
/Icr901l24kRKNOkjM6cM5jDGVpD+7CLQQKmwcq8A5Ee14EF+H2+/XaFJmilYhfL
r/BY4aPvQDP18vhwTKOVTpVzGmjLn/i0OU6kAfcY2LSzhfSJ0rlenQ0JQE4kK9KM
dh1E8WvySYOh7WD9iKkNPP2VbXuPoNaVQIwkJ06kab8edvKw1qQsWpogMtKlQAI=
=qe4m
-----END PGP SIGNATURE-----
However when I run
gpg verify doc.sig commit.txt
I get the following
gpg: Signature made Fri Aug 13 05:39:51 2021 PDT
gpg: using RSA key 4AEE18F83AFDEB23
gpg: BAD signature from "GitHub (web-flow commit signing) <noreply@github.com>" [unknown]
I get a similar result when trying to run verify the signature via openpgpjs script https://github.com/openpgpjs/openpgpjs
Anyone have an idea as to what i might be doing wrong.
The output you're seeing from git log is not the actual commit data. To see the actual commit data, run git cat-file commit OID:
tree d51ae01e7bd033c28b98e2e70fb5920cd5fe269f
parent fd604becbb952cc46111a77ea4e5b76b4617fa49
author Péter Szilágyi <peterke@gmail.com> 1628858391 +0300
committer GitHub <noreply@github.com> 1628858391 +0300
gpgsig -----BEGIN PGP SIGNATURE-----
wsBcBAABCAAQBQJhFmgXCRBK7hj4Ov3rIwAAkpoIACFP0wLY/5WA3rHgrU2s/6lT
DdTOK7HNnh00bJIEplGoVvMWku0mAHAgp8t+oerhQlwHC8quBIxo9ozzz7UBj0Aa
3VjFSBXnX5KCkW8kY8ZxT4xnuXgFJ/O5z59qSh+3S1Lt/B6c2ERP+3T6oylR+LMt
/Icr901l24kRKNOkjM6cM5jDGVpD+7CLQQKmwcq8A5Ee14EF+H2+/XaFJmilYhfL
r/BY4aPvQDP18vhwTKOVTpVzGmjLn/i0OU6kAfcY2LSzhfSJ0rlenQ0JQE4kK9KM
dh1E8WvySYOh7WD9iKkNPP2VbXuPoNaVQIwkJ06kab8edvKw1qQsWpogMtKlQAI=
=qe4m
-----END PGP SIGNATURE-----
accounts/external: handle 0 chainid as not-set for the Clef API (#23394)
* accounts/external: handle 0 chainid as not-set for the Clef API
* accounts/external: document SignTx
Co-authored-by: Felix Lange <fjl@twurst.com>
Note that the commit does not end with a newline here.
You remove the gpgsig header (or gpgsig-sha256 header) and its trailing lines altogether, and that is the data over which the signature is made:
tree d51ae01e7bd033c28b98e2e70fb5920cd5fe269f
parent fd604becbb952cc46111a77ea4e5b76b4617fa49
author Péter Szilágyi <peterke@gmail.com> 1628858391 +0300
committer GitHub <noreply@github.com> 1628858391 +0300
accounts/external: handle 0 chainid as not-set for the Clef API (#23394)
* accounts/external: handle 0 chainid as not-set for the Clef API
* accounts/external: document SignTx
Co-authored-by: Felix Lange <fjl@twurst.com>
The signature is the data in the gpgsig header, or, for SHA-256 repositories, the gpgsig-sha256 header.
You shouldn't copy and paste this data, since the exact data is required for the signature to match. Instead, you can do this:
$ git cat-file commit HEAD | sed -e'/^gpgsig/d; /^ /d' >commit
$ git cat-file commit HEAD | sed -ne'/^gpgsig/,/---END/s/^[a-z]* //p' >sig
$ gpg --verify sig commit