Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
stackghost 2 days ago

"Github supports GnuPG signatures" does not contradict the statement "GnuPG is trash". I will not engage further, it's obvious you are not interested in honest discussion of the technical merits.

tapete 2 days ago | parent | next [-]

> I will not engage further, it's obvious you are not interested in honest discussion of the technical merits.

Well you are neither, all you do is throw unobjective flames around ("gnupg is trash") and post various claims about bad security without backing them up, implicitly demanding that other people do the leg work of disproving your accusations against the GNU project.

Are you working for Apple by any chance?

stackghost a day ago | parent [-]

>Are you working for Apple by any chance?

No, my background is in aerospace and I'm currently in grad school planning to pivot into a different field.

CarpaDorada 2 days ago | parent | prev [-]

The issue is mostly with git itself, e.g. take a look at

  git cat-file commit HEAD
to see something like:

  tree <tree-hash>
  parent <parent-hash>
  author <author-name> <author-email> <timestamp>
  committer <committer-name> <committer-email> <timestamp>
  gpgsig -----BEGIN PGP SIGNATURE-----
   
   <ascii-armored RFC9580 signature>
   -----END PGP SIGNATURE-----

  <commit message>
You can view an example of the structure of this ascii-armored signature here <https://cirw.in/gpg-decoder/#-----BEGIN%20PGP%20SIGNATURE---...>.

You can add a patch to git to support more signature types than just OpenPGP. You may then be able to move mountains and get GitHub/others to join in the validation. Finally, if you can find bugs/exploits in GnuPG, you should report them and you will definitely get credit and recognition for them. They are not trivial to find.

fmajid 2 days ago | parent [-]

Git has supported SSH-based signatures for a while now, including those backed by FIDO hardware keys.

CarpaDorada a day ago | parent [-]

FIDO would be for authentication, not signing. It also supports SSH (and X.509, see <https://git-scm.com/docs/gitformat-signature>) but it does not support minisign or signify. There's a git module for signify, <https://leahneukirchen.org/dotfiles/bin/git-signify> but don't count on it being widely supported.