So as an exercise I'm trying to figure out how to locally verify a git commit signature.

As an example I am using https://github.com/ethereum/go-ethereum/commit/0a68558e7e025afebf67b81bf48ecb8b0fa7c06d.

The public key for this sig is https://github.com/web-flow.gpg.

When I run the following

git verify-commit 0a68558e7e025afebf67b81bf48ecb8b0fa7c06d 

The result I get is that it is a valid commit.

However I want to figure out a way to write a script to do this.

I have defined two files

commit.txt

commit 0a68558e7e025afebf67b81bf48ecb8b0fa7c06d
Author: Péter Szilágyi <[email protected]>
Date:   Fri Aug 13 15:39:51 2021 +0300

accounts/external: handle 0 chainid as not-set for the Clef API (#23394)

* accounts/external: handle 0 chainid as not-set for the Clef API

* accounts/external: document SignTx

Co-authored-by: Felix Lange <[email protected]>

And using git cat-file -p <commit-hash> I get the signature and store it in a file doc.sig

-----BEGIN PGP SIGNATURE-----

wsBcBAABCAAQBQJhFmgXCRBK7hj4Ov3rIwAAkpoIACFP0wLY/5WA3rHgrU2s/6lT
DdTOK7HNnh00bJIEplGoVvMWku0mAHAgp8t+oerhQlwHC8quBIxo9ozzz7UBj0Aa
3VjFSBXnX5KCkW8kY8ZxT4xnuXgFJ/O5z59qSh+3S1Lt/B6c2ERP+3T6oylR+LMt
/Icr901l24kRKNOkjM6cM5jDGVpD+7CLQQKmwcq8A5Ee14EF+H2+/XaFJmilYhfL
r/BY4aPvQDP18vhwTKOVTpVzGmjLn/i0OU6kAfcY2LSzhfSJ0rlenQ0JQE4kK9KM
dh1E8WvySYOh7WD9iKkNPP2VbXuPoNaVQIwkJ06kab8edvKw1qQsWpogMtKlQAI=
=qe4m
-----END PGP SIGNATURE-----

However when I run

gpg --verify doc.sig commit.txt

I get the following

gpg: Signature made Fri Aug 13 05:39:51 2021 PDT
gpg:                using RSA key 4AEE18F83AFDEB23
gpg: BAD signature from "GitHub (web-flow commit signing) <[email protected]>" [unknown]

I get a similar result when trying to verify the signature via an openpgpjs script https://github.com/openpgpjs/openpgpjs

Does anyone have an idea as to what I might be doing wrong?

1 Answer

The output you're seeing from git log is not the actual commit data. To see the actual commit data, run git cat-file commit OID:

tree d51ae01e7bd033c28b98e2e70fb5920cd5fe269f
parent fd604becbb952cc46111a77ea4e5b76b4617fa49
author Péter Szilágyi <[email protected]> 1628858391 +0300
committer GitHub <[email protected]> 1628858391 +0300
gpgsig -----BEGIN PGP SIGNATURE-----

 wsBcBAABCAAQBQJhFmgXCRBK7hj4Ov3rIwAAkpoIACFP0wLY/5WA3rHgrU2s/6lT
 DdTOK7HNnh00bJIEplGoVvMWku0mAHAgp8t+oerhQlwHC8quBIxo9ozzz7UBj0Aa
 3VjFSBXnX5KCkW8kY8ZxT4xnuXgFJ/O5z59qSh+3S1Lt/B6c2ERP+3T6oylR+LMt
 /Icr901l24kRKNOkjM6cM5jDGVpD+7CLQQKmwcq8A5Ee14EF+H2+/XaFJmilYhfL
 r/BY4aPvQDP18vhwTKOVTpVzGmjLn/i0OU6kAfcY2LSzhfSJ0rlenQ0JQE4kK9KM
 dh1E8WvySYOh7WD9iKkNPP2VbXuPoNaVQIwkJ06kab8edvKw1qQsWpogMtKlQAI=
 =qe4m
 -----END PGP SIGNATURE-----


accounts/external: handle 0 chainid as not-set for the Clef API (#23394)

* accounts/external: handle 0 chainid as not-set for the Clef API

* accounts/external: document SignTx

Co-authored-by: Felix Lange <[email protected]>

Note that the commit does not end with a newline here.

You remove the gpgsig header (or gpgsig-sha256 header) and its trailing lines altogether, and that is the data over which the signature is made:

tree d51ae01e7bd033c28b98e2e70fb5920cd5fe269f
parent fd604becbb952cc46111a77ea4e5b76b4617fa49
author Péter Szilágyi <[email protected]> 1628858391 +0300
committer GitHub <[email protected]> 1628858391 +0300


accounts/external: handle 0 chainid as not-set for the Clef API (#23394)

* accounts/external: handle 0 chainid as not-set for the Clef API

* accounts/external: document SignTx

Co-authored-by: Felix Lange <[email protected]>

The signature is the data in the gpgsig header, or, for SHA-256 repositories, the gpgsig-sha256 header.

You shouldn't copy and paste this data, since the exact data is required for the signature to match. Instead, you can do this:

$ git cat-file commit HEAD | sed -e'/^gpgsig/d; /^ /d' >commit
$ git cat-file commit HEAD | sed -ne'/^gpgsig/,/---END/s/^[a-z]* //p' >sig
$ gpg --verify sig commit
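The shell pipeline above is the quickest route, but the question asked for a script, and the `/^ /d` step deletes every line that starts with a space, including any indented line in the commit message itself. The following is an added example (not from the question, the answer, or any project the page mentions) that does the same split in Python by parsing only the header block of the object printed by `git cat-file commit`, so the message bytes are copied through untouched. It assumes `git` and `gpg` are on PATH and that the signer's public key (for GitHub's web-flow commits, https://github.com/web-flow.gpg) has already been imported; the `SAMPLE` object, its hashes and its armor body are constructed placeholders, not a real signature.

```python
#!/usr/bin/env python3
"""Split a raw git commit object into the signed payload and its PGP signature,
then hand both to gpg, reproducing what `git verify-commit` does internally."""
from __future__ import annotations

import subprocess
import sys
import tempfile
from pathlib import Path

# Header names that carry a signature (gpgsig-sha256 in SHA-256 repositories).
SIG_HEADERS = (b"gpgsig", b"gpgsig-sha256")


def split_signed_commit(raw: bytes) -> tuple[bytes, bytes | None]:
    """Return (payload, armored_signature) for a raw commit object.

    payload is the exact byte string the signature was made over: the object
    with the gpgsig/gpgsig-sha256 header and its continuation lines removed.
    Only the header block (before the first empty line) is parsed; the message
    is appended unchanged so that no byte of it is altered.
    """
    header_end = raw.find(b"\n\n")
    if header_end == -1:
        raise ValueError("not a commit object: no header/message separator")
    headers, message = raw[:header_end], raw[header_end:]

    kept: list[bytes] = []
    sig_lines: list[bytes] = []
    in_sig = False
    for line in headers.split(b"\n"):
        if line.startswith(b" "):
            # Continuation line of the previous header; git prefixes each
            # armor line (including the blank one) with a single space.
            if in_sig:
                sig_lines.append(line[1:])
            else:
                kept.append(line)
            continue
        name, _, value = line.partition(b" ")
        in_sig = name in SIG_HEADERS
        if in_sig:
            sig_lines.append(value)
        else:
            kept.append(line)

    payload = b"\n".join(kept) + message
    signature = b"\n".join(sig_lines) + b"\n" if sig_lines else None
    return payload, signature


def verify_with_gpg(payload: bytes, signature: bytes) -> bool:
    """Run `gpg --verify` on the extracted parts; True only for a GOODSIG."""
    with tempfile.TemporaryDirectory() as tmp:
        sig_path = Path(tmp, "commit.sig")
        data_path = Path(tmp, "commit.payload")
        sig_path.write_bytes(signature)
        data_path.write_bytes(payload)
        result = subprocess.run(
            ["gpg", "--status-fd", "1", "--verify", str(sig_path), str(data_path)],
            capture_output=True, check=False)
    return result.returncode == 0 and b"[GNUPG:] GOODSIG" in result.stdout


def verify_commit(oid: str, repo: str = ".") -> bool:
    """Fetch the raw object for OID from REPO and verify its signature."""
    raw = subprocess.run(["git", "-C", repo, "cat-file", "commit", oid],
                         capture_output=True, check=True).stdout
    payload, signature = split_signed_commit(raw)
    if signature is None:
        raise ValueError(f"commit {oid} carries no gpgsig header")
    return verify_with_gpg(payload, signature)


# Constructed sample in the shape `git cat-file commit` prints. The object
# ids and the armor body are placeholders; this is not a real signature.
SAMPLE = (
    b"tree 0000000000000000000000000000000000000000\n"
    b"parent 1111111111111111111111111111111111111111\n"
    b"author A Person <[email protected]> 1628858391 +0300\n"
    b"committer GitHub <[email protected]> 1628858391 +0300\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" PLACEHOLDERARMORLINE1\n"
    b" =ABCD\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\n"
    b"subject line (#1)\n"
    b"\n"
    b"body, with a line that starts with a space:\n"
    b" indented text must survive\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python3 verify_commit.py <commit-oid>  (run inside the repo)
        print("GOOD" if verify_commit(sys.argv[1]) else "BAD")
    else:
        payload, sig = split_signed_commit(SAMPLE)
        sys.stdout.write(payload.decode())
        sys.stdout.write(sig.decode())
```

Run it inside a clone with the commit id as the only argument; without arguments it prints the two parts it would feed to gpg for the constructed sample. The parser keeps the indented message line that the `sed` one-liner would drop, and returns `None` for the signature when the object is unsigned instead of handing gpg an empty file.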

3 Comments

Still gives me the same error. Is there any way to just output the contents of the commit/sig to files separately without relying on copy-pasting?
I've updated the answer to provide some shell commands to extract the data.
Thanks, I have solved the issue now. Also, I figured out how to self-sign my commits using a custom key: github.com/lemiesz/verify-git-commit
