Discuss and implement PGP support.

[dpc]

I am a heavy GPG user, and I belive it's a PITA for a mass audience. But it's almost the only game in town for hardware keys support, so security-minded people will probably want to use that.

GPG support is not implemented, but can be added at later time.

The identity would look like this:

from:
  id-type: pgp
  id:  4488680DA3CF5F2B4756ED873D23EC2392F2EDE7
  url: "https:/someuser/crev-proofs"

The exported public key will be embedded into git repo somewhere.The pgp WoT won't be involved at all here: just 1:1 match between the ID and gpg identity to use to check the signatures against.

Also, review timestamp should be checked to within time of life of a PGP identity.

When the PGP key goes out of life, the author will just create a new one, and set the trust to the old one as high.

It should be fairly straightforward to add, but it is not high on my personal priority list.

[stevenroose]

I think it makes sense to reuse existing key infrastructure like PGP yes. Though trusting a PGP identity should of course not be equal to trusting his code reviews ;)

[dpc]

@stevenroose Yes. GPG's WoT is completely out of the picture for Crev. WoT-s between GPG and Crev serve different purposes: confirming that underlying identity is true vs trusting someones code reviews.

[stevenroose]

But that doesn't take away the utility of using PGP identities for crev, though.

[dpc]

I have created this ticket for a reason. I'm not disputing utility of supporting PGP. 😎

[tiziano88]

In terms of integration with cargo-crev, what would be considered acceptable?

I can think of the following models, in increasing level of complexity:

• cargo crev just outputs unsigned files, then the user manually signs them using plain gpg, then cargo crev reimports the signed files
• cargo crev invokes the gpg cli to automatically sign the files (I think it should work as long as gpg-agent is running in the same session, but I am not 100% sure)
• cargo crev integrates natively with gpg via Rust somehow (not sure there are even the necessary bindings for this)

[tiziano88]

I guess a similar interface to git for signing commits may be used: https://help.github.com/en/github/authenticating-to-github/telling-git-about-your-signing-key

[dpc]

https://sequoia-pgp.org/ , haven't checked if they have SC support already.

[dignifiedquire]

there is a pure rust pgp implementation available under the pgp crate. this is currently used in rustup for signature validation, so already is in use by the wider rust community

disclaimer: I maintain that crate

[chpio]

https://sequoia-pgp.org/ , haven't checked if they have SC support already.

this issue seems related: https://gitlab.com/sequoia-pgp/sequoia/-/issues/114

[JanZerebecki]

Another way is to only cross link identities, as you can not only use email in gpg identities. See e.g.: https:/wiktor-k/openpgp-proofs