Filename: xxx-signing-commits-with-gpg.txt
Title: Signing commits with GPG
Author: Nicolas Vigier
Created: 28-Apr-2020
Status: Open
Ticket: #34046

1. Motivation

   While building stable or alpha Tor Browser releases, we verify all
   inputs using one of the following methods:

   - verifying the checksum of downloaded files
   - verifying the gpg signature of downloaded files
   - verifying the gpg signature on git tags
   - using a known git commit hash

   In nightly builds however, we need to use the master branch of some
   components, without checking that the commit is signed. An attacker
   who manages to take control of our git repository could potentially
   compromise our build machines in this way.

   In order to remove this possibility, we should sign and verify commits
   on all master branches used in the nightly builds.

2. Proposal

2.1 Signing commits

   Signing commits with gpg can be done using the -S option in most git
   commands (commit, merge, cherry-pick, rebase, etc.). Alternatively,
   the commit.gpgSign git config option can be set to true, to sign all
   commits.

   If a proposed commit is not signed by a known key, the maintainer of
   the component should merge the commit using git merge's --no-ff
   option, in order to force the creation of a signed merge commit even
   in the cases where a merge commit would otherwise not be needed.
   Alternatively the git cherry-pick command can be used to rewrite and
   sign the commit.

2.2 Git repositories which should have signed commits

   The master branch commits of tor-browser-build.git should be signed
   by one of the members of the Tor Browser team.

   Additionally, all components included in Tor Browser, where the
   master branch is used in our nightly build, should have their master
   commits signed by one of the maintainers of those repositories.
   The current list of repositories where we use the master branch in
   nightly builds is:

   https://git.torproject.org/pluggable-transports/goptlib.git
   https://git.torproject.org/pluggable-transports/obfs4.git
   https://git.torproject.org/tor-launcher.git
   https://git.torproject.org/tor-browser.git
   https://git.torproject.org/tor.git

2.3 Verifying signature on components included in Tor Browser

   In tor-browser-build, we should include in keyring/$project.gpg
   (where $project is the name of the component) the keys of all
   developers of the component who are expected to sign their commits,
   or the keys of all maintainers of the component who are expected to
   merge all commits.

   In rbm's configuration, for each component where the master branch is
   used for the nightly build, we set commit_gpg_id to 1 to enable
   verification of the commit's signature.

2.4 Verifying signature on tor-browser-build

   In keyring/torbrowser-team.gpg in tor-browser-build, we add the gpg
   keys of the main developers.

   We also include the following helper scripts:

   - tools/git-pull: fetch a remote repository, but verify the signature
     of the top commit before merging it in the current branch.
   - tools/git-checkout: verify the signature of a commit before
     switching to it.
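   The following shell script is an added illustration of the checks
   described in sections 2.1 and 2.4; it is not the tor-browser-build
   tools/git-pull or tools/git-checkout code. It assumes a keyring file in
   the form of the proposal's keyring/$project.gpg, and that git and gpg
   are installed. The keyring is imported into a throwaway GNUPGHOME so
   that only the listed keys can yield a verifiable signature, and git's
   %G? status letter decides whether the commit is accepted. The function
   names (sig_status_ok, verify_commit, verified_pull, verified_checkout,
   merge_unsigned_contribution) are this example's own.

```shell
#!/bin/sh
# Added example, not part of tor-browser-build: verify that a commit is
# signed by a key from a per-project keyring before pulling it, checking
# it out, or (for maintainers) merging an unsigned contribution with a
# signed --no-ff merge commit.

# Interpret git's %G? signature-status letter. Only G (good signature) and
# U (good signature, key of unknown trust) are accepted: the temporary
# keyring holds nothing but allowlisted keys, so "unknown trust" there still
# means "signed by a listed key". Bad (B), expired (X/Y), revoked (R),
# unverifiable (E) and unsigned (N) commits are rejected.
sig_status_ok() {
    case "$1" in
        G|U) return 0 ;;
        *)   return 1 ;;
    esac
}

# Human-readable reason for each status letter, used in messages.
sig_status_reason() {
    case "$1" in
        G) echo "good signature" ;;
        U) echo "good signature, key trust unknown" ;;
        B) echo "BAD signature" ;;
        X) echo "good signature but it has expired" ;;
        Y) echo "good signature made by an expired key" ;;
        R) echo "good signature made by a revoked key" ;;
        E) echo "signature cannot be checked (signing key not in keyring?)" ;;
        N) echo "commit is not signed" ;;
        *) echo "unknown status '$1'" ;;
    esac
}

# verify_commit <keyring-file> <commit>
# Returns 0 only if <commit> carries a signature from a key in <keyring-file>.
verify_commit() {
    keyring="$1"
    commit="$2"
    tmphome=$(mktemp -d) || return 1
    chmod 700 "$tmphome"
    # Import the allowlisted keys into the throwaway gpg home.
    if ! GNUPGHOME="$tmphome" gpg --batch --quiet --import "$keyring" 2>/dev/null; then
        echo "verify_commit: cannot import keyring $keyring" >&2
        rm -rf "$tmphome"
        return 1
    fi
    # git runs gpg itself and honours GNUPGHOME, so verification only sees
    # the keys just imported.
    status=$(GNUPGHOME="$tmphome" git log -1 --format='%G?' "$commit" --)
    keyid=$(GNUPGHOME="$tmphome" git log -1 --format='%GK' "$commit" --)
    rm -rf "$tmphome"
    if sig_status_ok "$status"; then
        echo "commit $commit: $(sig_status_reason "$status") by key $keyid"
        return 0
    fi
    echo "commit $commit: REJECTED: $(sig_status_reason "$status")" >&2
    return 1
}

# verified_pull <keyring-file> <remote> <branch>
# Like tools/git-pull: fetch, verify the fetched tip, and only then merge.
verified_pull() {
    git fetch "$2" "$3" || return 1
    verify_commit "$1" FETCH_HEAD || return 1
    git merge FETCH_HEAD
}

# verified_checkout <keyring-file> <commit>
# Like tools/git-checkout: verify before switching to the commit.
verified_checkout() {
    verify_commit "$1" "$2" || return 1
    git checkout "$2"
}

# merge_unsigned_contribution <branch>
# Section 2.1: a maintainer merges an unsigned contribution with a signed
# merge commit, forced with --no-ff even where a fast-forward would do.
merge_unsigned_contribution() {
    git merge --no-ff -S "$1"
}
```

   Usage, from inside a checked-out component repository:
   "verified_pull keyring/tor.gpg origin master" or
   "verified_checkout keyring/tor.gpg <commit>". Accepting status U as
   well as G matters because keys imported into a fresh GNUPGHOME carry
   no ownertrust, so a correctly signed commit would otherwise always be
   reported as untrusted and rejected.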