diff --git a/Makefile b/Makefile index d4d2ae3..80efb8a 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ all: @echo "Run 'make uninstall' for uninstallation." install: - install -Dm755 gpgit.py $(DESTDIR)$(PREFIX)/bin/gpgit + install -Dm755 gpgit.sh $(DESTDIR)$(PREFIX)/bin/gpgit install -Dm644 Readme.md $(DESTDIR)$(PREFIX)/share/doc/gpgit/Readme.md uninstall: diff --git a/Readme.md b/Readme.md index 5e575f1..8a6a153 100644 --- a/Readme.md +++ b/Readme.md @@ -6,16 +6,16 @@ As we all know, today more than ever before, it is crucial to be able to trust our computing environments. One of the main difficulties that package maintainers of GNU/Linux distributions face, is the difficulty to verify the authenticity and the integrity of the source code. With GPG signatures it is possible for packagers to verify source code releases quickly and easily. #### Overview of the required tasks: -* Create and/or use a **[4096-bit RSA keypair][1]** for the file signing +* Create and/or use a **[4096-bit RSA/Ed25519 ECC keypair][1]** for the file signing * Use a **[strong, unique, secret passphrase][2]** for the key * Upload the public key to a **[key server][3]** and **[publish the full fingerprint][4]** * **[Sign][5]** every new Git **[commit][6]** and **[tag][7]** -* Create **[signed][8], [compressed][9]** (xz --best) release **archives** -* Upload a **[strong message digest][10]** (sha512) of the archive +* Create **[signed][8], [compressed release archives][9]** +* Upload a **[strong message digest][10]** of the archive * Configure **[HTTPS][11]** for your download server ### GPGit -[GPGit][12] is meant to bring GPG to the masses. It is not only a Python script that automates the process of [creating new signed Git releases with GPG][13], but also a [quick-start-guide][14] for learning how to use GPG. GPGit integrates perfectly with the [Github Release API][15] for uploading. +[GPGit][12] is meant to bring GPG to the masses. It is not only a shell script that automates the process of [creating new signed Git releases with GPG][13], but also includes a [quick-start-guide][14] for learning how to use GPG. GPGit integrates perfectly with the [Github Release API][15] for uploading. The security status of GNU/Linux projects will be tracked in the [Linux Security Database][16]. If you have any further questions, do not hesitate to [contact me][17] personally. Thanks for your help in making GNU/Linux projects more secure by using GPG signatures. @@ -37,7 +37,7 @@ The security status of GNU/Linux projects will be tracked in the [Linux Security [16]: https://github.com/NicoHood/LSD [17]: http://contact.nicohood.de -## Index +# Index * [Introduction](#introduction) * [GPGit Documentation](#gpgit-documentation) * [GPG Quick Start Guide](#gpg-quick-start-guide) @@ -45,103 +45,80 @@ The security status of GNU/Linux projects will be tracked in the [Linux Security # GPGit Documentation ## Installation -### ArchLinux -You can install GPGit from [AUR](https://aur.archlinux.org/packages/gpgit/). Make sure to [build in a clean chroot](https://wiki.archlinux.org/index.php/DeveloperWiki:Building_in_a_Clean_Chroot). Please give the package a vote so I can move it to the official ArchLinux [community] repository for even simpler installation. -### Ubuntu/Debian/Other -GPGit dependencies can be easily installed via [pip](https://pypi.python.org/pypi/pip). +### Distribution Packages +* [Arch Linux (AUR)](https://aur.archlinux.org/packages/gpgit/) +### Manual Installation ```bash -# Install dependencies -sudo apt-get install python3 python3-pip gnupg2 git -VERSION=2.0.7 +# Install dependencies and optional dependencies +sudo apt-get install bash gnupg2 git tar xz-utils coreutils gawk grep sed +sudo apt-get install gzip bzip lzip file jq curl # Download and verify source -wget https://github.com/NicoHood/gpgit/releases/download/${VERSION}/gpgit-${VERSION}.tar.xz -wget https://github.com/NicoHood/gpgit/releases/download/${VERSION}/gpgit-${VERSION}.tar.xz.asc +VERSION=1.3.0 +wget "https://github.com/NicoHood/gpgit/releases/download/${VERSION}/gpgit-${VERSION}.tar.xz" +wget "https://github.com/NicoHood/gpgit/releases/download/${VERSION}/gpgit-${VERSION}.tar.xz.asc" gpg2 --keyserver hkps://pgp.mit.edu --recv-keys 97312D5EB9D7AE7D0BD4307351DAE9B7C1AE9161 -gpg2 --verify gpgit-${VERSION}.tar.xz.asc gpgit-${VERSION}.tar.xz +gpg2 --verify "gpgit-${VERSION}.tar.xz.asc" "gpgit-${VERSION}.tar.xz" -# Extract and install dependencies -tar -xf gpgit-${VERSION}.tar.xz -cd gpgit-${VERSION} -pip3 install --user -r requirements.txt - -# Install and run GPGit -sudo cp gpgit.py /usr/local/bin/gpgit +# Extract, install and run GPGit +tar -xf "gpgit-${VERSION}.tar.xz" +sudo make -C "gpgit-${VERSION}" PREFIX=/usr/local install gpgit --help ``` ## Script Usage -The script guides you through all 5 steps of the [GPG quick start guide](#gpg-quick-start-guide). **By default no extra arguments beside the tag are required.** Follow the instructions and you are good to go. +The script guides you through all 5 steps of the [GPG quick start guide](#gpg-quick-start-guide). Run GPGit with the tag name as parameter. All other options will get auto detected. When running the script for the first time GPGit runs in interactive (`-i`) mode and guide you through all steps of secure source code signing. +### Sample Usage ![screenshot](img/screenshot.png) -### Parameters - -#### -h, --help -Show help message and exit. - -#### -v, --version -Show program's version and exit. - -#### tag -Tagname of the release. E.g. `1.0.0` or `20170521` with `$(date +%Y%m%d)`. - -#### -m , --message -Use the given as the commit message. - -#### -o , --output -Output path of the archive, signature and message digest. You can also set this option via configuration. - -#### -g , --git-dir -Path to the Git project. - -#### -n, --no-github -Disable Github API functionality. Github releases need to be created manually and release assets need to be uploaded manually. GPGit will not prompt for a Github token anymore. - -#### -p, --prerelease -Flag as Github prerelease. - -### Configuration -Additional configuration can be made via [git config](https://git-scm.com/docs/git-config). Example usage: - -```bash -git config --global gpgit.token -git config --global gpgit.output ~/gpgit -git config --local gpgit.compression gzip +### Parameters and Configuration +``` +$ gpgit --help +Usage: gpgit [options] + +GPGit 1.3.0 https://github.com/NicoHood/gpgit +A shell script that automates the process of signing Git sources via GPG. + +Mandatory arguments: + The name of the tag to create. + +Optional arguments: + -h, --help Show this help message and exit. + -m, --message Use the given as the commit message. + If multiple -m options are given, their values are + concatenated as separate paragraphs. + -C, --directory Run as if GPGit was started in instead of the + current working directory. + -S, --signingkey Use the given GPG key. + -o, --output Safe all release assets to the specified . + -p, --pre-release Flag as Github pre-release. + -n, --no-github Disable Github API functionallity. + -i, --interactive Run in interactive mode, step-by-step. + --