doc: verify submodule signatures

Updating git submodules are not merges by default, they are a checkout, therefore no signature verification is done, merge.VerifySignatures=true is ignored. Unless git-submodule--helper implements a method to verify signatures before checking out commits, it can't be relied on.
ben-grande · Mar 11, 2024 · 07834be · 07834be
1 parent fe35656
commit 07834be
Showing 1 changed file with 29 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -79,10 +79,12 @@ You current setup needs to fulfill the following requisites:
 Before copying anything to Dom0, read [Qubes OS warning about consequences of
 this procedure](https://www.qubes-os.org/doc/how-to-copy-from-dom0/#copying-to-dom0).
 
-1. Copy the repository `$file` from the DomU `$qube` to Dom0:
+1. Copy the repository `$file` from the DomU `$qube` to Dom0 (substitute
+   `CHANGEME` for the desired valued):
   ```sh
   qube="CHANGEME" # qube name where you downloaded the repository
   file="CHANGEME" # path to the repository in the qube
+
   qvm-run --pass-io --localcmd="UPDATES_MAX_FILES=10000
     /usr/libexec/qubes/qfile-dom0-unpacker user
     ~/QubesIncoming/${qube}/qusal" \
@@ -94,6 +96,7 @@ this procedure](https://www.qubes-os.org/doc/how-to-copy-from-dom0/#copying-to-d
 3. Verify the [commit or tag signature](https://www.qubes-os.org/security/verifying-signatures/#how-to-verify-signatures-on-git-repository-tags-and-commits) and expect a good signature, be surprised otherwise:
   ```sh
   git verify-commit HEAD
+  git submodule foreach git verify-commit HEAD
   ```
 
 4. Copy the project to the Salt directories:
@@ -109,32 +112,44 @@ demonstrated below.
 
 ### DomU Update
 
-Update the repository state in your trusted DomU:
+Update the repository state in your DomU:
 ```sh
 git -C ~/src/qusal fetch --recurse-submodules
 ```
 
 ### Dom0 Update with Git
 
 This method is more secure than literally copying the whole directory of the
-repository to dom0 but the setup is more involved. Requires some familiary
+repository to dom0 but the setup is more involved. Requires some familiarity
 with the sys-git formula.
 
-0. Install the [sys-git formula](salt/sys-git/README.md) and push the
+1. Install the [sys-git formula](salt/sys-git/README.md) and push the
    repository to the git server.
 
-1. Install git on Dom0, allow the Qrexec protocol to work in submodules and
+2. Install git on Dom0, allow the Qrexec protocol to work in submodules and
    clone the repository to `~/src/qusal` (only has to be run once):
   ```sh
   mkdir -p ~/src
   sudo qubesctl state.apply sys-git.install-client
   git clone --recurse-submodules qrexec://@default/qusal.git ~/src/qusal
   ```
 
-2. Fetch from the app qube and place the files in the salt tree (git merge
-   and pull will verify the HEAD signature automatically)
+3. Next updates will be pulling instead of cloning:
   ```sh
-  git -C ~/src/qusal fetch --recurse-submodules
+  git -C ~/src/qusal pull --recurse-submodules
+  git -C ~/src/qusal submodule update --merge
+  ```
+
+4. Verify the commit or tag signature and expect a good signature, be
+  surprised otherwise (signature verification on submodules is skipped if
+  checking out but not merging):
+  ```sh
+  git verify-commit HEAD
+  git submodule foreach git verify-commit HEAD
+  ```
+
+5. Copy the project to the Salt directories:
+  ```
   ~/src/qusal/scripts/setup.sh
   ```
 
@@ -144,18 +159,21 @@ This method is similar to the installation method, but easier to type. This
 method is less secure than Git over Qrexec because it copies the whole
 repository, including the `.git` directory which holds files that are not
 tracked by git. It would be easier to distrust the downloader qube if the
-project had a signed archive.
+project had a signed archive. The `.git/info/exclude` can exclude modified
+files from being tracked and signature verification won't catch it.
 
 1. Install the helpers scripts and git on Dom0 (only has to be run once):
   ```sh
   sudo qubesctl state.apply dom0.install-helpers
   sudo qubes-dom0-update git
   ```
 
-2. Copy the repository `$file` from the DomU `$qube` to Dom0:
+2. Copy the repository `$file` from the DomU `$qube` to Dom0 (substitute
+   `CHANGEME` for the desired valued):
   ```sh
   qube="CHANGEME" # qube name where you downloaded the repository
   file="CHANGEME" # path to the repository in the qube
+
   rm -rf ~/QubesIncoming/"${qube}"/qusal
   UPDATES_MAX_FILES=10000 qvm-copy-to-dom0 "${qube}" "${file}"
   ```
@@ -164,6 +182,7 @@ project had a signed archive.
   surprised otherwise:
   ```sh
   git verify-commit HEAD
+  git submodule foreach git verify-commit HEAD
   ```
 
 4. Copy the project to the Salt directories: