Open Integrity Inception Script Snippets
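# Remove any old git relics — we are creating an empty commit for a new identifier
#
# NOTE(review): `rm -rf ./.git` below is destructive and unconditional; run these
# snippets only from a freshly created project directory.
#
# Shell: the original REPO_ID line used the zsh-only `${$(...):u}` form; everything
# below is written to run under both bash and zsh. Strict mode so a failed key
# lookup, commit, or signature verification stops the sequence instead of
# continuing to `gh repo create`.
set -euo pipefail

rm -rf ./.git
git init # --object-format=sha256
# NOTE(review): with --object-format=sha256 commented out, `git init` creates a
# SHA-1 repository, while the commit message and REPO_DID label below say
# SHA-256 — confirm which hash the identifier is meant to be derived from.

# INCEPTION_CREATOR_NICK="any-nickname"
# This gets your GitHub nick from your `gh` cli files if you have them.
# hosts.yml also holds your gh OAuth token, so only the `user:` value is
# extracted and nothing else from the file is printed. The first match wins
# (the file may list several hosts).
INCEPTION_CREATOR_NICK=$(
  awk '/user: / { sub(/.*user: /, ""); print; exit }' ~/.config/gh/hosts.yml
)
# Abort early: an empty nick would silently produce a wrong key path below.
: "${INCEPTION_CREATOR_NICK:?could not determine GitHub nick; set INCEPTION_CREATOR_NICK manually}"

# Public half of the inception signing key; the same path is passed to
# --gpg-sign below. $HOME instead of ~ so the path also expands when the
# string is used after `=` in an option.
inception_key_pub="$HOME/.ssh/id_sign_ed25519_${INCEPTION_CREATOR_NICK}.local-admin-2024-04-27@github.com.pub"
[[ -r "$inception_key_pub" ]] || {
  printf 'missing inception key: %s\n' "$inception_key_pub" >&2
  exit 1
}

# Load the first line from the SSH key file
read -r line < "$inception_key_pub"
# Extract the first two fields only (key type and key data); the trailing
# comment field of the .pub line is dropped.
read -r key_type key_data key_comment <<<"$line"
INCEPTION_CREATOR_SSH_PUB_KEY="$key_type $key_data"

# Construct the entry for the allowed_signers file:
#   <principal> <key-type> <key-data> # <comment>
entry="@$INCEPTION_CREATOR_NICK $INCEPTION_CREATOR_SSH_PUB_KEY # Inception key authorized on $(date -u +'%Y-%m-%d %H:%M:%S %Z')"
# Write the entry to the allowed_signers file (quoted: no word-splitting or
# globbing of the key material)
printf '%s\n' "$entry" > ./_repo:allowed_commit_signers

# Configure these local to this repo
git config --local gpg.ssh.allowedSignersFile ./_repo:allowed_commit_signers
git config --local gpg.format ssh
git config --local commit.gpgsign true
git config --local tag.gpgsign true

# NOTE: For these to not get overridden by git global, these need to be on same line
# and precede the `git commit` command. They must be double-quoted: single quotes
# would pass the literal text "$INCEPTION_CREATOR_NICK" to git as the name.
# NOTE(review): INCEPTION_CREATOR_SELF_SIGNED_SSH_PUB_KEY is not assigned anywhere
# in these snippets; it falls back to INCEPTION_CREATOR_SSH_PUB_KEY — confirm intent.
GIT_AUTHOR_NAME="$INCEPTION_CREATOR_NICK" \
GIT_AUTHOR_EMAIL="$INCEPTION_CREATOR_SSH_PUB_KEY" \
GIT_COMMITTER_NAME="$INCEPTION_CREATOR_SSH_PUB_KEY" \
GIT_COMMITTER_EMAIL="${INCEPTION_CREATOR_SELF_SIGNED_SSH_PUB_KEY:-$INCEPTION_CREATOR_SSH_PUB_KEY}" \
git commit --allow-empty --no-edit \
  --gpg-sign="$inception_key_pub" \
  -m "Initialize repository and establish a SHA-256 root of trust" \
  -m "Signed-off-by: @$INCEPTION_CREATOR_NICK <$INCEPTION_CREATOR_SSH_PUB_KEY>" \
  -m "This key also certifies future commits' integrity and origin. \
Other keys can be authorized to certify additional commits via the creation \
of an ./_repo:allowed_commit_signers file. This file must initially be \
signed by the repo's inception key, granting these keys the authority to \
certify future commits to this repo, including the potential to remove the \
authority of this inception key for commits. Once established, any changes \
to ./_repo:allowed_commit_signers must be certified by one of the \
previously approved signers."

git rev-list --all
# The inception commit is the single root commit; uppercase its id for the DID.
# `tr` replaces the zsh-only `${...:u}` modifier so this also runs under bash.
REPO_ID=$(git rev-list --max-parents=0 HEAD | tr '[:lower:]' '[:upper:]')
REPO_DID="DID:REPO:$REPO_ID"
git cat-file -p "$REPO_ID"
# Stops the sequence (set -e) if the inception commit's signature does not
# verify against ./_repo:allowed_commit_signers configured above.
git verify-commit "$REPO_ID"
printf '%s %s\n' "Repository SHA-256 DID (based on inception commit)" "$REPO_DID"
gh repo create my-project --private --source=. --remote=upstream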