ChristopherA/open_integrity_script_snippets.sh

## open_integrity_script_snippets.sh


# Remove any old git relics — we are creating an empty commit for a new identifier
rm -rf ./.git
git init # --object-format=sha256


# INCEPTION_CREATOR_NICK="any-nickname"

# This gets your your GitHub nick from your `gh` cli files if you have them
INCEPTION_CREATOR_NICK=$(
  cat ~/.config/gh/hosts.yml |
    sed -n "/user:/p" |
    sed "s/.*user: \(.*\)/\1/"
)

# Load the first line from the SSH key file
read -r line < ~/.ssh/id_sign_ed25519_${INCEPTION_CREATOR_NICK}.local-admin-2024-04-27@github.com.pub

# Extract the first two fields only (key type and key data)
INCEPTION_CREATOR_SSH_PUB_KEY=$(echo $line | awk '{print $1, $2}')

# Construct the entry for the allowed_signers file
entry="@$INCEPTION_CREATOR_NICK $INCEPTION_CREATOR_SSH_PUB_KEY # Inception key authorized on $(date -u +'%Y-%m-%d %H:%M:%S %Z')"

# Write the entry to the allowed_signers file
echo $entry > ./_repo:allowed_commit_signers

# Configure these local to this repo
git config --local gpg.ssh.allowedSignersFile ./_repo:allowed_commit_signers
git config --local gpg.format ssh
git config --local commit.gpgsign true
git config --local tag.gpgsign true

# NOTE: For these to not get overridden by git global, these need to be on same line
# and precede the `git commit`` command.
GIT_AUTHOR_NAME='$INCEPTION_CREATOR_NICK' \
GIT_AUTHOR_EMAIL='$INCEPTION_CREATOR_SSH_PUB_KEY' \
GIT_COMMITTER_NAME='$INCEPTION_CREATOR_SSH_PUB_KEY' \
GIT_COMMITTER_EMAIL='$INCEPTION_CREATOR_SELF_SIGNED_SSH_PUB_KEY' \
git commit --allow-empty --no-edit \
--gpg-sign=~/.ssh/id_sign_ed25519_$INCEPTION_CREATOR_NICK.local-admin-2024-04-27@github.com.pub \
-m "Initialize repository and establish a SHA-256 root of trust" \
-m "Signed-off-by: @$INCEPTION_CREATOR_NICK <$INCEPTION_CREATOR_SSH_PUB_KEY>" \
-m "This key also certifies future commits' integrity and origin. \
Other keys can be authorized to certify additional commits via the creation \
of an ./_repo:allowed_commit_signers file. This file must initially be \
signed by the repo's inception key, granting these keys the authority to \
certify future commits to this repo, including the potential to remove the \
authority of this inception key for commits. Once established, any changes \
to ./_repo:allowed_commit_signers must be certified by one of the \
previously approved signers."
git rev-list --all
REPO_ID=${$(git rev-list --max-parents=0 HEAD):u}
REPO_DID="DID:REPO:$REPO_ID"
git cat-file -p $REPO_ID
git verify-commit $REPO_ID
echo "Repository SHA-256 DID (based on inception commit)" $REPO_DID
gh repo create my-project --private --source=. --remote=upstream


	# Remove any old git relics — we are creating an empty commit for a new identifier
	rm -rf ./.git
	git init # --object-format=sha256


	# INCEPTION_CREATOR_NICK="any-nickname"

	# This gets your your GitHub nick from your `gh` cli files if you have them
	INCEPTION_CREATOR_NICK=$(
	cat ~/.config/gh/hosts.yml \|
	sed -n "/user:/p" \|
	sed "s/.user: \(.\)/\1/"
	)

	# Load the first line from the SSH key file
	read -r line < ~/.ssh/id_sign_ed25519_${INCEPTION_CREATOR_NICK}.local-admin-2024-04-27@github.com.pub

	# Extract the first two fields only (key type and key data)
	INCEPTION_CREATOR_SSH_PUB_KEY=$(echo $line \| awk '{print $1, $2}')

	# Construct the entry for the allowed_signers file
	entry="@$INCEPTION_CREATOR_NICK $INCEPTION_CREATOR_SSH_PUB_KEY # Inception key authorized on $(date -u +'%Y-%m-%d %H:%M:%S %Z')"

	# Write the entry to the allowed_signers file
	echo $entry > ./_repo:allowed_commit_signers

	# Configure these local to this repo
	git config --local gpg.ssh.allowedSignersFile ./_repo:allowed_commit_signers
	git config --local gpg.format ssh
	git config --local commit.gpgsign true
	git config --local tag.gpgsign true

	# NOTE: For these to not get overridden by git global, these need to be on same line
	# and precede the `git commit`` command.
	GIT_AUTHOR_NAME='$INCEPTION_CREATOR_NICK' \
	GIT_AUTHOR_EMAIL='$INCEPTION_CREATOR_SSH_PUB_KEY' \
	GIT_COMMITTER_NAME='$INCEPTION_CREATOR_SSH_PUB_KEY' \
	GIT_COMMITTER_EMAIL='$INCEPTION_CREATOR_SELF_SIGNED_SSH_PUB_KEY' \
	git commit --allow-empty --no-edit \
	--gpg-sign=~/.ssh/id_sign_ed25519_$INCEPTION_CREATOR_NICK.local-admin-2024-04-27@github.com.pub \
	-m "Initialize repository and establish a SHA-256 root of trust" \
	-m "Signed-off-by: @$INCEPTION_CREATOR_NICK <$INCEPTION_CREATOR_SSH_PUB_KEY>" \
	-m "This key also certifies future commits' integrity and origin. \
	Other keys can be authorized to certify additional commits via the creation \
	of an ./_repo:allowed_commit_signers file. This file must initially be \
	signed by the repo's inception key, granting these keys the authority to \
	certify future commits to this repo, including the potential to remove the \
	authority of this inception key for commits. Once established, any changes \
	to ./_repo:allowed_commit_signers must be certified by one of the \
	previously approved signers."
	git rev-list --all
	REPO_ID=${$(git rev-list --max-parents=0 HEAD):u}
	REPO_DID="DID:REPO:$REPO_ID"
	git cat-file -p $REPO_ID
	git verify-commit $REPO_ID
	echo "Repository SHA-256 DID (based on inception commit)" $REPO_DID
	gh repo create my-project --private --source=. --remote=upstream