@ChristopherA
Last active May 30, 2024 03:23
Open Integrity Inception Script Snippets
# Remove any old git relics — we are creating an empty commit for a new identifier
rm -rf ./.git
git init # --object-format=sha256  (left commented out: with the default object format the inception hash is SHA-1)
# INCEPTION_CREATOR_NICK="any-nickname"
# This gets your GitHub nick from your `gh` cli files if you have them
INCEPTION_CREATOR_NICK=$(sed -n 's/.*user: \(.*\)/\1/p' ~/.config/gh/hosts.yml)
# Load the first line from the SSH key file
read -r line < ~/.ssh/id_sign_ed25519_${INCEPTION_CREATOR_NICK}.local-admin-2024-04-27@github.com.pub
# Extract the first two fields only (key type and key data)
INCEPTION_CREATOR_SSH_PUB_KEY=$(echo "$line" | awk '{print $1, $2}')
# Construct the entry for the allowed_signers file
entry="@$INCEPTION_CREATOR_NICK $INCEPTION_CREATOR_SSH_PUB_KEY # Inception key authorized on $(date -u +'%Y-%m-%d %H:%M:%S %Z')"
# Write the entry to the allowed_signers file
echo "$entry" > ./_repo:allowed_commit_signers
# Configure these local to this repo
git config --local gpg.ssh.allowedSignersFile ./_repo:allowed_commit_signers
git config --local gpg.format ssh
git config --local commit.gpgsign true
git config --local tag.gpgsign true
# NOTE: For these to not get overridden by git global, these need to be on the same line
# and precede the `git commit` command. Double quotes are required so the values expand;
# the committer identity mirrors the author identity (nick as name, public key as email).
GIT_AUTHOR_NAME="$INCEPTION_CREATOR_NICK" \
GIT_AUTHOR_EMAIL="$INCEPTION_CREATOR_SSH_PUB_KEY" \
GIT_COMMITTER_NAME="$INCEPTION_CREATOR_NICK" \
GIT_COMMITTER_EMAIL="$INCEPTION_CREATOR_SSH_PUB_KEY" \
git commit --allow-empty --no-edit \
--gpg-sign="$HOME/.ssh/id_sign_ed25519_${INCEPTION_CREATOR_NICK}.local-admin-2024-04-27@github.com.pub" \
-m "Initialize repository and establish a SHA-256 root of trust" \
-m "Signed-off-by: @$INCEPTION_CREATOR_NICK <$INCEPTION_CREATOR_SSH_PUB_KEY>" \
-m "This key also certifies future commits' integrity and origin. \
Other keys can be authorized to certify additional commits via the creation \
of an ./_repo:allowed_commit_signers file. This file must initially be \
signed by the repo's inception key, granting these keys the authority to \
certify future commits to this repo, including the potential to remove the \
authority of this inception key for commits. Once established, any changes \
to ./_repo:allowed_commit_signers must be certified by one of the \
previously approved signers."
git rev-list --all
# The repository identifier is the hash of the root (parentless) commit, upper-cased
REPO_ID=$(git rev-list --max-parents=0 HEAD | tr '[:lower:]' '[:upper:]')
REPO_DID="DID:REPO:$REPO_ID"
git cat-file -p "$REPO_ID"
git verify-commit "$REPO_ID"
echo "Repository SHA-256 DID (based on inception commit)" "$REPO_DID"
gh repo create my-project --private --source=. --remote=upstream
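The inception commit the script produces has a fixed shape (no parents, the empty tree, an SSH `gpgsig` header, author and committer identity equal to the signing key, and a `Signed-off-by` trailer naming a principal from `_repo:allowed_commit_signers`). The following Python checker is an added example, not part of the gist: it parses `git cat-file -p` output and the allowed-signers file and reports which of those invariants fail, on constructed sample data (the key, signature body and nickname `@alice` are made up). It complements `git verify-commit`, which checks the signature itself, not the commit's structure.

```python
import re
# Empty-tree hash for the sha1 and sha256 object formats; an inception commit made with --allow-empty in a fresh repo points at one of these.
EMPTY_TREES = ("4b825dc642cb6eb9a060e54bf8d69288fbee4904",
               "6ef19b41225c5369f1c104d45d8d85efa9b057b53b14b4b9b939dd74decc5321")

def parse_commit(raw):
    """Split `git cat-file -p <commit>` output into ({header: [values]}, message)."""
    head, _, message = raw.partition("\n\n")
    headers, key = {}, None
    for line in head.split("\n"):
        if line.startswith(" ") and key:  # continuation line of the multi-line gpgsig header
            headers[key][-1] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers.setdefault(key, []).append(value)
    return headers, message

def parse_allowed_signers(text):
    """Map principal -> 'keytype keydata'; '#' comments and option fields are skipped."""
    signers = {}
    for fields in (ln.split("#", 1)[0].split() for ln in text.splitlines()):
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), 0)
        if idx:  # idx 0 means no key-type field (or an empty line): not a valid entry
            signers[fields[0]] = " ".join(fields[idx:idx + 2])
    return signers

def check_inception(commit_raw, signers_text):
    """Return the violated inception-commit invariants; an empty list means it passes."""
    (headers, message), signers = parse_commit(commit_raw), parse_allowed_signers(signers_text)
    ident = lambda h: (re.search(r"<([^>]*)>", headers.get(h, [""])[0]) or [None, ""])[1]  # <email> part
    sob = re.search(r"^Signed-off-by: (@\S+) <([^>]*)>", message, re.M)
    checks = [
        ("parent" not in headers, "inception commit must have no parents"),
        (headers.get("tree", [""])[0] in EMPTY_TREES, "inception commit must point at the empty tree"),
        (headers.get("gpgsig", [""])[0].startswith("-----BEGIN SSH SIGNATURE-----"), "missing SSH signature"),
        (ident("author") == ident("committer"), "author and committer identity differ"),
        (bool(sob) and signers.get(sob[1]) == sob[2], "Signed-off-by key is not an allowed signer"),
        (bool(sob) and sob[2] == ident("committer"), "committer identity does not match the signing key"),
    ]
    return [msg for ok, msg in checks if not ok]
# Constructed sample data: not a real key, signature or repository.
KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyDataNotARealKey"
SIGNERS = f"@alice {KEY} # Inception key authorized on 2024-05-30 03:23:00 UTC\n"
COMMIT = (
    f"tree {EMPTY_TREES[0]}\nauthor alice <{KEY}> 1717039380 +0000\n"
    f"committer alice <{KEY}> 1717039380 +0000\n"
    "gpgsig -----BEGIN SSH SIGNATURE-----\n U1NIU0lHConstructedSignatureBody\n"
    " -----END SSH SIGNATURE-----\n\nInitialize repository and establish a SHA-256 root of trust\n\n"
    f"Signed-off-by: @alice <{KEY}>\n"
)
```

Running `check_inception(COMMIT, SIGNERS)` on the sample returns an empty list; feed it `git cat-file -p "$REPO_ID"` output and the real `_repo:allowed_commit_signers` contents to check a live repository.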