TitleGit signing with DIDs
Status

Difficulty


Description 

Hyperledger projects require their contributors to sign Git commits to attest to the Developer Certificate Origin (DCO). New developers have provided feedback that this process can be confusing and represents a barrier to contributing to the project.

Hyperledger Indy provides an identity system that can be used by developers to issue verifiable credentials attesting to the DCO. The Sovrin network is a public instance of Indy that would allow third parties to verify Indy credentials that use the network. Using Indy to sign Git commits would not only improve the contributor experience, but would also serve as a great real-world application of the Indy technology.

Additional Information

https://developercertificate.org/

https://github.com/hyperledger/indy-sdk/

https://github.com/infominer33/awesome-decentralized-id/tree/master/indy-sovrin-evernym

Learning Objectives

Successful completion of this project will involve learning skills such as:

Expected Outcome


Relation to Hyperledger 

Immediately useful for Hyperledger Indy, but could make it easier to contribute to all Hyperledger projects.

Education Level

Enrolled in an undergraduate program in a technical subject.

Skills

Basic programming experience is required. It is also desirable to have familiarity with Git, Rust, and Python.

Future plans

As a result of this project, the intern will be familiar with Hyperledger Indy SDK and able to contribute in a variety of ways including improved documentation, testing, and feature development. A good follow on feature would be to integrate Indy credentials with GPG and SSH by exposing ed25519 keys to those tools.

Preferred Hours and Length of Internship

Either full time or part time is acceptable.

Mentor(s) Names and Contact Info

Richard Esplin, richard.esplin@evernym.com, esplinr, Evernym

Dave Huseby, dhuseby@linuxfoundation.org, dhuseby, Hyperledger

Mentee

Ibrahim El Rhezzali


Project Plan

Git integration with external signing tools

Currently git supports signing / verifying commits and tags using GPG only. The goal of this project is to make the git signing interface compatible with external signing tools and with DIDs (Distributed Identities) using programs such as bettersign for example.

This project will be the continuation of the work already done by David Huseby on the subject. His previous work is here:

This project's working fork:

The main sections of the project are updating the user configuration and the command handling when a signing or verifying operation occur. The actions needed in each section can be listed below and will be evolving as the project evolves.

UPDATE: The request for proposal has been sent to the git mailing list and can be tracked here:

https://public-inbox.org/git/CACi-FhDeAZecXSM36zroty6kpf2BCWLS=0R+dUwuB96LqFKuTA@mail.gmail.com/T/#u

The commits that will be submitted as a patch can be found here:

https://github.com/ibrahimel/did-git-impl/commits/did-git-impl-signing-patch


After receiving feedback from the git community, we opted for a config based approch and a tool-agnostic signing interface. Below is the explained approach sent to the mailing list:

https://public-inbox.org/git/R3X1WzWH0sgOh85GuUmXwsTC6CPKysi4TRzN_BPecDVGr__ET2-mitZ2DZA0_bpKkzLRtnTtoomIWxZtL52_1XkihYBVBAuWMpSdwoboixY=@pm.me/T/#u


The user configuration would define the signing tool and other parameters as keys, identity and keychain. It would look like this:

[signing]
  format = openpgp

[signing "openpgp"]
  program = /usr/bin/gpg
	keyring = "--keyring pubring.kbx --no-default-keyring"
	identity = "--local-user \"Jane Committer <jane@hackers.com>\""
	sign = "$program --sign --status-fd=2 --detach-sign --ascii"
	verify = $program --verify --status-fd=2"

[signing "openpgp.signature"]
	regex = "^-----BEGIN PGP SIGNATURE-----$[^-]*^-----END PGP SIGNATURE-----$"
	multiline = true


And the same goes for the command line:

git commit \
  --sign
	--signing-format=openpgp \
	--signing-openpgp-program="/usr/bin/gpg" \
	--signing-openpgp-keyring="--keyring pubring.kbx --no-default-keyring" \
	--signing-openpgp-identity="--local-user \"Jane Committer <jane@hackers.com>\"" \
	--signing-openpgp-sign="--sign --status-fd=2 --detach-sign --ascii"


As for tool that don't work natively with the signing interface, a support for helper bash or python scripts will be added.


Below in an illustrative model of the expected outcome:

Milestones

Deliverables

Detailed Steps

Update documentation

Update user configuration handling


Add Helper scripts template

Testing

Back-burner Tasks

These are secondary tasks to do while waiting for feedback or assistance, or finished early: