►
From YouTube: Support for SSH signed commits
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
B
Yeah,
hello,
hello,
everybody,
so
just
let
me
yeah,
let
me
start
why
we
actually
had
like
an
urge
to
implement
it
here,
because
this
topic
commit
signing.
We
we
had
it.
We
had
it
before,
but
actually
gpg
gpg
keys
were
used
for
signing
like
a
year
ago.
B
B
We
Brian
Williams
yeah,
decided
to
was
enthusiastic
about
this
topic
and
decided
to
implement
it,
and
actually
he
implemented
everything
by
Mike
himself
and
currently,
and
we
just
need
to
implement
I
had
to
implement
it
like
a
couple
of
issues
in
order
to
make
it
work
and
why
it
started
being
important
like
a
couple
of
months
ago,
it's
because
once
but
one
password
started
supporting
SSH
keys
and
if,
for
example,
someone
has
like
one
password
extension
like
romance
extension,
it
started
being
super
easy
to
configure
like
an
SSH
key
and
use
that
SSH
key
for
sign
in,
for
example,
if
we
have
a
look
at
the
profile
profile,
keys,
profile,
Keys
page
and
if
we
want
to
add
an
sh
key
one
password
extension
actually
suggests
some
a
couple
of
drop
downs
to
create
an
Sage
key.
B
But
let's
use
an
existing
one,
for
example
this
one
and
add
it
to
to
and
edit
to
gitlab
yeah
when
we
edit
it.
We
actually
have
it
in
one
password
application
available
and
if
permit
sign-in
is
not
configured
system-wide
and
one
password
actually
even
suggests
to
configure
it
for
you
and
has
some
more
suggestions,
but
since
I
have
it
suggested,
it
can
be
also
viewed
in
the
in
the
settings,
and
it
provides
some
useful
options
to
configure
commit
sign
in
it's
and
it
can
be
either
edited
automatically.
B
This
content
will
be
added
to
your
git
config
or
it
can
be
copied
and
edited
manually.
Let's
have
a
look.
What
does
it
actually
means
of
in
the
git
config
like
a
signing?
Key
must
be
provided
it's
actually,
the
public
part
of
the
sh
key
that
that
is
used
for
commit
sign-in,
also
the
informat.
We
say
that
we
use
like
SSH
signing
commits
in
this
gpg
SSH
option.
We
specified
a
program
that
is
actually
used
for
commit
sign-in
by
default.
B
Ssh
like
shk
generation
utility
is
used,
but
one
password
also
provides
its
custom
sh
sign
in
utility,
which
is
also
really
handy
and
like
this
option
is
just
mentioned,
that
I
want
to
sign
or
every
commit.
So,
let's
actually
try
and
create
the
commit
and
sign
it.
Let's
see
how
how
it
actually
works
so
I,
let's
edit,
like
this
file,
add
some
text.
C
B
And
it's
also
one
password
task,
your
confirmation
to
sign
the
commit,
so
it
actually
works
like
this
and
now
our
commit
is
signed
and
it
can
be
viewed
by
using
a
Show
signature
option
for
each
show.
It
actually
shows
that
commit
signature
is
that
this
commit
has
a
good
commit
signature
with
this
particular
fingerprint
and
let's
try
and
push
this
commit.
B
So
now
we
have
this
commit,
let's
check
the
ID
like
it's
like
31,
like
30
month
here
yeah.
So
now
the
commit
is
verified
with
this
particular
fingerprint
particular
signature,
and
now
we
see
that
it
actually
works
and
our
commit
is
signed
and
verified
on
gitlab
site.
So
with
one
password
it
becomes
pretty.
It
becomes
pretty
easy
and
one
password
like
suggested
this
collaboration.
B
So
we
decided
to
urge
it's
a
bit
and
implement
it
as
soon
as
possible,
but
it's
actually
can
be,
can
work
even
without
one
password,
using
like
a
sage,
Keygen
utility
and
git,
and
like
your
IO
SSH
folder,
which
contains
the
SSH
keys.
So
let's,
let's
have
a
look.
How
it
actually
works.
Sorry,
Sean,
I,
haven't
noticed
your
hand.
So
if
you
have
a
question.
A
No
no
problem,
and
it's
a
good
time
to
ask
it
so
you
know
so
I'm
familiar
with,
for
example,
yeah
the
SSH
folder,
where
you
create
you
create
the
keys,
and
then
you
upload
those
keys
to
to
gitlab,
for
example.
But
when
we're
using
one
password,
how
do
the
keys
does
it
generate
the
keys
inside
of
one
password,
or
do
you
generate
them?
First,
on
your
local
file
system
and
upload
them
to
one
password.
B
Yeah
like
for
this
particular
case,.
A
B
A
B
A
great
feature:
okay,
great
thank
you,
but
yeah
it
can
be
also
mentally
generated
and
uploaded
and
yeah,
just
just
as
usual
as
usual,
stuff.
B
So
how
to
actually
how
it
actually
works,
so
we
have
an
object,
object,
ID
and
we
can
use
some
low
level
CAD
file
to
get
a
comment
which
actually
shows
us
some
raw
data
for
the
commit
commit
object,
and
it
actually
shows
some
data
about
about
the
commit
about
the
author,
committer
and
also
has
this
raw
signature.
Cad
file
is
actually
useful.
B
Low-Level
comment
and,
like
gitly,
quite
widely
used
use
this
comment
because,
like
it's
low
level,
more
flexible
and
for
performance
reasons,
they
like
often
use
the
cut
file
and
parse
it.
So
what
it
actually
shows
like
commit
data
and
its
signature,
and
by
default
SSH
kid
Generation,
kitchen
utility
is
used,
and
this
like
sign
comment.
It's
actually
used
by
default
and
git.
Just
basically
performs
performs
this
comment
under
the
hood
and
to
in
order
to
create
a
signature.
B
It's
just
a
name
of
the
comment
like
sign:
it's
like
a
namespace,
that's
a
git
namespace
and
also
provides
a
key
which
is
used
for
signing.
In
this
example.
Private
part,
a
private
key
is
provided
I
just
exported
my
exported
this
key
from
one
password
and
stored
in
in
the
downloads
folder
just
for
convenience,
like
private
part,
is
used
here.
But
if
we
have
a
look
at
the
sh
key
generation
utility
documentation,
it
says
that
a
public
key
can
be
used
if
the
private
half
available
in
our
Sage
agent.
B
B
So
but
let's
just
use
the
private
part
here
and
try
to
encrypt
the
content
of
the
commit
actually
like
this
part-
and
this
part
is
used
for
encryption
for
signing.
So
let's
just
create
it's.
A
second
I'll
create
like
message
16
and
fill
it
with
the
commit
data.
B
So
like
this,
and
now
we
try
to
sign
it,
we
received
this
file.
Let's
see
the
content
of
this
file
and
yeah,
it's
it's
actually
the
same
as
the
one
stored
in
the
git
object,
so
Commit
This
commit
data
is
signed
using
our
private
key
and
we
receive
this
signature,
which
is
also
stored
in
the
git
object
and
pushed
to
the
server,
and
we
can
use
this
signature
in
order
to
verify
verify
that
the
data
and
signature
is
correct.
B
On
a
quick
note
regarding
this
signature,
it
also
contains
some
metadata
about
the
key
that
was
used
for
or
for
signing
the
commit,
because
if
we
again
have
a
look
at
the
have
a
look
at
the
commit
using
Show
signature
option,
it
shows
that,
like
good
git
signature
for
this
particular
email
using
this
particular
this
particular
algorithm
using
this
particular
public
key
fingerprint
for
sign
in-
and
this
is
actually
the
sign-in
part-
and
let
me
also
show
you
this
this
diagram
of
how
it's
actually
like
cryptographic,
sign-in,
actually
works.
B
We
have
a
data,
we
have
private
key
and
we
have
a
public
key
and
we
want
to
assign
this
data
and
verify
this
data.
We
have
the
data.
The
data
can
be
really
large
in
order
to
limit
somehow
limited
the
data
we
use.
We
use
Hessian
function
to
create
a
smaller
hash
of
this
data.
We
created
a
hash,
we
have
private
key
and
signature
algorithm,
we
use
signature
algorithm
and
the
private
key
in
order
to
encrypt
this
hash
and
this
encrypted
hash
encrypted
content.
It's
actually
our
signature
data
is
public.
Signature
is
public.
B
Now
we
want
to
verify
verify
the
data
matches
the
signature
we
have
like
data
and
Hessian
function.
We
use
the
data
and
fashion
function
to
calculate
the
hash.
We
have
a
signature
and
the
public
key.
We
use
verification
algorithm
and
the
public
key
to
get
the
hash
from
the
signature.
Then
we
just
compare
that
to
hashes
match
if
the
image
the
signature
and
data
is
correct,
what
wasn't
corrupted
and
if
it
doesn't
match
that
the
data
or
the
signature
was
corrupted
so.
D
Yeah
I
have
a
question
about
the
which
algorithm
did
you
actually
use
to
to
sign
the
the
data,
because
I
see
that
you
can
I
see
that
you
can
that's,
you
will
have
the
same
encryption
every
time
with
the
same
content,
so
I
thought
that
that
might
be
a
security
risk,
even
though
it's
very
unlikely,
but
it
might
then
be
it.
It's
exposed
to
a
Brute,
Force
attack
so.
A
B
We
use
this
private
key
and
like
a
particular
hash,
so
like
with
different
private
Keys,
we'll
receive
different.
B
Yeah
yeah
different
data
and
then
the
point
of
cryptography
yeah
that
it's
actually
hard
to
enumerate
yeah
to
her
to
guess
the
private
key
from.
B
Yellow
from
the
private
yeah
like
infinitely
heart
and
yeah,
and
that's
why
we
we
should
use
like
a
public
key
to
to
actually
decrypt
the
data
yeah.
D
B
That's
actually
that's
actually
a
good
question
and
that
was
and
yeah
that
was
I
actually
wanted
to
mention
yeah
thanks
for
mentioning
it.
Why
I
was
nervous
when
I
run
this
comment,
because
if
we,
for
example,
forget
to
or
if
you,
for
example,
leave
like
a
new
line
somewhere
here
there.
D
B
Of
hard
to
debug,
so
if,
for
example,
we
didn't
have
this
signature,
matched
to
this
signature,
yeah
I
would
be
in
panic
right
now.
Okay,.
B
Yeah
great
question
yeah.
Thank
you
very
much,
some
yeah.
Now
we
need
to
verify
verify
the
signature,
the
data
on
gitlab
site
and-
and
let
me
see-
and
we
have
this-
this
class,
which
actually
yeah
like
the
most
interesting
part
here-
is
this
class
and
it's
responsible
for
verifying
verifying
that
our
sine
data
and
signature,
the
same
text
and
signature
text
text
actually
matches
I.
Think
like
the
best
way
to
have
a
look
at
this
class,
is
to
run
run
the
test.
B
So
I
have
a
couple
of
bindings.
So,
let's
let's
try
and
run
the
test
and
see
the
internals,
how
it
actually
how
it
actually
works.
So.
B
Okay,
why
why
it's
running
like
we
using
this
class?
We
set
the
verification
status
like
data.
We
checked
that
the
signature
is
correct
and
in
order
to
check
it,
we
actually
use
the
signature
text
provided
by
Italy.
This
signature
text
is
actually
our
our
content
here.
So
if
we
have
a
look
and
this
signature
text
variable,
we
have
like
this
signature.
B
B
Let's
go
further
now
we
need
to
verify
that
the
sign
text
actually
matches
the
signature
and,
like
gem,
provides
the
verify,
verify
method
and
we
send
the
assigned
signed
text
into
fit.
This
sign
text
into
this
method
and-
and
this
gem
just
verifies
that
this
text,
actually
it
actually
matches
yeah
like
this
part.
This
part
here
is
executed,
and
now,
when
we
now,
we
verified
that
our
blob
is
valid.
Now
we
need
to
find
the
public.
B
B
We
try
to
find
it
and
we
find
it,
and
this
particular
key
record,
and
the
text
also
has
a
user
linked
to
this.
To
this
key
and
review
have
a
look
at
that
we
have
a
user,
and
now
we
can
verify
that
user.
This
user's
email
is
actually
the
one
specified
in
the
commit,
and
if
it's
the
same,
we
say
that
the
commit
is
verified.
B
If
one
of
these
steps
fails,
then
the
commit
is
not
verified,
so
I
think
I
think
that
it,
let
me
quickly
check
a
couple
of,
or
maybe,
if
you
have
questions
or
this
step
so
I'm
happy
to
answer
them.
B
Again,
so
maybe
it
looks
not
very
complex,
but
like
the
code
around
it
also
yeah,
we
had
to
also
take
into
the
account
that
this
signatures
they
should
be
stored,
because
if,
for
example,
someone
removes
SSH
ssh
key
and
the
sage
key,
the
commits
should
stay
verified.
So
if
the
commit
was
already
verified,
I
should
still
show
the
page
that
it's
verified.
So
this
data
is
stored
in
the
database.
C
Yeah
I
just
wanted
to
mention
a
couple
of
things
around
the
same
topic,
because
recently
I
was
reviewing
some
of
the
Mrs
related
to
that,
so
one
of
them
that
we
also
have.
It
was
a
surprise
for
me
that
we
have
a
signature
for
tax
and
I.
Think
there
will
be
support
on
the
this
x.
C
Something
numbers
algorithm,
not
SSH,
might
be
also
a
good
option
to
see
if
we
can
support
like
SSH
for
them
as
well
to
match
the
functionality
of
their
commits
and
texts
and
another
one
was
around
the
signature
from
the
Italy
side.
I
think
there
is
an
issue
around
that,
and
the
community
country
contributor
tries
to
implement
that
so
the
Comets
automatically
generated.
For
example,
the
merge
commit
that
Gita
retraining
rates
will
be
also
signed.
Is
the
and
verifiable.
B
Yeah,
that's
that's
a
great
great
Point
yeah
because,
for
example,
when
we
create
a
local
commit
yeah,
it
can
be
signed.
But
if,
for
example,
we
use
web
ID
or,
for
example,
squash
commit
or
merge
commits,
they
are
generated
by
Italy
created
by
gitlab.
So
we
actually
yeah
plan
to
have
like
an
SSH
key
pair
uploaded
like
system-wide
and
then
use
this
SSH
key
or,
for
example,
gpg
key.
In
order
to
sign
the
commits
and
verify
it
yourself
and
like
we
see
the
verified
page
that
the
commit
was
created
by
gitlab.
C
B
That's
a
great
Point.
That's
also
like
some
work
work
in
progress
and
it's
actually
a
good
contribution
because
we
also
have
a
setting
which
is
called
the
setting,
but
like
okay,
we
have
a
push
rule
that
we
can
reject
every
commit
that
is
not
signed.
So
if
we
set
this
option
now
like
web
ID
commits
or
merge
commits
can
be
accepted
because
they
are
not
signed
and
that's
actually
like
a
blocker
for
enabling
such
a
such
an
option
globally.
So.
C
B
Obviously
is
right:
it's
like
this
part
is
important
work
in
progress
like
revoking
nssh,
and
this
H
key
is
also
work
in
progress,
because
if
an
SSH
key
is
compromised,
someone
can
create
some
signed
commits
and
we
want
to
Mark
those
those
commits
unverified.
So
when
an
Sage
key
is
revoked,
we
not
only
want
to
remove
that
key,
but
also
Mark,
all
the
key.
All
the
commits
that
were
that
were
are
signed
using
that
key
is
unverified,
because
those
commits
are
also
going
to
be
compromised.
So.
A
This
work
in
progress.
Excuse
me,
Eagle,
sorry,
I
do
need
to
drop
off
on
recording
so
I'm
going
to
stop
the
recording,
but
I
think
you
can
continue
the
conversation.
I'm
sorry
I
have
another
meeting.