zsh-users/antigen

Allow secure gpg verified cloning of modules via git signatures

Open

#302 opened on Nov 2, 2016

View on GitHub
 (0 comments) (1 reaction) (0 assignees)Shell (7,876 stars) (282 forks)batch import
EnhancementHelp wanted

Description

Git supports signatures (see https://github.com/zsh-users/antigen/issues/301) and these can be used to make downloading of git repos more secure.

You can verify signatures directly in git pulls: git pull --verify-signatures Or you can use git verify-commit HEAD to verify the latest commit.

Contributor guide

Tech stack
shell
Domain
clisecurity
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Shell scriptingGit basicsGPG basics
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
35
Research direction
Examine the cloning logic in the main antigen.zsh file. Implement an option to use 'git pull verify signatures' or a verification step after cloning. No linked PRs or comments exist, so the implementation path is open. Test with signed commits.