Yestin L. Harrison

Signing patches

In any distributed system, it is important to be able to tell your coauthors who you are in a secure way. One possible way to do this is to sign your patches, which Pijul does using PGP keys.

If you choose to do so, others will expect your patches to be signed, and will be able to reject attempts to impersonate you.

Signing patches doesn't prevent others from stealing your patches, ripping off the patches' signatures and signing them as their own, though.

After a keypair is generated, pijul record will automatically sign all your patches.

Generating a secret key

Pijul can generate signing keys, either per repository (the keys are then stored in the .pijul of that repository) or globally (in which case the keys are stored in your home directory, in .pijulconfig).

To generate a global signing key, run the following command in a terminal:

pijul key gen --signing-id

Uploading your public key to the Nest

For security reasons, the Nest will never offer you any interface to upload your public key.

Instead, Pijul can be asked to convince the Nest (or actually any other server) that you really own the secret key associated to your public key. Once you have a secret key, this can be done by running the following command in a terminal:

pijul key upload

Internally, that command asks the Nest to generate a challenge string, signs it, and replies with the signature. If the signature is correct, the Nest will know the public key, and recognise it as yours.