Signing patches needs a bit more documentation [answers inside]

I created an account on, built pijul from source (version pijul-next), figured out how to get SSH auth working, then ran these pijul commands:

$ pijul keys --generate-signing
$ pijul keys --upload-to

Everything seems to be working. Let’s try signing something.

I just pushed a patch to nest before I uploaded my signing key, so let’s unrecord and re-record it.

$ pijul unrecord
Hash: 8tRMkGGk39xQ9Cf6vJnLNpzHiTu4WbRRotAB9fdCfcWpP6m7WTjbVBoqz3xesrpn5DoRwh2ZUohvtnUYkWbpe6nf
Internal id: QAFZaunwX1Q
Authors: ["Justin Charette <>"]
Timestamp: 2017-11-22 20:00:18.677536420 UTC

    Improve editor support.

   The editor config option can include CLI parameters to support gvim via "gvim -f".
Use process:Command::status() to run editor with parent stdin/stdout to support vim and nano.

Shall I unrecord this patch? [ynkad] y
Hash: 9NJRGRcuNb4MZcGY8JATAAAo81ntxAC4dXJxrK56fd7qbeyE4R6tjjikLiQKuv3LtSm2SQp8oMffvobBFjAaszaf
Internal id: UBVsxpFktwa
Authors: ["Florent Becker <>"]
Timestamp: 2017-11-22 13:48:03.390493572 UTC

    Tests: use grep rather than bash regexps for matching command outputs

Shall I unrecord this patch? [ynkad] d
$ pijul record
In file "/home/charetjc/files/development/rust/crates/pijul/pijul/src/commands/"

-         let _output = process::Command::new(editor)
-             .args(vec![patch_name_file.clone()])
-             .current_dir(repo_root)
-             .output()?;
+         let editor_cmd = editor.split(" ").to_owned().collect::<Vec<_>>();
+         let _exit_status = if 1 == editor_cmd.len() {
+             process::Command::new(&editor_cmd[0])
+                 .arg(patch_name_file.clone())
+                 .current_dir(repo_root)
+                 .status()?
+         } else {
+             process::Command::new(&editor_cmd[0])
+                 .args(&editor_cmd[1..])
+                 .arg(patch_name_file.clone())
+                 .current_dir(repo_root)
+                 .status()?
+         };

Shall I record this change? (1/1) [ynkad] y

Recorded patch 75hFzrsPDLgtLRR9FZSUmWnNtHoHAcnxmcsifNssV8LX6bqrBdnog3RXcUFqjSVjxSCjqkUJuahWuzwMZiG1k53p

Great, let’s check the patch on nest and see if it’s signed now.

Yep… and nope. I signed it, but I didn’t sign it. All documentation I found led me to this point.

The last step is to make sure your profile email address matches the email address used to author the patch.

I don’t quite understand why the email is necessary. The pijul docs point out that one cannot simply walk into mordor and throw paste the one ring any public signing key they please into Mount Doom onto their profile, because security. So the only way my signing pubkey is even associated with my nest account is because I authenticated with my SSH key when I ran pijul keys --upload-to.... If the pubkey from my boxofrox account validates the signature, then boxofrox must be charetjc at, yes? If I happen use a private email for nest account notifications and a public email for my patches, then signing patches is off the table, or vice versa.

Perhaps this is necessary in case I try to impersonate someone else…? Given I can change my author name to pmeunier at and update my profile email address to match and generate patches that are signed :white_check_mark: by boxofrox, this doesn’t seem like a thorough reason.

And did unrecording not unrecord the patch from How do I fix that? :sob: Hint: there’s an unrecord button I must click on to unrecord the old patch from the remote repo.

As always, I waste hours trying to figure these details out on my own, then after writing a plea for help, I realize or stumble upon the answer, or most of it at least. I’m just gonna leave this here to help out anyone else following in my bumbling footsteps.

Seriously, why do the emails have to match?


Hmm… This explains why signing is not working for me. I want to keep my email private so I only provided my name. The rationale is that if someone needs to reach me out she can open a discussion on the Nest. Maybe I am missing out somethings but if a signing key has a password shouldn’t that be enough to prove that I record something?

Edit: It seems that my patches are getting signed but the signatures don’t appear on The Nest probably because the patches doesn’t have an associated email

This is probably one of the least finished feature in Pijul and in the Nest. When core parts of the algorithm stop giving me problems, I’ll probably move on to signatures, as they are quite important.


Ok, I’m taking care of old problems in the Nest at the moment, I really want to solve this issue. My main priority is to make the Nest compile on stable, which is almost the case.

I’m thinking of switching back to PGP for signatures, now that Sequoia-PGP is starting to look more stable.


How do signatures work now?

Although I’ve never written the paper, one could’ve forward security like properties for commit signatures:

Any repo has a secret key used to sign all commits, and also an internal signing public key mini-repo that tracks public key history. Any “key update” command creates a new secret key, commits its public key into the public key repo, implicitly signed with the old signing key, and then deletes the old signing key.

In other words, the public key repo gives forensic information from with one could study repo compromises, assuming key update commends get issues often enough. You could do them every commit, but less often saves resources.

In the pijul book there is no documentation for commit signing, isn’t there?