The first round is found at $gmane/255520. The second round is found at $gmane/255701. While signed tags and commits assert that the objects thusly signed came from you, who signed these objects, there is not a good way to assert that you wanted to have a particular object at the tip of a particular branch. My signing v2.0.1 tag only means I want to call the version v2.0.1, and it does not mean I want to push it out to my 'master' branch---it is likely that I only want it in 'maint', so the signature on the object alone is insufficient. The only assurance to you that 'maint' points at what I wanted to place there comes from your trust on the hosting site and my authentication with it, which cannot easily audited later. This series introduces a cryptographic assurance for ref updates done by "git push" by introducing a mechanism that allows you to sign a "push certificate" (for the lack of better name) every time you push. Think of it as working on an axis orthogonal to the traditional "signed tags". The second round exportedt GIT_PUSH_CERT, pointing at an empty blob, even when there was not any signed push going on, which has been corrected in this version. The last step of adding "nonce" still needs further thinking and tweaking (the issue is that inherently smart-http is not as secure as the native from replay-ability point of view; it needs to loosen "has any of our ref changed since I started talking with this 'git push'" check in receive-pack without this series already), but I think everything else is in pretty good shape. Junio C Hamano (21): receive-pack: do not overallocate command structure receive-pack: parse feature request a bit earlier receive-pack: do not reuse old_sha1[] for other things receive-pack: factor out queueing of command send-pack: move REF_STATUS_REJECT_NODELETE logic a bit higher send-pack: refactor decision to send update per ref send-pack: always send capabilities send-pack: factor out capability string generation receive-pack: factor out capability string generation send-pack: rename "new_refs" to "need_pack_data" send-pack: refactor inspecting and resetting status and sending commands send-pack: clarify that cmds_sent is a boolean gpg-interface: move parse_gpg_output() to where it should be gpg-interface: move parse_signature() to where it should be pack-protocol doc: typofix for PKT-LINE push: the beginning of "git push --signed" receive-pack: GPG-validate push certificates send-pack: send feature request on push-cert packet signed push: remove duplicated protocol info signed push: add "pushee" header to push certificate signed push: fortify against replay attacks Documentation/config.txt | 5 + Documentation/git-push.txt | 9 +- Documentation/git-receive-pack.txt | 41 +++- Documentation/technical/pack-protocol.txt | 49 ++++- Documentation/technical/protocol-capabilities.txt | 13 +- builtin/push.c | 1 + builtin/receive-pack.c | 219 ++++++++++++++++++---- commit.c | 36 ---- gpg-interface.c | 57 ++++++ gpg-interface.h | 18 +- send-pack.c | 202 +++++++++++++++----- send-pack.h | 2 + t/t5534-push-signed.sh | 96 ++++++++++ tag.c | 20 -- tag.h | 1 - transport.c | 5 + transport.h | 5 + 17 files changed, 630 insertions(+), 149 deletions(-) create mode 100755 t/t5534-push-signed.sh -- 2.1.0-399-g1364b4d -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html