[PATCH v3 00/21] Signed push

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The first round is found at $gmane/255520.
The second round is found at $gmane/255701.

While signed tags and commits assert that the objects thusly signed
came from you, who signed these objects, there is not a good way to
assert that you wanted to have a particular object at the tip of a
particular branch.  My signing v2.0.1 tag only means I want to call
the version v2.0.1, and it does not mean I want to push it out to my
'master' branch---it is likely that I only want it in 'maint', so
the signature on the object alone is insufficient.

The only assurance to you that 'maint' points at what I wanted to
place there comes from your trust on the hosting site and my
authentication with it, which cannot easily audited later.

This series introduces a cryptographic assurance for ref updates
done by "git push" by introducing a mechanism that allows you to
sign a "push certificate" (for the lack of better name) every time
you push.  Think of it as working on an axis orthogonal to the
traditional "signed tags".

The second round exportedt GIT_PUSH_CERT, pointing at an empty blob,
even when there was not any signed push going on, which has been
corrected in this version.

The last step of adding "nonce" still needs further thinking and
tweaking (the issue is that inherently smart-http is not as secure
as the native from replay-ability point of view; it needs to loosen
"has any of our ref changed since I started talking with this 'git
push'" check in receive-pack without this series already), but I
think everything else is in pretty good shape.

Junio C Hamano (21):
  receive-pack: do not overallocate command structure
  receive-pack: parse feature request a bit earlier
  receive-pack: do not reuse old_sha1[] for other things
  receive-pack: factor out queueing of command
  send-pack: move REF_STATUS_REJECT_NODELETE logic a bit higher
  send-pack: refactor decision to send update per ref
  send-pack: always send capabilities
  send-pack: factor out capability string generation
  receive-pack: factor out capability string generation
  send-pack: rename "new_refs" to "need_pack_data"
  send-pack: refactor inspecting and resetting status and sending commands
  send-pack: clarify that cmds_sent is a boolean
  gpg-interface: move parse_gpg_output() to where it should be
  gpg-interface: move parse_signature() to where it should be
  pack-protocol doc: typofix for PKT-LINE
  push: the beginning of "git push --signed"
  receive-pack: GPG-validate push certificates
  send-pack: send feature request on push-cert packet
  signed push: remove duplicated protocol info
  signed push: add "pushee" header to push certificate
  signed push: fortify against replay attacks

 Documentation/config.txt                          |   5 +
 Documentation/git-push.txt                        |   9 +-
 Documentation/git-receive-pack.txt                |  41 +++-
 Documentation/technical/pack-protocol.txt         |  49 ++++-
 Documentation/technical/protocol-capabilities.txt |  13 +-
 builtin/push.c                                    |   1 +
 builtin/receive-pack.c                            | 219 ++++++++++++++++++----
 commit.c                                          |  36 ----
 gpg-interface.c                                   |  57 ++++++
 gpg-interface.h                                   |  18 +-
 send-pack.c                                       | 202 +++++++++++++++-----
 send-pack.h                                       |   2 +
 t/t5534-push-signed.sh                            |  96 ++++++++++
 tag.c                                             |  20 --
 tag.h                                             |   1 -
 transport.c                                       |   5 +
 transport.h                                       |   5 +
 17 files changed, 630 insertions(+), 149 deletions(-)
 create mode 100755 t/t5534-push-signed.sh

-- 
2.1.0-399-g1364b4d

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]