Re: saving "git push --signed" certificate blobs

Sitaram Chamarty <sitaramc@xxxxxxxxx> writes:

> Just wanted to say there's a little script at [1] that saves the certificate
> blobs generated on the server side by "git push --signed".
>
> Quoting from the source:
>
> # Collects the cert blob on push and saves it, then, if a certain number of
> # signed pushes have been seen, processes all the "saved" blobs in one go,
> # adding them to the special ref 'refs/push-certs'.  This is done in a way
> # that allows searching for all the certs pertaining to one specific branch
> # (thanks to Junio Hamano for this idea plus general brainstorming).
>
> Note that although I posted it in the gitolite ML, this has very little to do
> with gitolite.  Any git server can use it, with only one very minor change [2]
> needed.
>
> sitaram
>
> [1]: https://groups.google.com/forum/#!topic/gitolite/7cSrU6JorEY
>
> [2]: Either set the GL_OPTIONS_GPC_PENDING environment variable by reading its
> value from 'git config', or replace the only line that uses that variable, with
> some other "test".

Nicely done.

We'd need to give you a tool to make it easy to create a "validated
chain of certificates" out of

    $ git log refs/push-certs -- refs/heads/master

to make the history this script creates truly useful, but I think it
is a very good start.

I can see that you tried to make the log output "human readable" by
reformatting $cf, I am not sure if it gives us much value.  I would
have expected that you would just use the blob contents for the log
message as-is, so that

    $ git log --pretty=raw refs/push-certs -- refs/heads/master |
      validate-cert-chain

can just work on blobs (shown in the "log" output) without having to
extract the blobs by doing something like

    $ git rev-list refs/push-certs -- refs/heads/master |
      while read commit
      do
          git cat-file blob $commit:refs/heads/master |
            validate-cert
      done

By the way, you seem to like "cat" too much, though.  You don't have
to cat a single file into a pipeline.

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
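The message above asks for a tool that turns the log of refs/push-certs into a "validated chain of certificates". The following is an added example, written for this page; it is not the script Sitaram posted and not part of git. It assumes the layout the thread describes: each commit on refs/push-certs carries one push certificate as a blob at the path of the ref it covers (e.g. refs/heads/master). The certificate format (a "certificate version 0.1" header block, a blank line, then "old-oid new-oid refname" lines, then an optional detached PGP armour) is the one receive-pack hands to hooks. The chain check is the part the message leaves unspecified: each certificate's old object id for the ref must equal the previous certificate's new object id, so an unrecorded or tampered push shows up as a break. Signature checking is delegated to gpg's detached-signature verify; the sample certificates below are constructed and carry no real signature, so the stand-alone run exercises parsing and chaining only.

```python
"""Walk 'git push --signed' certificates for one ref and check the chain.

Added example, not code from the git project or from Sitaram's script.
Assumes one certificate blob per commit on refs/push-certs, stored at the
path of the ref it covers (e.g. refs/heads/master).
"""
import os
import subprocess
import tempfile
from dataclasses import dataclass

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"


@dataclass
class PushCert:
    headers: dict      # e.g. {"certificate": "version 0.1", "pusher": ..., "nonce": ...}
    updates: list      # list of (old_oid, new_oid, refname)
    payload: str       # the text gpg signed (everything before the armour)
    signature: str     # PGP armour as it appeared, "" if the cert is unsigned


def parse_cert(text):
    """Split a push certificate into headers, ref updates and signature."""
    # git signs everything that precedes the armour header, so split there.
    idx = text.find(SIG_BEGIN)
    payload, signature = (text, "") if idx < 0 else (text[:idx], text[idx:])
    head, _, body = payload.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        key, _, value = line.partition(" ")
        headers[key] = value
    if headers.get("certificate") != "version 0.1":
        raise ValueError("not a push certificate: %r" % headers.get("certificate"))
    updates = []
    for line in body.splitlines():
        if line.strip():
            old, new, ref = line.split(" ", 2)
            updates.append((old, new, ref))
    return PushCert(headers, updates, payload, signature)


def gpg_verify(cert, gpg="gpg"):
    """Verify the detached signature with gpg; returns True only on exit 0.

    Which keys are trusted is gpg's business (its keyring and trust model);
    this only reports whether gpg accepted the signature over the payload.
    """
    if not cert.signature:
        return False
    with tempfile.TemporaryDirectory() as tmp:
        payload = os.path.join(tmp, "payload")
        sig = os.path.join(tmp, "payload.sig")
        with open(payload, "w") as f:
            f.write(cert.payload)
        with open(sig, "w") as f:
            f.write(cert.signature)
        proc = subprocess.run([gpg, "--verify", sig, payload], capture_output=True)
        return proc.returncode == 0


def check_chain(certs, ref, verify=None):
    """certs is oldest first. Returns a list of (index, problem) tuples; [] means a clean chain."""
    problems = []
    prev_new = None
    for i, cert in enumerate(certs):
        if verify is not None and not verify(cert):
            problems.append((i, "bad or missing signature"))
        hits = [u for u in cert.updates if u[2] == ref]
        if len(hits) != 1:
            problems.append((i, "certificate does not update %s exactly once" % ref))
            continue
        old, new, _ = hits[0]
        # Continuity: this push must start where the previous recorded push ended.
        if prev_new is not None and old != prev_new:
            problems.append((i, "old %s does not continue previous new %s" % (old[:12], prev_new[:12])))
        prev_new = new
    return problems


def load_certs_from_git(ref, certs_ref="refs/push-certs", repo="."):
    """Read the certificate blobs for ref from the certs_ref history, oldest first."""
    def git(*args):
        return subprocess.run(["git", "-C", repo, *args], capture_output=True, text=True, check=True).stdout
    commits = git("rev-list", "--reverse", certs_ref, "--", ref).split()
    return [parse_cert(git("cat-file", "blob", "%s:%s" % (c, ref))) for c in commits]


def _cert(old, new, ref="refs/heads/master"):
    # Constructed sample in the shape receive-pack produces; no real signature.
    return ("certificate version 0.1\n"
            "pusher Example Pusher <pusher@example.invalid> 1400000000 +0000\n"
            "pushee git://example.invalid/repo.git\n"
            "nonce 1400000000-deadbeef\n"
            "\n"
            "%s %s %s\n" % (old, new, ref))


# Constructed object ids: an intact chain and one with a gap before the third push.
SAMPLE_CHAIN = [_cert("0" * 40, "1" * 40), _cert("1" * 40, "2" * 40), _cert("2" * 40, "3" * 40)]
SAMPLE_BROKEN = [_cert("0" * 40, "1" * 40), _cert("1" * 40, "2" * 40), _cert("5" * 40, "3" * 40)]

if __name__ == "__main__":
    for name, sample in (("intact", SAMPLE_CHAIN), ("broken", SAMPLE_BROKEN)):
        print(name, check_chain([parse_cert(c) for c in sample], "refs/heads/master"))
```

Against a real server, `check_chain(load_certs_from_git("refs/heads/master"), "refs/heads/master", verify=gpg_verify)` does the whole job in one pass. Note that a clean chain only says the recorded certificates are consecutive and each was accepted by gpg; whether the signing key belongs to someone allowed to push that branch is a policy decision the hook, not this check, has to make.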


