On Wed, Aug 20, 2014 at 9:56 AM, David Turner <dtur...@twopensource.com> wrote:
> On Tue, 2014-08-19 at 15:06 -0700, Junio C Hamano wrote:
>> Reusing the GPG signature check helpers we already have, verify
>> the signature in receive-pack and give the results to the hooks
>> via GIT_PUSH_CERT_{SIGNER,KEY,STATUS} environment variables.
>> Policy decisions, such as accepting or rejecting a good signature by
>> a key that is not fully trusted, are left to the hook and kept
>> outside of the core.
> If I understand correctly, the hook does not have enough information to
> make this decision, because it is missing the date from the signature.

The full certificate is available to the hook, so anything we can do, the hook
has enough information to do ;-)  But of course we should try to make it
easier for the hook to validate the request.

I am not opposed to extracting the timestamp from the pushed-by header in the cert
and exporting it in another environment variable before calling the hook, but I am not sure
it is worth it, as that is already a single line of text.

> This might allow an old signed push to be replayed, moving the head of a
> branch to an older state (say, one lacking the latest security updates).

... with old-sha1 recorded in the certificate?
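One way a pre-receive hook could act on what is discussed above: take the signature verdict from the GIT_PUSH_CERT_* variables, read the timestamp from the certificate's pushed-by header, and require that every "old new ref" update receive-pack hands the hook appears verbatim in the certificate, so that the recorded old-sha1 ties the signature to the branch state it was made against. This is an added example, not code from this thread or from git itself. Assumptions: the certificate layout (a pushed-by header ending in epoch seconds and a timezone, a blank line, then one update line per ref), that the certificate text can be read as a blob named by GIT_PUSH_CERT (the interface git later shipped), the status letter G for a good, trusted signature, and the SHA-1s and addresses in the sample data, which are constructed.

```shell
#!/bin/sh
# Added example: a pre-receive hook that consumes a push certificate.
# Assumed certificate layout (the thread names the "pushed-by" header; the
# rest is an assumption): header lines, a blank line, then one
# "<old-sha1> <new-sha1> <ref>" line per requested update.

# Constructed sample certificate text (the signed-over content, no PGP armor).
SAMPLE_CERT='certificate version 0.1
pushed-by Example Pusher <pusher@example.com> 1408525200 -0700

3f786850e387550fdab836ed7e6dc881de23001b 89e6c98d92887913cadf06b2adb97f26cde4849b refs/heads/master
2b66fd261ee5c6cfc8de7fa466bab600bcfe4f69 2b1f9e7c1ac4b5f8d2c7b7b0a9f1e4d3c2b1a0f9 refs/heads/maint'

# Constructed stdin as pre-receive would see it for the original push.
SAMPLE_UPDATES='3f786850e387550fdab836ed7e6dc881de23001b 89e6c98d92887913cadf06b2adb97f26cde4849b refs/heads/master
2b66fd261ee5c6cfc8de7fa466bab600bcfe4f69 2b1f9e7c1ac4b5f8d2c7b7b0a9f1e4d3c2b1a0f9 refs/heads/maint'

# Constructed stdin for a replay of the same certificate after master moved on:
# the current tip (old-sha1) no longer matches what the certificate signed over.
MOVED_UPDATES='89e6c98d92887913cadf06b2adb97f26cde4849b 3f786850e387550fdab836ed7e6dc881de23001b refs/heads/master'

# Epoch seconds from the pushed-by header: "<name> <email> <epoch> <tz>".
cert_timestamp() {
    printf '%s\n' "$1" | awk '/^pushed-by /{ print $(NF-1); exit }'
}

# Update lines: everything after the first blank line.
cert_body() {
    printf '%s\n' "$1" | awk 'body { print } /^$/ { body = 1 }'
}

# Accept only certificates signed within max_age seconds before "now"
# (a small negative age tolerates clock skew between pusher and server).
check_freshness() {
    ts=$1 now=$2 max_age=$3
    [ "$ts" -gt 0 ] 2>/dev/null || return 1
    age=$((now - ts))
    [ "$age" -ge -60 ] && [ "$age" -le "$max_age" ]
}

# Every "old new ref" line receive-pack hands us must appear verbatim in the
# certificate: the old-sha1 binds the signature to the branch state it was
# made against, so a certificate replayed after the branch moved no longer
# matches the update actually being requested.
check_updates_in_cert() {
    body=$(cert_body "$1")
    printf '%s\n' "$2" | while IFS= read -r line; do
        [ -z "$line" ] && continue
        printf '%s\n' "$body" | grep -Fxq -- "$line" || exit 1
    done
}

# Returns 0 when the certificate is fresh and covers every requested update.
check_push_cert() {
    ts=$(cert_timestamp "$1")
    check_freshness "$ts" "$3" "${MAX_CERT_AGE:-300}" || return 1
    check_updates_in_cert "$1" "$2"
}

# Hook entry point: only runs when receive-pack set the status variable.
if [ -n "${GIT_PUSH_CERT_STATUS:-}" ]; then
    case $GIT_PUSH_CERT_STATUS in
    G) ;;   # good signature by a fully trusted key; anything else is rejected here
    *) echo "push cert: signature status '$GIT_PUSH_CERT_STATUS' (signer: ${GIT_PUSH_CERT_SIGNER:-?}, key: ${GIT_PUSH_CERT_KEY:-?})" >&2
       exit 1 ;;
    esac
    # Assumption: the certificate text is reachable as a blob named by GIT_PUSH_CERT.
    cert=$(git cat-file blob "$GIT_PUSH_CERT") || exit 1
    updates=$(cat)
    check_push_cert "$cert" "$updates" "$(date +%s)" || {
        echo "push cert: stale certificate or update not covered by it" >&2
        exit 1
    }
fi
```

The update-matching check is the part that implements the old-sha1 argument: a replayed certificate names the tip the branch had when it was signed, and a branch that has since moved presents a different old-sha1 on stdin, so the lines do not match. The freshness window is a separate, optional policy layered on top, which is where the timestamp David asked about would come in; MAX_CERT_AGE is a hypothetical knob for that window.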