The first round is found at $gmane/255520
While signed tags and commits assert that the objects thusly signed
came from you, who signed these objects, there is not a good way to
assert that you wanted to have a particular object at the tip of a
particular branch. My signing v2.0.1 tag only means I want to call
the version v2.0.1, and it does not mean I want to push it out to my
'master' branch---it is likely that I only want it in 'maint', so
the signature on the object alone is insufficient.
The only assurance to you that 'maint' points at what I wanted to
place there comes from your trust on the hosting site and my
authentication with it, which cannot easily audited later.
This series introduces a cryptographic assurance for ref updates
done by "git push" by introducing a mechanism that allows you to
sign a "push certificate" (for the lack of better name) every time
you push. Think of it as working on an axis orthogonal to the
traditional "signed tags".
Notable changes from the first iteration are:
- "push --signed" against a receiver that does not support push
certificates used to downgrade to an unsigned push with a
warning; this round makes it die.
- The push-cert capability the receiver sends now with a value,
<nonce>; the certificate must include this value on the "nonce"
header to prevent a valid push certificate that was used to push
elsewhere from being replayed to push to an unrelated repository.
And several typofixes here and there.
Junio C Hamano (19):
receive-pack: do not overallocate command structure
receive-pack: parse feature request a bit earlier
receive-pack: do not reuse old_sha1 for other things
receive-pack: factor out queueing of command
send-pack: move REF_STATUS_REJECT_NODELETE logic a bit higher
send-pack: refactor decision to send update per ref
send-pack: always send capabilities
send-pack: factor out capability string generation
send-pack: rename "new_refs" to "need_pack_data"
send-pack: refactor inspecting and resetting status and sending
send-pack: clarify that cmds_sent is a boolean
gpg-interface: move parse_gpg_output() to where it should be
gpg-interface: move parse_signature() to where it should be
pack-protocol doc: typofix for PKT-LINE
the beginning of the signed push
receive-pack: GPG-validate push certificates
send-pack: send feature request on push-cert packet
signed push: signed push: remove duplicated protocol info
signed push: fortify against replay attacks
Documentation/git-push.txt | 9 +-
Documentation/git-receive-pack.txt | 41 ++++-
Documentation/technical/pack-protocol.txt | 25 ++-
Documentation/technical/protocol-capabilities.txt | 13 +-
builtin/push.c | 1 +
builtin/receive-pack.c | 199 ++++++++++++++++++----
commit.c | 36 ----
gpg-interface.c | 57 +++++++
gpg-interface.h | 18 +-
send-pack.c | 197 ++++++++++++++++-----
send-pack.h | 1 +
t/t5534-push-signed.sh | 82 +++++++++
tag.c | 20 ---
tag.h | 1 -
transport.c | 4 +
transport.h | 5 +
16 files changed, 564 insertions(+), 145 deletions(-)
create mode 100755 t/t5534-push-signed.sh
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html