From: Junio C Hamano <gitster@pobox.com>
To: git@vger.kernel.org
Subject: [PATCH 00/18] Signed push
Date: Tue, 19 Aug 2014 15:06:09 -0700 [thread overview]
Message-ID: <1408485987-3590-1-git-send-email-gitster@pobox.com> (raw)
While signed tags and commits assert that the objects thusly signed
came from you, who signed these objects, there is not a good way to
assert that you wanted to have a particular object at the tip of a
particular branch. My signing v2.0.1 tag only means I want to call
the version v2.0.1, and it does not mean I want to push it out to my
'master' branch---it is likely that I only want it in 'maint', so
the signature on the object alone is insufficient.
The only assurance to you that 'maint' points at what I wanted to
place there comes from your trust on the hosting site and my
authentication with it, which cannot easily audited later.
This series introduces a cryptographic assurance for ref updates
done by "git push" by introducing a mechanism that allows you to
sign a "push certificate" (for the lack of better name) every time
you push. Think of it as working on an axis orthogonal to the
traditional "signed tags".
The most interesting part starts at 15/18; everything that precedes
that patch are preparatory clean-ups.
[PATCH 15/18] the beginning of the signed push
This step presents the basic idea. If you remember the
underlying "git push" protocol exchange, it goes like this:
- The server advertises the existing refs and where they
point at, and the capabilities the server supports;
- The "git push" client sends update commands (one or more
"old-sha1 new-sha1 refname") followed by the pack data;
- The server unpacks and updates the refname to point at
new-sha1.
We introduce "push-cert" capability, and allow the client to
sign the "update commands" it will send to the server and
send this signature using the new "push-cert" command.
This certificate is exported to the pre/post-receive hooks
of the server, so that the pre-receive hook can GPG validate
(and possibly reject a bad push); post-receive hook can log
the certificate.
[PATCH 16/18] receive-pack: GPG-validate push certificates
This step builds a native GPG validation into the server to
help the pre-receive hook. The signature is verified
against the GPG keychain the server uses (it is likely that
you would want to set and export GNUPGHOME when starting
your server), and verification result is given to the
pre/post-receive hook.
[PATCH 17/18] send-pack: send feature request on push-cert packet
[PATCH 18/18] signed push: final protocol update
With the protocol introduced in 15/18, the update commands
and the push certificate record the same information twice;
the protocol was kept inefficient to make it easier to
review the changes.
These two steps updates the protocol to the final version,
which does not to send the update commands when a push
certificate is in use.
If the server's GPG keychain and pre-receive hook are properly set
up, a "git push --signed" over an unauthenticated and unencrypted
communication channel (aka "git daemon") can be made as secure as,
and even more secure than, the authenticated "git push ssh://".
With the signed push certificate, together with the connectivity
check done when the server accepts the packed data, we are assured
that the trusted user vouches for the history leading to the
proposed tips of refs (aka "new-sha1"s), and a man-in-the-middle
would not be able to make the server accept an update altered in
transit.
Junio C Hamano (18):
receive-pack: do not overallocate command structure
receive-pack: parse feature request a bit earlier
receive-pack: do not reuse old_sha1[] to other things
receive-pack: factor out queueing of command
send-pack: move REF_STATUS_REJECT_NODELETE logic a bit higher
send-pack: refactor decision to send update per ref
send-pack: always send capabilities
send-pack: factor out capability string generation
send-pack: rename "new_refs" to "need_pack_data"
send-pack: refactor inspecting and resetting status and sending commands
send-pack: clarify that cmds_sent is a boolean
gpg-interface: move parse_gpg_output() to where it should be
gpg-interface: move parse_signature() to where it should be
pack-protocol doc: typofix for PKT-LINE
the beginning of the signed push
receive-pack: GPG-validate push certificates
send-pack: send feature request on push-cert packet
signed push: final protocol update
Documentation/git-push.txt | 9 +-
Documentation/git-receive-pack.txt | 30 +++-
Documentation/technical/pack-protocol.txt | 24 ++-
Documentation/technical/protocol-capabilities.txt | 12 +-
builtin/push.c | 1 +
builtin/receive-pack.c | 161 +++++++++++++++---
commit.c | 36 -----
gpg-interface.c | 57 +++++++
gpg-interface.h | 18 ++-
send-pack.c | 188 ++++++++++++++++------
send-pack.h | 1 +
t/t5534-push-signed.sh | 77 +++++++++
tag.c | 20 ---
tag.h | 1 -
transport.c | 4 +
transport.h | 5 +
16 files changed, 502 insertions(+), 142 deletions(-)
create mode 100755 t/t5534-push-signed.sh
--
2.1.0-301-g54593e2
next reply other threads:[~2014-08-19 22:06 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-19 22:06 Junio C Hamano [this message]
2014-08-19 22:06 ` [PATCH 01/18] receive-pack: do not overallocate command structure Junio C Hamano
2014-08-19 22:06 ` [PATCH 02/18] receive-pack: parse feature request a bit earlier Junio C Hamano
2014-08-19 22:31 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 03/18] receive-pack: do not reuse old_sha1[] to other things Junio C Hamano
2014-08-19 22:32 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 04/18] receive-pack: factor out queueing of command Junio C Hamano
2014-08-19 22:06 ` [PATCH 05/18] send-pack: move REF_STATUS_REJECT_NODELETE logic a bit higher Junio C Hamano
2014-08-19 22:06 ` [PATCH 06/18] send-pack: refactor decision to send update per ref Junio C Hamano
2014-08-19 22:06 ` [PATCH 07/18] send-pack: always send capabilities Junio C Hamano
2014-08-19 22:06 ` [PATCH 08/18] send-pack: factor out capability string generation Junio C Hamano
2014-08-19 22:06 ` [PATCH 09/18] send-pack: rename "new_refs" to "need_pack_data" Junio C Hamano
2014-08-19 22:06 ` [PATCH 10/18] send-pack: refactor inspecting and resetting status and sending commands Junio C Hamano
2014-08-19 22:06 ` [PATCH 11/18] send-pack: clarify that cmds_sent is a boolean Junio C Hamano
2014-08-19 22:06 ` [PATCH 12/18] gpg-interface: move parse_gpg_output() to where it should be Junio C Hamano
2014-08-19 22:06 ` [PATCH 13/18] gpg-interface: move parse_signature() " Junio C Hamano
2014-08-19 22:06 ` [PATCH 14/18] pack-protocol doc: typofix for PKT-LINE Junio C Hamano
2014-08-19 22:06 ` [PATCH 15/18] the beginning of the signed push Junio C Hamano
2014-08-20 2:48 ` brian m. carlson
2014-08-20 6:57 ` Bert Wesarg
2014-08-20 23:41 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 16/18] receive-pack: GPG-validate push certificates Junio C Hamano
2014-08-20 16:56 ` David Turner
2014-08-20 17:29 ` Junio C Hamano
2014-08-20 17:56 ` David Turner
2014-08-20 19:38 ` Junio C Hamano
2014-08-21 23:59 ` David Turner
2014-08-22 0:11 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 17/18] send-pack: send feature request on push-cert packet Junio C Hamano
2014-08-19 22:06 ` [PATCH 18/18] signed push: final protocol update Junio C Hamano
2014-08-21 19:28 ` Shawn Pearce
2014-08-21 23:40 ` Junio C Hamano
2014-08-22 3:06 ` Kyle J. McKay
2014-08-22 17:59 ` Junio C Hamano
2014-08-22 23:54 ` Shawn Pearce
2014-08-25 17:59 ` Junio C Hamano
2014-08-26 17:33 ` Shawn Pearce
2014-08-26 19:38 ` Junio C Hamano
2014-08-26 19:52 ` Junio C Hamano
2014-09-04 23:57 ` Junio C Hamano
2014-09-05 2:41 ` Shawn Pearce
2014-08-22 4:20 ` Junio C Hamano
2014-08-22 0:22 ` David Turner
2014-08-19 23:07 ` [PATCH 00/18] Signed push Duy Nguyen
2014-08-19 23:29 ` Junio C Hamano
2014-08-20 1:19 ` Nico Williams
2014-08-20 2:54 ` Junio C Hamano
2014-08-20 5:57 ` Junio C Hamano
2014-08-20 2:39 ` Junio C Hamano
2014-08-20 6:28 ` Nico Williams
2014-08-22 19:59 ` Stefan Beller
2014-08-22 20:03 ` Junio C Hamano
2014-08-22 20:22 ` Stefan Beller
2014-08-22 20:33 ` Junio C Hamano
2014-08-22 20:38 ` Stefan Beller
2014-08-22 22:32 ` Junio C Hamano
2014-08-22 22:51 ` Stefan Beller
2014-08-25 17:54 ` Junio C Hamano
2014-08-25 18:38 ` Jason Pyeron
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1408485987-3590-1-git-send-email-gitster@pobox.com \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).