From: Junio C Hamano <gitster@pobox.com>
To: Sitaram Chamarty <sitaramc@gmail.com>
Cc: "git\@vger.kernel.org" <git@vger.kernel.org>
Subject: Re: saving "git push --signed" certificate blobs
Date: Tue, 30 Dec 2014 09:48:45 -0800
Message-ID: <xmqqiogtrptu.fsf@gitster.dls.corp.google.com>
In-Reply-To: <54A22586.70001@gmail.com> (Sitaram Chamarty's message of "Tue, 30 Dec 2014 09:39:42 +0530")
Sitaram Chamarty <sitaramc@gmail.com> writes:
> Just wanted to say there's a little script at [1] that saves the certificate
> blobs generated on the server side by "git push --signed".
>
> Quoting from the source:
>
> # Collects the cert blob on push and saves it, then, if a certain number of
> # signed pushes have been seen, processes all the "saved" blobs in one go,
> # adding them to the special ref 'refs/push-certs'. This is done in a way
> # that allows searching for all the certs pertaining to one specific branch
> # (thanks to Junio Hamano for this idea plus general brainstorming).
>
> Note that although I posted it in the gitolite ML, this has very little to do
> with gitolite. Any git server can use it, with only one very minor change [2]
> needed.
>
> sitaram
>
> [1]: https://groups.google.com/forum/#!topic/gitolite/7cSrU6JorEY
>
> [2]: Either set the GL_OPTIONS_GPC_PENDING environment variable by reading its
> value from 'git config', or replace the only line that uses that variable, with
> some other "test".
Nicely done.
We'd need to give you a tool to make it easy to create a "validated
chain of certificates" out of
    $ git log refs/push-certs -- refs/heads/master
to make the history this script creates truly useful, but I think it
is a very good start.
I can see that you tried to make the log output "human readable" by
reformatting $cf, but I am not sure if it gives us much value. I would
have expected that you would just use the blob contents for the log
message as-is, so that

    $ git log --pretty=raw refs/push-certs -- refs/heads/master |
      validate-cert-chain
can just work on blobs (shown in the "log" output) without having to
extract the blobs by doing something like
    $ git rev-list refs/push-certs -- refs/heads/master |
      while read commit
      do
          git cat-file blob $commit:refs/heads/master |
          validate-cert
      done
By the way, you seem to like "cat" too much, though. You don't have
to cat a single file into a pipeline.
Thanks.
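The "validated chain of certificates" tool the message asks for is sketched below as an added example; it is not code from the thread or from the gitolite script. It assumes the push certificate blobs have already been extracted (for instance with the `git cat-file` loop above) and are passed oldest first; the OIDs and the signature block in the sample blobs are constructed, and GPG signature verification is left to `gpg --verify`, only the presence of a signature block is checked here.

```python
"""Continuity check for 'git push --signed' certificates saved under refs/push-certs."""
import re

OID_RE = re.compile(r"^([0-9a-f]{40}) ([0-9a-f]{40}) (\S+)$")
ZERO_OID = "0" * 40

def parse_push_cert(blob):
    """Split a push certificate into header fields, ref updates and the PGP block."""
    body, sep, sig = blob.partition("-----BEGIN PGP SIGNATURE-----")
    header_text, _, updates_text = body.partition("\n\n")
    header = {}
    for line in header_text.splitlines():
        key, _, value = line.partition(" ")   # e.g. "pusher <ident> <timestamp> <tz>"
        header[key] = value
    updates = [m.groups() for m in map(OID_RE.match, updates_text.splitlines()) if m]
    return {"header": header, "updates": updates, "signature": sep + sig if sep else None}

def check_chain(certs, ref):
    """Return (ok, problems): each cert's old OID for `ref` must equal the previous new OID."""
    problems, prev_new = [], None
    for i, blob in enumerate(certs):
        cert = parse_push_cert(blob)
        if cert["header"].get("certificate") != "version 0.1":
            problems.append(f"cert {i}: unexpected header {cert['header']}")
        if cert["signature"] is None:
            problems.append(f"cert {i}: no PGP signature block")
        for old, new, name in cert["updates"]:
            if name != ref:
                continue            # updates to other refs belong to other chains
            if prev_new is not None and old != prev_new:
                # An unsigned push (or a lost certificate) sits between the two certs.
                problems.append(f"cert {i}: {ref} old {old[:7]} != previous new {prev_new[:7]} (gap)")
            prev_new = new
    return (not problems, problems)

# Constructed sample blobs in the format 'git push --signed' produces; not real signatures.
A, B, C, D = "1" * 40, "2" * 40, "3" * 40, "4" * 40
def _cert(old, new, extra=""):
    return ("certificate version 0.1\n"
            "pusher Alice <alice@example.org> 1419930000 +0000\n"
            "pushee git://example.org/repo.git\nnonce 1419930000-constructed\n\n"
            f"{old} {new} refs/heads/master\n{extra}"
            "-----BEGIN PGP SIGNATURE-----\n(constructed)\n-----END PGP SIGNATURE-----\n")
CERT_OK_1 = _cert(ZERO_OID, A)
CERT_OK_2 = _cert(A, B, f"{C} {D} refs/heads/topic\n")
CERT_GAP = _cert(C, D)   # old side is C, not B: master was moved without a certificate

if __name__ == "__main__":
    print(check_chain([CERT_OK_1, CERT_OK_2, CERT_GAP], "refs/heads/master"))
```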