From: David Turner <dturner@twopensource.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: Git Mailing List <git@vger.kernel.org>
Subject: Re: [PATCH 16/18] receive-pack: GPG-validate push certificates
Date: Wed, 20 Aug 2014 13:56:48 -0400 [thread overview]
Message-ID: <1408557408.1282.5.camel@leckie> (raw)
In-Reply-To: <CAPc5daXLBQdjPaWNxmwZqStiWu8qHRfDG6=JS=bhbzA+c5Ww5g@mail.gmail.com>
On Wed, 2014-08-20 at 10:29 -0700, Junio C Hamano wrote:
> On Wed, Aug 20, 2014 at 9:56 AM, David Turner <dturner@twopensource.com> wrote:
> > On Tue, 2014-08-19 at 15:06 -0700, Junio C Hamano wrote:
> >> Reusing the GPG signature check helpers we already have, verify
> >> the signature in receive-pack and give the results to the hooks
> >> via GIT_PUSH_CERT_{SIGNER,KEY,STATUS} environment variables.
> >>
> >> Policy decisions, such as accepting or rejecting a good signature by
> >> a key that is not fully trusted, is left to the hook and kept
> >> outside of the core.
> >
> > If I understand correctly, the hook does not have enough information to
> > make this decision, because it is missing the date from the signature.
>
> The full certificate is available to the hook so anything we can do the hook
> has enough information to do ;-) But of course we should try to make it
> easier for the hook to validate the request.
Excellent, then motivated hooks can do the right thing.
> > This might allow an old signed push to be replayed, moving the head of a
> > branch to an older state (say, one lacking the latest security updates).
>
> ... with old-sha1 recorded in the certificate?
That does prevent most replays, but it does not prevent resurrection of
a deleted branch by a replay of its initial creation (nor an undo of a
force-push to rollback). So I think we still need timestamps, but
parsing them out of the cert is not terrible.
next prev parent reply other threads:[~2014-08-20 17:56 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-19 22:06 [PATCH 00/18] Signed push Junio C Hamano
2014-08-19 22:06 ` [PATCH 01/18] receive-pack: do not overallocate command structure Junio C Hamano
2014-08-19 22:06 ` [PATCH 02/18] receive-pack: parse feature request a bit earlier Junio C Hamano
2014-08-19 22:31 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 03/18] receive-pack: do not reuse old_sha1[] to other things Junio C Hamano
2014-08-19 22:32 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 04/18] receive-pack: factor out queueing of command Junio C Hamano
2014-08-19 22:06 ` [PATCH 05/18] send-pack: move REF_STATUS_REJECT_NODELETE logic a bit higher Junio C Hamano
2014-08-19 22:06 ` [PATCH 06/18] send-pack: refactor decision to send update per ref Junio C Hamano
2014-08-19 22:06 ` [PATCH 07/18] send-pack: always send capabilities Junio C Hamano
2014-08-19 22:06 ` [PATCH 08/18] send-pack: factor out capability string generation Junio C Hamano
2014-08-19 22:06 ` [PATCH 09/18] send-pack: rename "new_refs" to "need_pack_data" Junio C Hamano
2014-08-19 22:06 ` [PATCH 10/18] send-pack: refactor inspecting and resetting status and sending commands Junio C Hamano
2014-08-19 22:06 ` [PATCH 11/18] send-pack: clarify that cmds_sent is a boolean Junio C Hamano
2014-08-19 22:06 ` [PATCH 12/18] gpg-interface: move parse_gpg_output() to where it should be Junio C Hamano
2014-08-19 22:06 ` [PATCH 13/18] gpg-interface: move parse_signature() " Junio C Hamano
2014-08-19 22:06 ` [PATCH 14/18] pack-protocol doc: typofix for PKT-LINE Junio C Hamano
2014-08-19 22:06 ` [PATCH 15/18] the beginning of the signed push Junio C Hamano
2014-08-20 2:48 ` brian m. carlson
2014-08-20 6:57 ` Bert Wesarg
2014-08-20 23:41 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 16/18] receive-pack: GPG-validate push certificates Junio C Hamano
2014-08-20 16:56 ` David Turner
2014-08-20 17:29 ` Junio C Hamano
2014-08-20 17:56 ` David Turner [this message]
2014-08-20 19:38 ` Junio C Hamano
2014-08-21 23:59 ` David Turner
2014-08-22 0:11 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 17/18] send-pack: send feature request on push-cert packet Junio C Hamano
2014-08-19 22:06 ` [PATCH 18/18] signed push: final protocol update Junio C Hamano
2014-08-21 19:28 ` Shawn Pearce
2014-08-21 23:40 ` Junio C Hamano
2014-08-22 3:06 ` Kyle J. McKay
2014-08-22 17:59 ` Junio C Hamano
2014-08-22 23:54 ` Shawn Pearce
2014-08-25 17:59 ` Junio C Hamano
2014-08-26 17:33 ` Shawn Pearce
2014-08-26 19:38 ` Junio C Hamano
2014-08-26 19:52 ` Junio C Hamano
2014-09-04 23:57 ` Junio C Hamano
2014-09-05 2:41 ` Shawn Pearce
2014-08-22 4:20 ` Junio C Hamano
2014-08-22 0:22 ` David Turner
2014-08-19 23:07 ` [PATCH 00/18] Signed push Duy Nguyen
2014-08-19 23:29 ` Junio C Hamano
2014-08-20 1:19 ` Nico Williams
2014-08-20 2:54 ` Junio C Hamano
2014-08-20 5:57 ` Junio C Hamano
2014-08-20 2:39 ` Junio C Hamano
2014-08-20 6:28 ` Nico Williams
2014-08-22 19:59 ` Stefan Beller
2014-08-22 20:03 ` Junio C Hamano
2014-08-22 20:22 ` Stefan Beller
2014-08-22 20:33 ` Junio C Hamano
2014-08-22 20:38 ` Stefan Beller
2014-08-22 22:32 ` Junio C Hamano
2014-08-22 22:51 ` Stefan Beller
2014-08-25 17:54 ` Junio C Hamano
2014-08-25 18:38 ` Jason Pyeron
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1408557408.1282.5.camel@leckie \
--to=dturner@twopensource.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).