[PATCH v2 00/19] Signed push

[Junio C Hamano <gitster@pobox.com>]

The first round is found at $gmane/255520

While signed tags and commits assert that the objects thusly signed
came from you, who signed these objects, there is not a good way to
assert that you wanted to have a particular object at the tip of a
particular branch.  My signing v2.0.1 tag only means I want to call
the version v2.0.1, and it does not mean I want to push it out to my
'master' branch---it is likely that I only want it in 'maint', so
the signature on the object alone is insufficient.

The only assurance to you that 'maint' points at what I wanted to
place there comes from your trust on the hosting site and my
authentication with it, which cannot easily audited later.

This series introduces a cryptographic assurance for ref updates
done by "git push" by introducing a mechanism that allows you to
sign a "push certificate" (for the lack of better name) every time
you push.  Think of it as working on an axis orthogonal to the
traditional "signed tags".

Notable changes from the first iteration are:

 - "push --signed" against a receiver that does not support push
   certificates used to downgrade to an unsigned push with a
   warning; this round makes it die.

 - The push-cert capability the receiver sends now with a value,
   <nonce>; the certificate must include this value on the "nonce"
   header to prevent a valid push certificate that was used to push
   elsewhere from being replayed to push to an unrelated repository.

And several typofixes here and there.

Junio C Hamano (19):
  receive-pack: do not overallocate command structure
  receive-pack: parse feature request a bit earlier
  receive-pack: do not reuse old_sha1[] for other things
  receive-pack: factor out queueing of command
  send-pack: move REF_STATUS_REJECT_NODELETE logic a bit higher
  send-pack: refactor decision to send update per ref
  send-pack: always send capabilities
  send-pack: factor out capability string generation
  send-pack: rename "new_refs" to "need_pack_data"
  send-pack: refactor inspecting and resetting status and sending
    commands
  send-pack: clarify that cmds_sent is a boolean
  gpg-interface: move parse_gpg_output() to where it should be
  gpg-interface: move parse_signature() to where it should be
  pack-protocol doc: typofix for PKT-LINE
  the beginning of the signed push
  receive-pack: GPG-validate push certificates
  send-pack: send feature request on push-cert packet
  signed push: signed push: remove duplicated protocol info
  signed push: fortify against replay attacks

 Documentation/git-push.txt                        |   9 +-
 Documentation/git-receive-pack.txt                |  41 ++++-
 Documentation/technical/pack-protocol.txt         |  25 ++-
 Documentation/technical/protocol-capabilities.txt |  13 +-
 builtin/push.c                                    |   1 +
 builtin/receive-pack.c                            | 199 ++++++++++++++++++----
 commit.c                                          |  36 ----
 gpg-interface.c                                   |  57 +++++++
 gpg-interface.h                                   |  18 +-
 send-pack.c                                       | 197 ++++++++++++++++-----
 send-pack.h                                       |   1 +
 t/t5534-push-signed.sh                            |  82 +++++++++
 tag.c                                             |  20 ---
 tag.h                                             |   1 -
 transport.c                                       |   4 +
 transport.h                                       |   5 +
 16 files changed, 564 insertions(+), 145 deletions(-)
 create mode 100755 t/t5534-push-signed.sh

-- 
2.1.0-304-g950f846