From: Junio C Hamano <gitster@pobox.com>
To: Shawn Pearce <spearce@spearce.org>
Cc: git <git@vger.kernel.org>
Subject: Re: [PATCH 18/18] signed push: final protocol update
Date: Thu, 21 Aug 2014 16:40:11 -0700 [thread overview]
Message-ID: <xmqqvbplpg2s.fsf@gitster.dls.corp.google.com> (raw)
In-Reply-To: <CAJo=hJuToRQDTkccV9BfVbs1YnjCrr2iPrG-HmTbJ=ds4r6MzA@mail.gmail.com> (Shawn Pearce's message of "Thu, 21 Aug 2014 12:28:05 -0700")
Shawn Pearce <spearce@spearce.org> writes:
> On Tue, Aug 19, 2014 at 3:06 PM, Junio C Hamano <gitster@pobox.com> wrote:
>>
>> + push-cert = PKT-LINE("push-cert" NUL capability-list LF)
>
> Haha. NUL. I love our wire protocol.
>
>> + PKT-LINE("certificate version 0.1" LF)
>> + PKT-LINE("pusher" ident LF)
>> + PKT-LINE(LF)
>> + *PKT-LINE(command LF)
>> + *PKT-LINE(GPG signature lines LF)
>
> Should we include the URL as part of this certificate?
>
> Perhaps the pusher means to sign the master branch of experimental
> tree, but not their trunk tree?
Yes, in $gmane/255582 I cover this and also mention that we would
need some "nonce" from the receiving end to make it harder to
replay.
Currently I am leaning toward to add both "pushed-to <URL>" and also
"nonce <nonce>", the latter of which the receiver can ask with
"push-cert=<nonce>" in its initial capability advertisement.
There are a few gotchas I can certainly use help on, especially from
a smart-http expert ;-).
* "pushed-to <URL>" will identify the site and the repository, so
you cannot MITM my push to an experimental server and replay it
against the authoritative server.
However, the receiving end may not even know what name its users
call the repository being pushed into. Obviously gethostname()
may not be what the pusher called us, and getcwd() may not match
the repository name without leading "/var/repos/shard3/" path
components stripped, for example.
I am not sure if we even have the necessary information at
send-pack.c::send_pack() level, where it already has an
established connection to the server (hence it does not need to
know to whom it is talking to).
* The receiving end will issue "push-cert=<nonce>" in its initial
capability advertisement, and this <nonce> will be given on the
PUSH_CERT_NONCE environment to the pre/post-receive hooks, to
allow the "nonce <nonce>" header in the signed certificate to be
checked against it. You cannot capture my an earlier push to the
authoritative server and replay it later.
That would all work well within a single receive-pack process,
but with "stateless" RPC, it is unclear to me how we should
arrange the <nonce> the initial instance of receive-pack placed
on its capability advertisement to be securely passed to the
instance of receive-pack that actually receives the push
certificate.
next prev parent reply other threads:[~2014-08-21 23:40 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-19 22:06 [PATCH 00/18] Signed push Junio C Hamano
2014-08-19 22:06 ` [PATCH 01/18] receive-pack: do not overallocate command structure Junio C Hamano
2014-08-19 22:06 ` [PATCH 02/18] receive-pack: parse feature request a bit earlier Junio C Hamano
2014-08-19 22:31 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 03/18] receive-pack: do not reuse old_sha1[] to other things Junio C Hamano
2014-08-19 22:32 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 04/18] receive-pack: factor out queueing of command Junio C Hamano
2014-08-19 22:06 ` [PATCH 05/18] send-pack: move REF_STATUS_REJECT_NODELETE logic a bit higher Junio C Hamano
2014-08-19 22:06 ` [PATCH 06/18] send-pack: refactor decision to send update per ref Junio C Hamano
2014-08-19 22:06 ` [PATCH 07/18] send-pack: always send capabilities Junio C Hamano
2014-08-19 22:06 ` [PATCH 08/18] send-pack: factor out capability string generation Junio C Hamano
2014-08-19 22:06 ` [PATCH 09/18] send-pack: rename "new_refs" to "need_pack_data" Junio C Hamano
2014-08-19 22:06 ` [PATCH 10/18] send-pack: refactor inspecting and resetting status and sending commands Junio C Hamano
2014-08-19 22:06 ` [PATCH 11/18] send-pack: clarify that cmds_sent is a boolean Junio C Hamano
2014-08-19 22:06 ` [PATCH 12/18] gpg-interface: move parse_gpg_output() to where it should be Junio C Hamano
2014-08-19 22:06 ` [PATCH 13/18] gpg-interface: move parse_signature() " Junio C Hamano
2014-08-19 22:06 ` [PATCH 14/18] pack-protocol doc: typofix for PKT-LINE Junio C Hamano
2014-08-19 22:06 ` [PATCH 15/18] the beginning of the signed push Junio C Hamano
2014-08-20 2:48 ` brian m. carlson
2014-08-20 6:57 ` Bert Wesarg
2014-08-20 23:41 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 16/18] receive-pack: GPG-validate push certificates Junio C Hamano
2014-08-20 16:56 ` David Turner
2014-08-20 17:29 ` Junio C Hamano
2014-08-20 17:56 ` David Turner
2014-08-20 19:38 ` Junio C Hamano
2014-08-21 23:59 ` David Turner
2014-08-22 0:11 ` Junio C Hamano
2014-08-19 22:06 ` [PATCH 17/18] send-pack: send feature request on push-cert packet Junio C Hamano
2014-08-19 22:06 ` [PATCH 18/18] signed push: final protocol update Junio C Hamano
2014-08-21 19:28 ` Shawn Pearce
2014-08-21 23:40 ` Junio C Hamano [this message]
2014-08-22 3:06 ` Kyle J. McKay
2014-08-22 17:59 ` Junio C Hamano
2014-08-22 23:54 ` Shawn Pearce
2014-08-25 17:59 ` Junio C Hamano
2014-08-26 17:33 ` Shawn Pearce
2014-08-26 19:38 ` Junio C Hamano
2014-08-26 19:52 ` Junio C Hamano
2014-09-04 23:57 ` Junio C Hamano
2014-09-05 2:41 ` Shawn Pearce
2014-08-22 4:20 ` Junio C Hamano
2014-08-22 0:22 ` David Turner
2014-08-19 23:07 ` [PATCH 00/18] Signed push Duy Nguyen
2014-08-19 23:29 ` Junio C Hamano
2014-08-20 1:19 ` Nico Williams
2014-08-20 2:54 ` Junio C Hamano
2014-08-20 5:57 ` Junio C Hamano
2014-08-20 2:39 ` Junio C Hamano
2014-08-20 6:28 ` Nico Williams
2014-08-22 19:59 ` Stefan Beller
2014-08-22 20:03 ` Junio C Hamano
2014-08-22 20:22 ` Stefan Beller
2014-08-22 20:33 ` Junio C Hamano
2014-08-22 20:38 ` Stefan Beller
2014-08-22 22:32 ` Junio C Hamano
2014-08-22 22:51 ` Stefan Beller
2014-08-25 17:54 ` Junio C Hamano
2014-08-25 18:38 ` Jason Pyeron
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqvbplpg2s.fsf@gitster.dls.corp.google.com \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=spearce@spearce.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).