Skip to content

Commit a85b377

Browse files
committed
push: the beginning of "git push --signed"
While signed tags and commits assert that the objects thusly signed came from you, who signed these objects, there is not a good way to assert that you wanted to have a particular object at the tip of a particular branch. My signing v2.0.1 tag only means I want to call the version v2.0.1, and it does not mean I want to push it out to my 'master' branch---it is likely that I only want it in 'maint', so the signature on the object alone is insufficient. The only assurance to you that 'maint' points at what I wanted to place there comes from your trust on the hosting site and my authentication with it, which cannot easily audited later. Introduce a mechanism that allows you to sign a "push certificate" (for the lack of better name) every time you push, asserting that what object you are pushing to update which ref that used to point at what other object. Think of it as a cryptographic protection for ref updates, similar to signed tags/commits but working on an orthogonal axis. The basic flow based on this mechanism goes like this: 1. You push out your work with "git push --signed". 2. The sending side learns where the remote refs are as usual, together with what protocol extension the receiving end supports. If the receiving end does not advertise the protocol extension "push-cert", an attempt to "git push --signed" fails. Otherwise, a text file, that looks like the following, is prepared in core: certificate version 0.1 pusher Junio C Hamano <gitster@pobox.com> 1315427886 -0700 7339ca65... 21580ecb... refs/heads/master 3793ac5... 12850be... refs/heads/next The file begins with a few header lines, which may grow as we gain more experience. The 'pusher' header records the name of the signer (the value of user.signingkey configuration variable, falling back to GIT_COMMITTER_{NAME|EMAIL}) and the time of the certificate generation. After the header, a blank line follows, followed by a copy of the protocol message lines. Each line shows the old and the new object name at the tip of the ref this push tries to update, in the way identical to how the underlying "git push" protocol exchange tells the ref updates to the receiving end (by recording the "old" object name, the push certificate also protects against replaying). It is expected that new command packet types other than the old-new-refname kind will be included in push certificate in the same way as would appear in the plain vanilla command packets in unsigned pushes. The user then is asked to sign this push certificate using GPG, formatted in a way similar to how signed tag objects are signed, and the result is sent to the other side (i.e. receive-pack). In the protocol exchange, this step comes immediately before the sender tells what the result of the push should be, which in turn comes before it sends the pack data. 3. When the receiving end sees a push certificate, the certificate is written out as a blob. The pre-receive hook can learn about the certificate by checking GIT_PUSH_CERT environment variable, which, if present, tells the object name of this blob, and make the decision to allow or reject this push. Additionally, the post-receive hook can also look at the certificate, which may be a good place to log all the received certificates for later audits. Because a push certificate carry the same information as the usual command packets in the protocol exchange, we can omit the latter when a push certificate is in use and reduce the protocol overhead. This however is not included in this patch to make it easier to review (in other words, the series at this step should never be released without the remainder of the series, as it implements an interim protocol that will be incompatible with the final one). As such, the documentation update for the protocol is left out of this step. Signed-off-by: Junio C Hamano <gitster@pobox.com>
1 parent e543b3f commit a85b377

File tree

10 files changed

+253
-2
lines changed

10 files changed

+253
-2
lines changed

Documentation/config.txt

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2038,6 +2038,12 @@ rebase.autostash::
20382038
successful rebase might result in non-trivial conflicts.
20392039
Defaults to false.
20402040

2041+
receive.acceptpushcert::
2042+
By default, `git receive-pack` will advertise that it
2043+
accepts `git push --signed`. Setting this variable to
2044+
false disables it (this is a tentative variable that
2045+
will go away at the end of this series).
2046+
20412047
receive.autogc::
20422048
By default, git-receive-pack will run "git-gc --auto" after
20432049
receiving data from git-push and updating refs. You can stop

Documentation/git-push.txt

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,8 @@ SYNOPSIS
1010
--------
1111
[verse]
1212
'git push' [--all | --mirror | --tags] [--follow-tags] [-n | --dry-run] [--receive-pack=<git-receive-pack>]
13-
[--repo=<repository>] [-f | --force] [--prune] [-v | --verbose] [-u | --set-upstream]
13+
[--repo=<repository>] [-f | --force] [--prune] [-v | --verbose]
14+
[-u | --set-upstream] [--signed]
1415
[--force-with-lease[=<refname>[:<expect>]]]
1516
[--no-verify] [<repository> [<refspec>...]]
1617

@@ -129,6 +130,12 @@ already exists on the remote side.
129130
from the remote but are pointing at commit-ish that are
130131
reachable from the refs being pushed.
131132

133+
--signed::
134+
GPG-sign the push request to update refs on the receiving
135+
side, to allow it to be checked by the hooks and/or be
136+
logged. See linkgit:git-receive-pack[1] for the details
137+
on the receiving end.
138+
132139
--receive-pack=<git-receive-pack>::
133140
--exec=<git-receive-pack>::
134141
Path to the 'git-receive-pack' program on the remote

Documentation/git-receive-pack.txt

Lines changed: 18 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -53,6 +53,11 @@ the update. Refs to be created will have sha1-old equal to 0\{40},
5353
while refs to be deleted will have sha1-new equal to 0\{40}, otherwise
5454
sha1-old and sha1-new should be valid objects in the repository.
5555

56+
When accepting a signed push (see linkgit:git-push[1]), the signed
57+
push certificate is stored in a blob and an environment variable
58+
`GIT_PUSH_CERT` can be consulted for its object name. See the
59+
description of `post-receive` hook for an example.
60+
5661
This hook is called before any refname is updated and before any
5762
fast-forward checks are performed.
5863

@@ -101,9 +106,14 @@ the update. Refs that were created will have sha1-old equal to
101106
0\{40}, otherwise sha1-old and sha1-new should be valid objects in
102107
the repository.
103108

109+
The `GIT_PUSH_CERT` environment variable can be inspected, just as
110+
in `pre-receive` hook, after accepting a signed push.
111+
104112
Using this hook, it is easy to generate mails describing the updates
105113
to the repository. This example script sends one mail message per
106-
ref listing the commits pushed to the repository:
114+
ref listing the commits pushed to the repository, and logs the push
115+
certificates of signed pushes to a logger
116+
service:
107117

108118
#!/bin/sh
109119
# mail out commit update information.
@@ -119,6 +129,13 @@ ref listing the commits pushed to the repository:
119129
fi |
120130
mail -s "Changes to ref $ref" commit-list@mydomain
121131
done
132+
# log signed push certificate, if any
133+
if test -n "${GIT_PUSH_CERT-}"
134+
then
135+
(
136+
git cat-file blob ${GIT_PUSH_CERT}
137+
) | mail -s "push certificate" push-log@mydomain
138+
fi
122139
exit 0
123140

124141
The exit code from this hook invocation is ignored, however a

builtin/push.c

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -506,6 +506,7 @@ int cmd_push(int argc, const char **argv, const char *prefix)
506506
OPT_BIT(0, "no-verify", &flags, N_("bypass pre-push hook"), TRANSPORT_PUSH_NO_HOOK),
507507
OPT_BIT(0, "follow-tags", &flags, N_("push missing but relevant tags"),
508508
TRANSPORT_PUSH_FOLLOW_TAGS),
509+
OPT_BIT(0, "signed", &flags, N_("GPG sign the push"), TRANSPORT_PUSH_CERT),
509510
OPT_END()
510511
};
511512

builtin/receive-pack.c

Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -46,6 +46,9 @@ static void *head_name_to_free;
4646
static int sent_capabilities;
4747
static int shallow_update;
4848
static const char *alt_shallow_file;
49+
static int accept_push_cert = 1;
50+
static struct strbuf push_cert = STRBUF_INIT;
51+
static unsigned char push_cert_sha1[20];
4952

5053
static enum deny_action parse_deny_action(const char *var, const char *value)
5154
{
@@ -129,6 +132,11 @@ static int receive_pack_config(const char *var, const char *value, void *cb)
129132
return 0;
130133
}
131134

135+
if (strcmp(var, "receive.acceptpushcert") == 0) {
136+
accept_push_cert = git_config_bool(var, value);
137+
return 0;
138+
}
139+
132140
return git_default_config(var, value, cb);
133141
}
134142

@@ -146,6 +154,8 @@ static void show_ref(const char *path, const unsigned char *sha1)
146154
"report-status delete-refs side-band-64k quiet");
147155
if (prefer_ofs_delta)
148156
strbuf_addstr(&cap, " ofs-delta");
157+
if (accept_push_cert)
158+
strbuf_addstr(&cap, " push-cert");
149159
strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
150160
packet_write(1, "%s %s%c%s\n",
151161
sha1_to_hex(sha1), path, 0, cap.buf);
@@ -258,6 +268,25 @@ static int copy_to_sideband(int in, int out, void *arg)
258268
return 0;
259269
}
260270

271+
static void prepare_push_cert_sha1(struct child_process *proc)
272+
{
273+
static int already_done;
274+
struct argv_array env = ARGV_ARRAY_INIT;
275+
276+
if (!push_cert.len)
277+
return;
278+
279+
if (!already_done) {
280+
already_done = 1;
281+
if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
282+
hashclr(push_cert_sha1);
283+
}
284+
if (!is_null_sha1(push_cert_sha1)) {
285+
argv_array_pushf(&env, "GIT_PUSH_CERT=%s", sha1_to_hex(push_cert_sha1));
286+
proc->env = env.argv;
287+
}
288+
}
289+
261290
typedef int (*feed_fn)(void *, const char **, size_t *);
262291
static int run_and_feed_hook(const char *hook_name, feed_fn feed, void *feed_state)
263292
{
@@ -277,6 +306,8 @@ static int run_and_feed_hook(const char *hook_name, feed_fn feed, void *feed_sta
277306
proc.in = -1;
278307
proc.stdout_to_stderr = 1;
279308

309+
prepare_push_cert_sha1(&proc);
310+
280311
if (use_sideband) {
281312
memset(&muxer, 0, sizeof(muxer));
282313
muxer.proc = copy_to_sideband;
@@ -896,6 +927,27 @@ static struct command *read_head_info(struct sha1_array *shallow)
896927
quiet = 1;
897928
}
898929

930+
if (!strcmp(line, "push-cert")) {
931+
int true_flush = 0;
932+
char certbuf[1024];
933+
934+
for (;;) {
935+
len = packet_read(0, NULL, NULL,
936+
certbuf, sizeof(certbuf), 0);
937+
if (!len) {
938+
true_flush = 1;
939+
break;
940+
}
941+
if (!strcmp(certbuf, "push-cert-end\n"))
942+
break; /* end of cert */
943+
strbuf_addstr(&push_cert, certbuf);
944+
}
945+
946+
if (true_flush)
947+
break;
948+
continue;
949+
}
950+
899951
p = queue_command(p, line, linelen);
900952
}
901953
return commands;

send-pack.c

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@
1111
#include "transport.h"
1212
#include "version.h"
1313
#include "sha1-array.h"
14+
#include "gpg-interface.h"
1415

1516
static int feed_object(const unsigned char *sha1, int fd, int negative)
1617
{
@@ -210,6 +211,64 @@ static int ref_update_to_be_sent(const struct ref *ref, const struct send_pack_a
210211
}
211212
}
212213

214+
/*
215+
* the beginning of the next line, or the end of buffer.
216+
*
217+
* NEEDSWORK: perhaps move this to git-compat-util.h or somewhere and
218+
* convert many similar uses found by "git grep -A4 memchr".
219+
*/
220+
static const char *next_line(const char *line, size_t len)
221+
{
222+
const char *nl = memchr(line, '\n', len);
223+
if (!nl)
224+
return line + len; /* incomplete line */
225+
return nl + 1;
226+
}
227+
228+
static void generate_push_cert(struct strbuf *req_buf,
229+
const struct ref *remote_refs,
230+
struct send_pack_args *args)
231+
{
232+
const struct ref *ref;
233+
char stamp[60];
234+
char *signing_key = xstrdup(get_signing_key());
235+
const char *cp, *np;
236+
struct strbuf cert = STRBUF_INIT;
237+
int update_seen = 0;
238+
239+
datestamp(stamp, sizeof(stamp));
240+
strbuf_addf(&cert, "certificate version 0.1\n");
241+
strbuf_addf(&cert, "pusher %s %s\n", signing_key, stamp);
242+
strbuf_addstr(&cert, "\n");
243+
244+
for (ref = remote_refs; ref; ref = ref->next) {
245+
if (!ref_update_to_be_sent(ref, args))
246+
continue;
247+
update_seen = 1;
248+
strbuf_addf(&cert, "%s %s %s\n",
249+
sha1_to_hex(ref->old_sha1),
250+
sha1_to_hex(ref->new_sha1),
251+
ref->name);
252+
}
253+
if (!update_seen)
254+
goto free_return;
255+
256+
if (sign_buffer(&cert, &cert, signing_key))
257+
die(_("failed to sign the push certificate"));
258+
259+
packet_buf_write(req_buf, "push-cert\n");
260+
for (cp = cert.buf; cp < cert.buf + cert.len; cp = np) {
261+
np = next_line(cp, cert.buf + cert.len - cp);
262+
packet_buf_write(req_buf,
263+
"%.*s", (int)(np - cp), cp);
264+
}
265+
packet_buf_write(req_buf, "push-cert-end\n");
266+
267+
free_return:
268+
free(signing_key);
269+
strbuf_release(&cert);
270+
}
271+
213272
int send_pack(struct send_pack_args *args,
214273
int fd[], struct child_process *conn,
215274
struct ref *remote_refs,
@@ -245,6 +304,8 @@ int send_pack(struct send_pack_args *args,
245304
agent_supported = 1;
246305
if (server_supports("no-thin"))
247306
args->use_thin_pack = 0;
307+
if (args->push_cert && !server_supports("push-cert"))
308+
die(_("the receiving end does not support --signed push"));
248309

249310
if (!remote_refs) {
250311
fprintf(stderr, "No refs in common and none specified; doing nothing.\n"
@@ -273,6 +334,9 @@ int send_pack(struct send_pack_args *args,
273334
if (!args->dry_run)
274335
advertise_shallow_grafts_buf(&req_buf);
275336

337+
if (!args->dry_run && args->push_cert)
338+
generate_push_cert(&req_buf, remote_refs, args);
339+
276340
/*
277341
* Clear the status for each ref and see if we need to send
278342
* the pack data.

send-pack.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@ struct send_pack_args {
1111
use_thin_pack:1,
1212
use_ofs_delta:1,
1313
dry_run:1,
14+
push_cert:1,
1415
stateless_rpc:1;
1516
};
1617

t/t5534-push-signed.sh

Lines changed: 94 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,94 @@
1+
#!/bin/sh
2+
3+
test_description='signed push'
4+
5+
. ./test-lib.sh
6+
. "$TEST_DIRECTORY"/lib-gpg.sh
7+
8+
prepare_dst () {
9+
rm -fr dst &&
10+
test_create_repo dst &&
11+
12+
git push dst master:noop master:ff master:noff
13+
}
14+
15+
test_expect_success setup '
16+
# master, ff and noff branches pointing at the same commit
17+
test_tick &&
18+
git commit --allow-empty -m initial &&
19+
20+
git checkout -b noop &&
21+
git checkout -b ff &&
22+
git checkout -b noff &&
23+
24+
# noop stays the same, ff advances, noff rewrites
25+
test_tick &&
26+
git commit --allow-empty --amend -m rewritten &&
27+
git checkout ff &&
28+
29+
test_tick &&
30+
git commit --allow-empty -m second
31+
'
32+
33+
test_expect_success 'unsigned push does not send push certificate' '
34+
prepare_dst &&
35+
mkdir -p dst/.git/hooks &&
36+
write_script dst/.git/hooks/post-receive <<-\EOF &&
37+
# discard the update list
38+
cat >/dev/null
39+
# record the push certificate
40+
if test -n "${GIT_PUSH_CERT-}"
41+
then
42+
git cat-file blob $GIT_PUSH_CERT >../push-cert
43+
fi
44+
EOF
45+
46+
git push dst noop ff +noff &&
47+
! test -f dst/push-cert
48+
'
49+
50+
test_expect_success 'talking with a receiver without push certificate support' '
51+
prepare_dst &&
52+
mkdir -p dst/.git/hooks &&
53+
git -C dst config receive.acceptpushcert no &&
54+
write_script dst/.git/hooks/post-receive <<-\EOF &&
55+
# discard the update list
56+
cat >/dev/null
57+
# record the push certificate
58+
if test -n "${GIT_PUSH_CERT-}"
59+
then
60+
git cat-file blob $GIT_PUSH_CERT >../push-cert
61+
fi
62+
EOF
63+
64+
git push dst noop ff +noff &&
65+
! test -f dst/push-cert
66+
'
67+
68+
test_expect_success 'push --signed fails with a receiver without push certificate support' '
69+
prepare_dst &&
70+
mkdir -p dst/.git/hooks &&
71+
git -C dst config receive.acceptpushcert no &&
72+
test_must_fail git push --signed dst noop ff +noff 2>err &&
73+
test_i18ngrep "the receiving end does not support" err
74+
'
75+
76+
test_expect_success GPG 'signed push sends push certificate' '
77+
prepare_dst &&
78+
mkdir -p dst/.git/hooks &&
79+
write_script dst/.git/hooks/post-receive <<-\EOF &&
80+
# discard the update list
81+
cat >/dev/null
82+
# record the push certificate
83+
if test -n "${GIT_PUSH_CERT-}"
84+
then
85+
git cat-file blob $GIT_PUSH_CERT >../push-cert
86+
fi
87+
EOF
88+
89+
git push --signed dst noop ff +noff &&
90+
grep "$(git rev-parse noop ff) refs/heads/ff" dst/push-cert &&
91+
grep "$(git rev-parse noop noff) refs/heads/noff" dst/push-cert
92+
'
93+
94+
test_done

transport.c

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -480,6 +480,9 @@ static int set_git_option(struct git_transport_options *opts,
480480
die("transport: invalid depth option '%s'", value);
481481
}
482482
return 0;
483+
} else if (!strcmp(name, TRANS_OPT_PUSH_CERT)) {
484+
opts->push_cert = !!value;
485+
return 0;
483486
}
484487
return 1;
485488
}
@@ -823,6 +826,7 @@ static int git_transport_push(struct transport *transport, struct ref *remote_re
823826
args.progress = transport->progress;
824827
args.dry_run = !!(flags & TRANSPORT_PUSH_DRY_RUN);
825828
args.porcelain = !!(flags & TRANSPORT_PUSH_PORCELAIN);
829+
args.push_cert = !!(flags & TRANSPORT_PUSH_CERT);
826830

827831
ret = send_pack(&args, data->fd, data->conn, remote_refs,
828832
&data->extra_have);

0 commit comments

Comments
 (0)