Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Commits on Oct 8, 2014
  1. @gitster

    Merge branch 'jc/push-cert'

    gitster authored
    Allow "git push" request to be signed, so that it can be verified and
    audited, using the GPG signature of the person who pushed, that the
    tips of branches at a public repository really point the commits
    the pusher wanted to, without having to "trust" the server.
    
    * jc/push-cert: (24 commits)
      receive-pack::hmac_sha1(): copy the entire SHA-1 hash out
      signed push: allow stale nonce in stateless mode
      signed push: teach smart-HTTP to pass "git push --signed" around
      signed push: fortify against replay attacks
      signed push: add "pushee" header to push certificate
      signed push: remove duplicated protocol info
      send-pack: send feature request on push-cert packet
      receive-pack: GPG-validate push certificates
      push: the beginning of "git push --signed"
      pack-protocol doc: typofix for PKT-LINE
      gpg-interface: move parse_signature() to where it should be
      gpg-interface: move parse_gpg_output() to where it should be
      send-pack: clarify that cmds_sent is a boolean
      send-pack: refactor inspecting and resetting status and sending commands
      send-pack: rename "new_refs" to "need_pack_data"
      receive-pack: factor out capability string generation
      send-pack: factor out capability string generation
      send-pack: always send capabilities
      send-pack: refactor decision to send update per ref
      send-pack: move REF_STATUS_REJECT_NODELETE logic a bit higher
      ...
Commits on Sep 15, 2014
  1. @gitster

    gpg-interface: move parse_signature() to where it should be

    gitster authored
    Our signed-tag objects set the standard format used by Git to store
    GPG-signed payload (i.e. the payload followed by its detached
    signature) [*1*], and it made sense to have a helper to find the
    boundary between the payload and its signature in tag.c back then.
    
    Newer code added later to parse other kinds of objects that learned
    to use the same format to store GPG-signed payload (e.g. signed
    commits), however, kept using the helper from the same location.
    
    Move it to gpg-interface; the helper is no longer about signed tag,
    but it is how our code and data interact with GPG.
    
    [Reference]
    *1* http://thread.gmane.org/gmane.linux.kernel/297998/focus=1383
    
    Signed-off-by: Junio C Hamano <gitster@pobox.com>
  2. @gitster

    gpg-interface: move parse_gpg_output() to where it should be

    gitster authored
    Earlier, ffb6d7d (Move commit GPG signature verification to
    commit.c, 2013-03-31) moved this helper that used to be in pretty.c
    (i.e. the output code path) to commit.c for better reusability.
    
    It was a good first step in the right direction, but still suffers
    from a myopic view that commits will be the only thing we would ever
    want to sign---we would actually want to be able to reuse it even
    wider.
    
    The function interprets what GPG said; gpg-interface is obviously a
    better place.  Move it there.
    
    Signed-off-by: Junio C Hamano <gitster@pobox.com>
Commits on Aug 20, 2014
  1. @gitster

    run-command: introduce CHILD_PROCESS_INIT

    René Scharfe authored gitster committed
    Most struct child_process variables are cleared using memset first after
    declaration.  Provide a macro, CHILD_PROCESS_INIT, that can be used to
    initialize them statically instead.  That's shorter, doesn't require a
    function call and is slightly more readable (especially given that we
    already have STRBUF_INIT, ARGV_ARRAY_INIT etc.).
    
    Helped-by: Johannes Sixt <j6t@kdbg.org>
    Signed-off-by: Rene Scharfe <l.s.r@web.de>
    Signed-off-by: Junio C Hamano <gitster@pobox.com>
Commits on Jun 23, 2014
  1. @mjg @gitster

    gpg-interface: provide access to the payload

    mjg authored gitster committed
    In contrast to tag signatures, commit signatures are put into the
    header, that is between the other header parts and commit messages.
    
    Provide access to the commit content sans the signature, which is the
    payload that is actually signed. Commit signature verification does the
    parsing anyways, and callers may wish to act on or display the commit
    object sans the signature.
    
    Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net>
    Signed-off-by: Junio C Hamano <gitster@pobox.com>
  2. @mjg @gitster

    gpg-interface: provide clear helper for struct signature_check

    mjg authored gitster committed
    The struct has been growing members whose malloced memory needs to be
    freed. Do this with one helper function so that no malloced memory shall
    be left unfreed.
    
    Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net>
    Signed-off-by: Junio C Hamano <gitster@pobox.com>
Commits on Mar 21, 2013
  1. @gitster

    Merge branch 'mg/gpg-interface-using-status'

    gitster authored
    Call "gpg" using the right API when validating the signature on
    tags.
    
    * mg/gpg-interface-using-status:
      pretty: make %GK output the signing key for signed commits
      pretty: parse the gpg status lines rather than the output
      gpg_interface: allow to request status return
      log-tree: rely upon the check in the gpg_interface
      gpg-interface: check good signature in a reliable way
Commits on Feb 14, 2013
  1. @mjg @gitster

    gpg_interface: allow to request status return

    mjg authored gitster committed
    Currently, verify_signed_buffer() returns the user facing output only.
    
    Allow callers to request the status output also.
    
    Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net>
    Signed-off-by: Junio C Hamano <gitster@pobox.com>
  2. @mjg @gitster

    gpg-interface: check good signature in a reliable way

    mjg authored gitster committed
    Currently, verify_signed_buffer() only checks the return code of gpg,
    and some callers implement additional unreliable checks for "Good
    signature" in the gpg output meant for the user.
    
    Use the status output instead and parse for a line beinning with
    "[GNUPG:] GOODSIG ". This is the only reliable way of checking for a
    good gpg signature.
    
    If needed we can change this easily to "[GNUPG:] VALIDSIG " if we want
    to take into account the trust model.
    
    Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net>
    Signed-off-by: Junio C Hamano <gitster@pobox.com>
Commits on Feb 7, 2013
  1. @gitster

    Merge branch 'sb/gpg-plug-fd-leak' into maint

    gitster authored
    We forgot to close the file descriptor reading from "gpg" output,
    killing "git log --show-signature" on a long history.
    
    * sb/gpg-plug-fd-leak:
      gpg: close stderr once finished with it in verify_signed_buffer()
  2. @gitster

    Merge branch 'sb/gpg-i18n'

    gitster authored
    * sb/gpg-i18n:
      gpg: allow translation of more error messages
Commits on Feb 6, 2013
  1. @gitster

    Merge branch 'sb/gpg-plug-fd-leak'

    gitster authored
    We forgot to close the file descriptor reading from "gpg" output,
    killing "git log --show-signature" on a long history.
    
    * sb/gpg-plug-fd-leak:
      gpg: close stderr once finished with it in verify_signed_buffer()
Commits on Jan 31, 2013
  1. @bebarino @gitster

    gpg: close stderr once finished with it in verify_signed_buffer()

    bebarino authored gitster committed
    Failing to close the stderr pipe in verify_signed_buffer() causes
    git to run out of file descriptors if there are many calls to
    verify_signed_buffer(). An easy way to trigger this is to run
    
     git log --show-signature --merges | grep "key"
    
    on the linux kernel git repo. Eventually it will fail with
    
     error: cannot create pipe for gpg: Too many open files
     error: could not run gpg.
    
    Close the stderr pipe so that this can't happen.
    
    Suggested-by: Jeff King <peff@peff.net>
    Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
    Signed-off-by: Junio C Hamano <gitster@pobox.com>
  2. @bebarino @gitster

    gpg: allow translation of more error messages

    bebarino authored gitster committed
    Mark these strings for translation so that error messages are
    printed in the user's language of choice.
    
    Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
    Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
    Signed-off-by: Junio C Hamano <gitster@pobox.com>
Commits on May 25, 2012
  1. @peff @gitster

    ident: rename IDENT_ERROR_ON_NO_NAME to IDENT_STRICT

    peff authored gitster committed
    Callers who ask for ERROR_ON_NO_NAME are not so much
    concerned that the name will be blank (because, after all,
    we will fall back to using the username), but rather it is a
    check to make sure that low-quality identities do not end up
    in things like commit messages or emails (whereas it is OK
    for them to end up in things like reflogs).
    
    When future commits add more quality checks on the identity,
    each of these callers would want to use those checks, too.
    Rather than modify each of them later to add a new flag,
    let's refactor the flag.
    
    Signed-off-by: Jeff King <peff@peff.net>
    Signed-off-by: Junio C Hamano <gitster@pobox.com>
Commits on Jan 5, 2012
  1. @gitster

    verify_signed_buffer: fix stale comment

    gitster authored
    The function used to take an integer flag to specify where the output
    should go, but these days we supply a strbuf to receive it.
    
    Signed-off-by: Junio C Hamano <gitster@pobox.com>
Commits on Nov 29, 2011
  1. @gitster

    gpg-interface: allow use of a custom GPG binary

    gitster authored
    Signed-off-by: Junio C Hamano <gitster@pobox.com>
Commits on Nov 5, 2011
  1. @gitster

    Split GPG interface into its own helper library

    gitster authored
    This mostly moves existing code from builtin/tag.c (for signing)
    and builtin/verify-tag.c (for verifying) to a new gpg-interface.c
    file to provide a more generic library interface.
    
     - sign_buffer() takes a payload strbuf, a signature strbuf, and a signing
       key, runs "gpg" to produce a detached signature for the payload, and
       appends it to the signature strbuf. The contents of a signed tag that
       concatenates the payload and the detached signature can be produced by
       giving the same strbuf as payload and signature strbuf.
    
     - verify_signed_buffer() takes a payload and a detached signature as
       <ptr, len> pairs, and runs "gpg --verify" to see if the payload matches
       the signature. It can optionally capture the output from GPG to allow
       the callers to pretty-print it in a way more suitable for their
       contexts.
    
    "verify-tag" (aka "tag -v") used to save the whole tag contents as if it
    is a detached signature, and fed gpg the payload part of the tag. It
    relied on gpg to fail when the given tag is not signed but just is
    annotated.  The updated run_gpg_verify() function detects the lack of
    detached signature in the input, and errors out without bothering "gpg".
    
    Signed-off-by: Junio C Hamano <gitster@pobox.com>
Something went wrong with that request. Please try again.