undef/git-commit-vandalism
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
a85b377d04
git-commit-vandalism/Documentation
History
Junio C Hamano a85b377d04 push: the beginning of "git push --signed" 
While signed tags and commits assert that the objects thusly signed
came from you, who signed these objects, there is not a good way to
assert that you wanted to have a particular object at the tip of a
particular branch.  My signing v2.0.1 tag only means I want to call
the version v2.0.1, and it does not mean I want to push it out to my
'master' branch---it is likely that I only want it in 'maint', so
the signature on the object alone is insufficient.

The only assurance to you that 'maint' points at what I wanted to
place there comes from your trust on the hosting site and my
authentication with it, which cannot easily audited later.

Introduce a mechanism that allows you to sign a "push certificate"
(for the lack of better name) every time you push, asserting that
what object you are pushing to update which ref that used to point
at what other object.  Think of it as a cryptographic protection for
ref updates, similar to signed tags/commits but working on an
orthogonal axis.

The basic flow based on this mechanism goes like this:

 1. You push out your work with "git push --signed".

 2. The sending side learns where the remote refs are as usual,
    together with what protocol extension the receiving end
    supports.  If the receiving end does not advertise the protocol
    extension "push-cert", an attempt to "git push --signed" fails.

    Otherwise, a text file, that looks like the following, is
    prepared in core:

	certificate version 0.1
	pusher Junio C Hamano <gitster@pobox.com> 1315427886 -0700

	7339ca65... 21580ecb... refs/heads/master
	3793ac56... 12850bec... refs/heads/next

    The file begins with a few header lines, which may grow as we
    gain more experience.  The 'pusher' header records the name of
    the signer (the value of user.signingkey configuration variable,
    falling back to GIT_COMMITTER_{NAME|EMAIL}) and the time of the
    certificate generation.  After the header, a blank line follows,
    followed by a copy of the protocol message lines.

    Each line shows the old and the new object name at the tip of
    the ref this push tries to update, in the way identical to how
    the underlying "git push" protocol exchange tells the ref
    updates to the receiving end (by recording the "old" object
    name, the push certificate also protects against replaying).  It
    is expected that new command packet types other than the
    old-new-refname kind will be included in push certificate in the
    same way as would appear in the plain vanilla command packets in
    unsigned pushes.

    The user then is asked to sign this push certificate using GPG,
    formatted in a way similar to how signed tag objects are signed,
    and the result is sent to the other side (i.e. receive-pack).

    In the protocol exchange, this step comes immediately before the
    sender tells what the result of the push should be, which in
    turn comes before it sends the pack data.

 3. When the receiving end sees a push certificate, the certificate
    is written out as a blob.  The pre-receive hook can learn about
    the certificate by checking GIT_PUSH_CERT environment variable,
    which, if present, tells the object name of this blob, and make
    the decision to allow or reject this push.  Additionally, the
    post-receive hook can also look at the certificate, which may be
    a good place to log all the received certificates for later
    audits.

Because a push certificate carry the same information as the usual
command packets in the protocol exchange, we can omit the latter
when a push certificate is in use and reduce the protocol overhead.
This however is not included in this patch to make it easier to
review (in other words, the series at this step should never be
released without the remainder of the series, as it implements an
interim protocol that will be incompatible with the final one).
As such, the documentation update for the protocol is left out of
this step.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-15 13:23:20 -07:00
..
howto Merge branch 'ss/howto-manage-trunk' 2014-06-06 11:39:12 -07:00
RelNotes Sync with 2.0.4 2014-07-30 14:25:46 -07:00
technical pack-protocol doc: typofix for PKT-LINE 2014-09-15 13:23:20 -07:00
.gitattributes
.gitignore doc: generate a list of valid merge tools 2013-02-02 21:46:52 -08:00
asciidoc.conf Documentation: avoid poor-man's small caps GIT 2013-02-01 13:53:25 -08:00
blame-options.txt blame: document multiple -L support 2013-08-06 14:34:43 -07:00
build-docdep.perl
cat-texi.perl Documentation: Strip texinfo anchors to avoid duplicates 2013-04-03 16:14:19 -07:00
cmd-list.perl
CodingGuidelines Merge branch 'po/error-message-style' 2014-07-16 11:33:03 -07:00
config.txt push: the beginning of "git push --signed" 2014-09-15 13:23:20 -07:00
date-formats.txt Correct word usage of "timezone" in "Documentation" directory 2013-11-12 10:47:17 -08:00
diff-config.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
diff-format.txt
diff-generate-patch.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
diff-options.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
docbook-xsl.css
docbook.xsl
everyday.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
fetch-options.txt fetch: allow explicit --refmap to override configuration 2014-06-05 15:13:12 -07:00
fix-texi.perl
git-add.txt Merge branch 'jl/nor-or-nand-and' 2014-04-08 12:00:28 -07:00
git-am.txt Merge branch 'cp/am-patch-format-doc' 2014-03-25 11:01:31 -07:00
git-annotate.txt
git-apply.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-archimport.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-archive.txt docs: clarify remote restrictions for git-upload-archive 2014-02-28 09:55:35 -08:00
git-bisect-lk2009.txt typofix: documentation 2013-07-22 16:06:48 -07:00
git-bisect.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-blame.txt docs/git-blame: explain more clearly the example pickaxe use 2014-02-11 11:03:07 -08:00
git-branch.txt Refer to branch.<name>.remote/merge when documenting --track 2013-09-09 11:03:01 -07:00
git-bundle.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-cat-file.txt cat-file: provide %(deltabase) batch format 2013-12-26 11:54:26 -08:00
git-check-attr.txt Merge branch 'jc/check-x-z' 2013-09-04 12:23:25 -07:00
git-check-ignore.txt check-ignore: Add option to ignore index contents 2013-09-12 15:40:29 -07:00
git-check-mailmap.txt builtin: add git-check-mailmap command 2013-07-13 10:19:37 -07:00
git-check-ref-format.txt Add new @ shortcut for HEAD 2013-09-12 14:39:34 -07:00
git-checkout-index.txt
git-checkout.txt Documentation: @{-N} can refer to a commit 2014-01-21 13:50:00 -08:00
git-cherry-pick.txt parse-options: multi-word argh should use dash to separate words 2014-03-24 10:43:34 -07:00
git-cherry.txt Documentation: revamp git-cherry(1) 2013-11-27 12:16:49 -08:00
git-citool.txt
git-clean.txt Documentation/git-clean: fix description for range 2013-07-24 19:16:13 -07:00
git-clone.txt docs/git-clone: clarify use of --no-hardlinks option 2014-02-11 11:03:07 -08:00
git-column.txt doc: remote author/documentation sections from more pages 2014-01-27 08:34:34 -08:00
git-commit-tree.txt commit-tree: add and document --no-gpg-sign 2014-02-24 14:51:35 -08:00
git-commit.txt Merge branch 'jc/rev-parse-argh-dashed-multi-words' 2014-04-08 11:59:27 -07:00
git-config.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-count-objects.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
git-credential-cache--daemon.txt
git-credential-cache.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-credential-store.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-credential.txt Documentation: make AsciiDoc links always point to HTML files 2013-09-06 14:49:06 -07:00
git-cvsexportcommit.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-cvsimport.txt Documentation: fix documentation AsciiDoc links for external urls 2014-02-20 14:14:58 -08:00
git-cvsserver.txt Merge branch 'ta/doc-no-small-caps' 2013-02-05 16:13:32 -08:00
git-daemon.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-describe.txt use 'commit-ish' instead of 'committish' 2013-09-04 15:03:03 -07:00
git-diff-files.txt
git-diff-index.txt Documentation/diff-index: mention two modes of operation 2013-05-20 15:50:44 -07:00
git-diff-tree.txt
git-diff.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
git-difftool.txt documentation: trivial style cleanups 2013-05-17 12:09:21 -07:00
git-fast-export.txt fast-export: add new --refspec option 2014-04-21 11:47:33 -07:00
git-fast-import.txt Merge branch 'fc/remote-helper-refmap' 2014-06-16 12:18:15 -07:00
git-fetch-pack.txt Merge branch 'tb/doc-fetch-pack-url' into maint 2013-12-17 11:34:24 -08:00
git-fetch.txt docs: Explain the purpose of fetch's and pull's <refspec> parameter. 2014-06-12 09:59:13 -07:00
git-filter-branch.txt Documentation: fix documentation AsciiDoc links for external urls 2014-02-20 14:14:58 -08:00
git-fmt-merge-msg.txt documentation: trivial style cleanups 2013-05-17 12:09:21 -07:00
git-for-each-ref.txt doc: remote author/documentation sections from more pages 2014-01-27 08:34:34 -08:00
git-format-patch.txt format-patch: add "--signature-file=<file>" option 2014-05-27 12:38:32 -07:00
git-fsck-objects.txt
git-fsck.txt documentation: trivial style cleanups 2013-05-17 12:09:21 -07:00
git-gc.txt gc --aggressive: make --depth configurable 2014-03-31 10:26:24 -07:00
git-get-tar-commit-id.txt
git-grep.txt grep: add grep.fullName config variable 2014-03-20 12:38:00 -07:00
git-gui.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-hash-object.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-help.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-http-backend.txt Merge commit 'doc/http-backend: missing accent grave in literal mark-up' 2014-04-09 11:45:04 -07:00
git-http-fetch.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-http-push.txt
git-imap-send.txt
git-index-pack.txt clone: open a shortcut for connectivity check 2013-05-28 08:07:20 -07:00
git-init-db.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-init.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-instaweb.txt
git-log.txt Merge branch 'jj/log-doc' into maint 2013-12-17 11:35:41 -08:00
git-ls-files.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-ls-remote.txt ls-remote doc: don't encourage use of branches-file 2013-06-23 00:33:58 -07:00
git-ls-tree.txt
git-mailinfo.txt documentation: trivial style cleanups 2013-05-17 12:09:21 -07:00
git-mailsplit.txt
git-merge-base.txt merge-base: teach "--fork-point" mode 2013-10-29 13:06:08 -07:00
git-merge-file.txt Documentation/git-merge-file: document option "--diff3" 2013-08-09 14:19:59 -07:00
git-merge-index.txt The name of the hash function is "SHA-1", not "SHA1" 2013-04-15 11:08:37 -07:00
git-merge-one-file.txt
git-merge-tree.txt use 'tree-ish' instead of 'treeish' 2013-09-04 15:02:56 -07:00
git-merge.txt merge: enable defaulttoupstream by default 2014-04-22 12:53:59 -07:00
git-mergetool--lib.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-mergetool.txt mergetool: document the default for --[no-]prompt 2014-04-24 11:29:05 -07:00
git-mktag.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-mktree.txt
git-mv.txt mv: better document side effects when moving a submodule 2014-01-07 14:33:04 -08:00
git-name-rev.txt use 'commit-ish' instead of 'committish' 2013-09-04 15:03:03 -07:00
git-notes.txt parse-options: multi-word argh should use dash to separate words 2014-03-24 10:43:34 -07:00
git-p4.txt git p4 doc: use two-line style for options with multiple spellings 2014-01-22 08:06:20 -08:00
git-pack-objects.txt upload-pack: send shallow info over stdin to pack-objects 2014-03-11 13:32:10 -07:00
git-pack-redundant.txt
git-pack-refs.txt Documentation: remove --prune from pack-refs examples 2013-07-18 16:23:46 -07:00
git-parse-remote.txt
git-patch-id.txt patch-id: make it stable against hunk reordering 2014-06-10 13:09:24 -07:00
git-prune-packed.txt git-prune-packed.txt: fix reference to GIT_OBJECT_DIRECTORY 2013-10-15 16:01:22 -07:00
git-prune.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
git-pull.txt Merge branch 'jc/maint-pull-docfix' into maint 2014-02-05 14:03:47 -08:00
git-push.txt push: the beginning of "git push --signed" 2014-09-15 13:23:20 -07:00
git-quiltimport.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-read-tree.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-rebase.txt rebase: add the --gpg-sign option 2014-02-11 14:48:20 -08:00
git-receive-pack.txt push: the beginning of "git push --signed" 2014-09-15 13:23:20 -07:00
git-reflog.txt Merge branch 'jc/prune-all' 2013-05-29 14:23:04 -07:00
git-relink.txt
git-remote-ext.txt doc: remote author/documentation sections from more pages 2014-01-27 08:34:34 -08:00
git-remote-fd.txt doc: remote author/documentation sections from more pages 2014-01-27 08:34:34 -08:00
git-remote-helpers.txto Rename {git- => git}remote-helpers.txt 2013-02-01 14:12:34 -08:00
git-remote-testgit.txt Merge branch 'jk/remote-helpers-doc' 2013-02-07 14:41:45 -08:00
git-remote.txt docs/git-remote: capitalize first word of initial blurb 2014-02-11 11:03:07 -08:00
git-repack.txt Merge branch 'jk/repack-pack-keep-objects' 2014-03-18 13:50:29 -07:00
git-replace.txt Merge branch 'cc/replace-graft' 2014-07-27 15:14:18 -07:00
git-request-pull.txt request-pull: documentation updates 2014-03-13 14:22:20 -07:00
git-rerere.txt
git-reset.txt Merge branch 'jl/nor-or-nand-and' 2014-04-08 12:00:28 -07:00
git-rev-list.txt rev-list: add bitmap mode to speed up object lists 2013-12-30 12:19:22 -08:00
git-rev-parse.txt Sync with maint 2014-07-22 11:00:23 -07:00
git-revert.txt parse-options: multi-word argh should use dash to separate words 2014-03-24 10:43:34 -07:00
git-rm.txt rm: better document side effects when removing a submodule 2014-01-07 14:34:06 -08:00
git-send-email.txt Merge branch 'mt/send-email-cover-to-cc' 2014-06-20 13:12:20 -07:00
git-send-pack.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-sh-i18n--envsubst.txt
git-sh-i18n.txt
git-sh-setup.txt Merge branch 'jc/reflog-doc' 2013-10-18 13:50:12 -07:00
git-shell.txt shell doc: remove stray "+" in example 2014-05-08 10:26:26 -07:00
git-shortlog.txt git-shortlog.txt: make SYNOPSIS match log, update OPTIONS 2013-04-21 23:11:02 -07:00
git-show-branch.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
git-show-index.txt The name of the hash function is "SHA-1", not "SHA1" 2013-04-15 11:08:37 -07:00
git-show-ref.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
git-show.txt Documentation/git-show.txt: include common diff options, like git-log.txt 2013-07-17 17:50:56 -07:00
git-stage.txt
git-stash.txt stash doc: mention short form -k in save description 2014-02-24 09:13:30 -08:00
git-status.txt Merge branch 'dw/doc-status-no-longer-shows-pound-prefix' 2014-03-31 16:30:52 -07:00
git-stripspace.txt Merge branch 'ta/doc-no-small-caps' 2013-02-05 16:13:32 -08:00
git-submodule.txt Merge branch 'mc/doc-submodule-sync-recurse' into maint 2014-07-10 11:08:31 -07:00
git-svn.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-symbolic-ref.txt
git-tag.txt tag: support configuring --sort via .gitconfig 2014-07-17 09:22:20 -07:00
git-tools.txt doc: various spelling fixes 2013-04-12 12:00:52 -07:00
git-unpack-file.txt
git-unpack-objects.txt Merge branch 'vd/doc-unpack-objects' into maint 2013-11-07 14:37:36 -08:00
git-update-index.txt update-index: new options to enable/disable split index mode 2014-06-13 11:49:41 -07:00
git-update-ref.txt update-ref --stdin -z: deprecate interpreting the empty string as zeros 2014-04-07 12:09:13 -07:00
git-update-server-info.txt
git-upload-archive.txt add uploadarchive.allowUnreachable option 2014-02-28 09:55:37 -08:00
git-upload-pack.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-var.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
git-verify-commit.txt verify-commit: scriptable commit signature verification 2014-06-23 15:50:31 -07:00
git-verify-pack.txt The name of the hash function is "SHA-1", not "SHA1" 2013-04-15 11:08:37 -07:00
git-verify-tag.txt The name of the hash function is "SHA-1", not "SHA1" 2013-04-15 11:08:37 -07:00
git-web--browse.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
git-whatchanged.txt whatchanged: document its historical nature 2013-08-13 09:01:54 -07:00
git-write-tree.txt
git.txt Sync with 2.0.4 2014-07-30 14:25:46 -07:00
gitattributes.txt gitattributes: document more clearly where macros are allowed 2014-01-14 13:56:56 -08:00
gitcli.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
gitcore-tutorial.txt Documentation: fix documentation AsciiDoc links for external urls 2014-02-20 14:14:58 -08:00
gitcredentials.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
gitcvs-migration.txt Documentation: fix documentation AsciiDoc links for external urls 2014-02-20 14:14:58 -08:00
gitdiffcore.txt diffcore-pickaxe doc: document -S and -G properly 2013-06-03 10:53:11 -07:00
gitglossary.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
githooks.txt Documentation: fix typos in man pages 2014-02-05 14:35:45 -08:00
gitignore.txt Merge branch 'nd/gitignore-trailing-whitespace' 2014-03-14 14:23:37 -07:00
gitk.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
gitmodules.txt status/commit: show staged submodules regardless of ignore config 2014-04-07 10:32:20 -07:00
gitnamespaces.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
gitremote-helpers.txt Merge branch 'fc/transport-helper-fixes' 2014-03-18 13:49:33 -07:00
gitrepository-layout.txt read-cache: split-index mode 2014-06-13 11:49:39 -07:00
gitrevisions.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
gittutorial-2.txt The name of the hash function is "SHA-1", not "SHA1" 2013-04-15 11:08:37 -07:00
gittutorial.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
gitweb.conf.txt Documentation: use "command-line" when used as a compound adjective, and fix other minor grammatical issues 2014-05-21 13:57:10 -07:00
gitweb.txt Documentation: fix documentation AsciiDoc links for external urls 2014-02-20 14:14:58 -08:00
gitworkflows.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
glossary-content.txt Documentation: wording fixes in the user manual and glossary 2014-05-28 10:40:06 -07:00
howto-index.sh howto-index.sh: use the $( ... ) construct for command substitution 2014-04-17 11:14:57 -07:00
i18n.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
install-doc-quick.sh
install-webdoc.sh install-webdoc.sh: use the $( ... ) construct for command substitution 2014-04-17 11:14:58 -07:00
line-range-format.txt line-range: teach -L^:RE to search from start of file 2013-08-06 14:48:02 -07:00
mailmap.txt
Makefile How to keep a project's canonical history correct. 2014-05-28 13:35:43 -07:00
manpage-1.72.xsl
manpage-base-url.xsl.in
manpage-base.xsl
manpage-bold-literal.xsl
manpage-normal.xsl
manpage-quote-apos.xsl
manpage-suppress-sp.xsl
merge-config.txt Merge branch 'da/mergetool-docs' 2013-02-07 14:42:16 -08:00
merge-options.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
merge-strategies.txt Merge branch 'rr/doc-merge-strategies' into maint 2014-04-03 13:39:03 -07:00
pretty-formats.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
pretty-options.txt Documentation: fix misuses of "nor" 2014-03-31 15:16:22 -07:00
pull-fetch-param.txt docs: Explain the purpose of fetch's and pull's <refspec> parameter. 2014-06-12 09:59:13 -07:00
rev-list-options.txt Merge branch 'jl/nor-or-nand-and' 2014-04-08 12:00:28 -07:00
revisions.txt Documentation: mention config sources for @{upstream} 2014-05-13 12:35:00 -07:00
sequencer.txt
SubmittingPatches Merge branch 'rs/doc-submitting-patches' into maint 2013-12-17 11:38:23 -08:00
urls-remotes.txt Documentation: the name of the system is 'Git', not 'git' 2013-02-01 13:53:33 -08:00
urls.txt Merge branch 'ft/doc-git-transport' into maint 2013-07-21 22:51:24 -07:00
user-manual.conf
user-manual.txt Merge branch 'jm/doc-wording-tweaks' 2014-06-16 12:18:39 -07:00