git-commit-vandalism/builtin
Junio C Hamano a85b377d04 push: the beginning of "git push --signed"
While signed tags and commits assert that the objects thusly signed
came from you, who signed these objects, there is not a good way to
assert that you wanted to have a particular object at the tip of a
particular branch.  My signing v2.0.1 tag only means I want to call
the version v2.0.1, and it does not mean I want to push it out to my
'master' branch---it is likely that I only want it in 'maint', so
the signature on the object alone is insufficient.

The only assurance to you that 'maint' points at what I wanted to
place there comes from your trust on the hosting site and my
authentication with it, which cannot easily audited later.

Introduce a mechanism that allows you to sign a "push certificate"
(for the lack of better name) every time you push, asserting that
what object you are pushing to update which ref that used to point
at what other object.  Think of it as a cryptographic protection for
ref updates, similar to signed tags/commits but working on an
orthogonal axis.

The basic flow based on this mechanism goes like this:

 1. You push out your work with "git push --signed".

 2. The sending side learns where the remote refs are as usual,
    together with what protocol extension the receiving end
    supports.  If the receiving end does not advertise the protocol
    extension "push-cert", an attempt to "git push --signed" fails.

    Otherwise, a text file, that looks like the following, is
    prepared in core:

	certificate version 0.1
	pusher Junio C Hamano <gitster@pobox.com> 1315427886 -0700

	7339ca65... 21580ecb... refs/heads/master
	3793ac56... 12850bec... refs/heads/next

    The file begins with a few header lines, which may grow as we
    gain more experience.  The 'pusher' header records the name of
    the signer (the value of user.signingkey configuration variable,
    falling back to GIT_COMMITTER_{NAME|EMAIL}) and the time of the
    certificate generation.  After the header, a blank line follows,
    followed by a copy of the protocol message lines.

    Each line shows the old and the new object name at the tip of
    the ref this push tries to update, in the way identical to how
    the underlying "git push" protocol exchange tells the ref
    updates to the receiving end (by recording the "old" object
    name, the push certificate also protects against replaying).  It
    is expected that new command packet types other than the
    old-new-refname kind will be included in push certificate in the
    same way as would appear in the plain vanilla command packets in
    unsigned pushes.

    The user then is asked to sign this push certificate using GPG,
    formatted in a way similar to how signed tag objects are signed,
    and the result is sent to the other side (i.e. receive-pack).

    In the protocol exchange, this step comes immediately before the
    sender tells what the result of the push should be, which in
    turn comes before it sends the pack data.

 3. When the receiving end sees a push certificate, the certificate
    is written out as a blob.  The pre-receive hook can learn about
    the certificate by checking GIT_PUSH_CERT environment variable,
    which, if present, tells the object name of this blob, and make
    the decision to allow or reject this push.  Additionally, the
    post-receive hook can also look at the certificate, which may be
    a good place to log all the received certificates for later
    audits.

Because a push certificate carry the same information as the usual
command packets in the protocol exchange, we can omit the latter
when a push certificate is in use and reduce the protocol overhead.
This however is not included in this patch to make it easier to
review (in other words, the series at this step should never be
released without the remainder of the series, as it implements an
interim protocol that will be incompatible with the final one).
As such, the documentation update for the protocol is left out of
this step.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-15 13:23:20 -07:00
..
add.c read-cache: new API write_locked_index instead of write_index/write_cache 2014-06-13 11:49:10 -07:00
annotate.c annotate: use argv_array 2014-07-16 11:10:11 -07:00
apply.c Merge branch 'jk/misc-fixes-maint' 2014-07-28 11:30:41 -07:00
archive.c
bisect--helper.c
blame.c Merge branch 'rs/code-cleaning' 2014-07-22 10:59:37 -07:00
branch.c refactor skip_prefix to return a boolean 2014-06-20 10:44:43 -07:00
bundle.c
cat-file.c Merge branch 'jk/warn-on-object-refname-ambiguity' 2014-03-25 11:07:36 -07:00
check-attr.c Merge branch 'jc/check-attr-honor-working-tree' into maint 2014-03-18 14:03:03 -07:00
check-ignore.c
check-mailmap.c
check-ref-format.c
checkout-index.c entry.c: update cache_changed if refresh_cache is set in checkout_entry() 2014-06-13 11:49:39 -07:00
checkout.c Merge branch 'nd/split-index' 2014-07-16 11:25:40 -07:00
clean.c use xcalloc() to allocate zero-initialized memory 2014-07-21 10:30:21 -07:00
clone.c use local cloning if insteadOf makes a local URL 2014-07-17 11:17:13 -07:00
column.c
commit-tree.c commit_tree: take a pointer/len pair rather than a const strbuf 2014-06-12 10:29:41 -07:00
commit.c Merge branch 'ta/string-list-init' 2014-07-23 11:35:54 -07:00
config.c Merge branch 'jk/daemon-tolower' 2014-06-16 10:07:15 -07:00
count-objects.c
credential.c
describe.c hashmap: add simplified hashmap_get_from_hash() API 2014-07-07 13:56:35 -07:00
diff-files.c
diff-index.c
diff-tree.c Merge branch 'jk/alloc-commit-id' 2014-07-22 10:59:25 -07:00
diff.c Merge branch 'tg/diff-no-index-refactor' 2013-12-27 14:58:17 -08:00
fast-export.c Merge branch 'jk/commit-buffer-length' 2014-07-02 12:53:02 -07:00
fetch-pack.c Merge branch 'nd/shallow-clone' 2014-01-17 12:21:20 -08:00
fetch.c Merge branch 'jk/xstrfmt' 2014-07-09 11:34:05 -07:00
fmt-merge-msg.c Merge branch 'jk/xstrfmt' 2014-07-09 11:34:05 -07:00
for-each-ref.c use commit_list_count() to count the members of commit_lists 2014-07-17 13:36:25 -07:00
fsck.c refs.c: add a public is_branch function 2014-07-16 13:06:41 -07:00
gc.c Merge branch 'nd/daemonize-gc' into maint 2014-06-25 11:47:36 -07:00
get-tar-commit-id.c
grep.c Merge branch 'sk/spawn-less-case-insensitively-from-grep-O-i' into maint 2014-06-25 11:47:49 -07:00
hash-object.c
help.c builtin/help.c: speed up is_git_command() by checking for builtin commands first 2014-01-06 11:26:31 -08:00
index-pack.c Merge branch 'maint' 2014-07-21 12:35:39 -07:00
init-db.c i18n: only extract comments marked with "TRANSLATORS:" 2014-04-17 11:09:56 -07:00
log.c Merge branch 'jk/commit-buffer-length' into maint 2014-07-16 11:16:38 -07:00
ls-files.c pathspec: pass directory indicator to match_pathspec_item() 2014-02-24 14:37:19 -08:00
ls-remote.c builtin/ls-remote.c: rearrange xcalloc arguments 2014-05-27 14:00:43 -07:00
ls-tree.c pathspec: rename match_pathspec_depth() to match_pathspec() 2014-02-24 14:37:14 -08:00
mailinfo.c Merge branch 'rs/mailinfo-header-cmp' into maint 2014-06-25 11:48:23 -07:00
mailsplit.c mailsplit: sort maildir filenames more cleverly 2013-03-02 22:52:44 -08:00
merge-base.c Merge branch 'bm/merge-base-octopus-dedup' into maint 2014-02-13 13:38:59 -08:00
merge-file.c
merge-index.c
merge-ours.c
merge-recursive.c
merge-tree.c
merge.c Merge branch 'rs/code-cleaning' 2014-07-16 11:33:09 -07:00
mktag.c
mktree.c builtin/mktree.c: use ALLOC_GROW() in append_to_tree() 2014-03-03 14:54:45 -08:00
mv.c Merge branch 'nd/split-index' 2014-07-16 11:25:40 -07:00
name-rev.c use xstrfmt to replace xmalloc + strcpy/strcat 2014-06-19 15:20:54 -07:00
notes.c Merge branch 'mh/ref-transaction' 2014-06-03 12:06:41 -07:00
pack-objects.c Merge branch 'jk/repack-pack-writebitmaps-config' 2014-06-25 12:23:19 -07:00
pack-redundant.c
pack-refs.c
patch-id.c patch-id: make it stable against hunk reordering 2014-06-10 13:09:24 -07:00
prune-packed.c i18n: mark all progress lines for translation 2014-02-24 09:08:37 -08:00
prune.c Merge branch 'mh/replace-refs-variable-rename' 2014-03-14 14:27:06 -07:00
push.c push: the beginning of "git push --signed" 2014-09-15 13:23:20 -07:00
read-tree.c read-tree: note about dropping split-index mode or index version 2014-06-13 11:49:41 -07:00
receive-pack.c push: the beginning of "git push --signed" 2014-09-15 13:23:20 -07:00
reflog.c refs.c: add new functions reflog_exists and delete_reflog 2014-05-08 14:31:43 -07:00
remote-ext.c
remote-fd.c
remote.c Merge branch 'rs/ref-transaction-0' 2014-07-21 11:18:37 -07:00
repack.c Merge branch 'jk/strip-suffix' 2014-07-16 11:26:00 -07:00
replace.c Merge branch 'cc/replace-graft' 2014-07-27 15:14:18 -07:00
rerere.c rerere: fix for merge.conflictstyle 2014-04-30 10:30:02 -07:00
reset.c Merge branch 'nd/split-index' 2014-07-16 11:25:40 -07:00
rev-list.c commit: record buffer length in cache 2014-06-13 12:09:38 -07:00
rev-parse.c Merge branch 'jk/misc-fixes-maint' 2014-07-28 11:30:41 -07:00
revert.c parse-options: multi-word argh should use dash to separate words 2014-03-24 10:43:34 -07:00
rm.c read-cache: new API write_locked_index instead of write_index/write_cache 2014-06-13 11:49:10 -07:00
send-pack.c Merge branch 'nd/shallow-clone' 2014-01-17 12:21:20 -08:00
shortlog.c
show-branch.c Merge branch 'jk/misc-fixes-maint' 2014-07-28 11:30:41 -07:00
show-ref.c
stripspace.c
symbolic-ref.c
tag.c Merge branch 'jk/tag-sort' 2014-07-23 11:35:45 -07:00
unpack-file.c
unpack-objects.c Merge branch 'mh/replace-refs-variable-rename' 2014-03-14 14:27:06 -07:00
update-index.c Merge branch 'nd/split-index' 2014-07-16 11:25:40 -07:00
update-ref.c refs.c: change ref_transaction_update() to do error checking and return status 2014-07-14 11:54:42 -07:00
update-server-info.c
upload-archive.c
var.c
verify-commit.c verify-commit: scriptable commit signature verification 2014-06-23 15:50:31 -07:00
verify-pack.c verify-pack: use strbuf_strip_suffix 2014-06-30 13:43:32 -07:00
verify-tag.c
write-tree.c