saving "git push --signed" certificate blobs


saving "git push --signed" certificate blobs

Sitaram Chamarty
Hello,

Just wanted to say there's a little script at [1] that saves the certificate
blobs generated on the server side by "git push --signed".

Quoting from the source:

# Collects the cert blob on push and saves it, then, if a certain number of
# signed pushes have been seen, processes all the "saved" blobs in one go,
# adding them to the special ref 'refs/push-certs'.  This is done in a way
# that allows searching for all the certs pertaining to one specific branch
# (thanks to Junio Hamano for this idea plus general brainstorming).

Note that although I posted it in the gitolite ML, this has very little to do
with gitolite.  Any git server can use it, with only one very minor change [2]
needed.

sitaram

[1]: https://groups.google.com/forum/#!topic/gitolite/7cSrU6JorEY

[2]: Either set the GL_OPTIONS_GPC_PENDING environment variable by reading its
value from 'git config', or replace the only line that uses that variable, with
some other "test".
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to [hidden email]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: saving "git push --signed" certificate blobs

Junio C Hamano
Sitaram Chamarty <[hidden email]> writes:

> Just wanted to say there's a little script at [1] that saves the certificate
> blobs generated on the server side by "git push --signed".
>
> Quoting from the source:
>
> # Collects the cert blob on push and saves it, then, if a certain number of
> # signed pushes have been seen, processes all the "saved" blobs in one go,
> # adding them to the special ref 'refs/push-certs'.  This is done in a way
> # that allows searching for all the certs pertaining to one specific branch
> # (thanks to Junio Hamano for this idea plus general brainstorming).
>
> Note that although I posted it in the gitolite ML, this has very little to do
> with gitolite.  Any git server can use it, with only one very minor change [2]
> needed.
>
> sitaram
>
> [1]: https://groups.google.com/forum/#!topic/gitolite/7cSrU6JorEY
>
> [2]: Either set the GL_OPTIONS_GPC_PENDING environment variable by reading its
> value from 'git config', or replace the only line that uses that variable, with
> some other "test".

Nicely done.

We'd need to give you a tool to make it easy to create a "validated
chain of certificates" out of

    $ git log refs/push-certs -- refs/heads/master

to make the history this script creates truly useful, but I think it
is a very good start.

I can see that you tried to make the log output "human readable" by
reformatting $cf, I am not sure if it gives us much value.  I would
have expected that you would just use the blob contents for the log
message as-is, so that

    $ git log --pretty=raw refs/push-certs -- refs/heads/master |
      validate-cert-chain

can just work on blobs (shown in the "log" output) without having to
extract the blobs by doing something like

    $ git rev-list refs/push-certs -- refs/heads/master |
      while read commit
      do
                git cat-file blob $commit:refs/heads/master |
                validate-cert
      done

By the way, you seem to like "cat" too much, though.  You don't have
to cat a single file into a pipeline.

Thanks.

Re: saving "git push --signed" certificate blobs

Sitaram Chamarty
On 12/30/2014 11:18 PM, Junio C Hamano wrote:

> Sitaram Chamarty <[hidden email]> writes:
>
>> Just wanted to say there's a little script at [1] that saves the certificate
>> blobs generated on the server side by "git push --signed".
>>
>> Quoting from the source:
>>
>> # Collects the cert blob on push and saves it, then, if a certain number of
>> # signed pushes have been seen, processes all the "saved" blobs in one go,
>> # adding them to the special ref 'refs/push-certs'.  This is done in a way
>> # that allows searching for all the certs pertaining to one specific branch
>> # (thanks to Junio Hamano for this idea plus general brainstorming).
>>
>> Note that although I posted it in the gitolite ML, this has very little to do
>> with gitolite.  Any git server can use it, with only one very minor change [2]
>> needed.
>>
>> sitaram
>>
>> [1]: https://groups.google.com/forum/#!topic/gitolite/7cSrU6JorEY
>>
>> [2]: Either set the GL_OPTIONS_GPC_PENDING environment variable by reading its
>> value from 'git config', or replace the only line that uses that variable, with
>> some other "test".
>
> Nicely done.
>
> We'd need to give you a tool to make it easy to create a "validated
> chain of certificates" out of
>
>     $ git log refs/push-certs -- refs/heads/master
>
> to make the history this script creates truly useful, but I think it
> is a very good start.
>
> I can see that you tried to make the log output "human readable" by
> reformatting $cf, I am not sure if it gives us much value.  I would
> have expected that you would just use the blob contents for the log
> message as-is, so that
>
>     $ git log --pretty=raw refs/push-certs -- refs/heads/master |
>       validate-cert-chain
>
> can just work on blobs (shown in the "log" output) without having to
> extract the blobs by doing something like
>
>     $ git rev-list refs/push-certs -- refs/heads/master |
>       while read commit
>       do
>                 git cat-file blob $commit:refs/heads/master |
>                 validate-cert
>       done
I see what you mean.  And it looks like using "--format=%B" also works
pretty well.  Will fix.

> By the way, you seem to like "cat" too much, though.  You don't have
> to cat a single file into a pipeline.

Gee I hope Randal Schwartz is not on this list :)

Anyway the previous fix also removes most of them.

I'm attaching the current version so non-gitolite users can find it
without having to go to the gitolite repo.  For gitolite users, it's
somewhere in "contrib/" in the source tree.

sitaram

> Thanks.
>


[Attachment: save-push-signatures (6K)]
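As an added example (not Sitaram's save-push-signatures script, nor anything from the gitolite or git projects), the storage layout the thread converges on, written as POSIX shell around git plumbing: each certificate blob becomes a commit on refs/push-certs whose tree holds the blob at the path of the branch it certifies, and whose commit message is the blob itself, so `git log --format=%B refs/push-certs -- refs/heads/master` returns the certificates verbatim, as Junio suggested and Sitaram's follow-up confirms. The function names (save_push_cert, count_certs, certs_for, make_sample_cert, demo_repo), the pusher identity, nonces, object ids and the signature block are all constructed for the example; the signature is a placeholder string, not a real OpenPGP signature. It assumes git 2.0 or later for the comma form of `update-index --cacheinfo`.

```shell
#!/bin/sh
# Added example, not the script from the thread: record each "git push --signed"
# certificate as a commit on refs/push-certs whose tree holds the blob at the
# path of the branch it certifies and whose commit message is the blob itself.
# Every certificate value below (pusher, pushee, nonces, object ids, the
# signature block) is a constructed sample, not real signed data.
set -eu

# Identity for the bookkeeping commits (constructed values).
export GIT_AUTHOR_NAME="push-cert collector" GIT_AUTHOR_EMAIL="certs@example.invalid"
export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME" GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"

# save_push_cert REPO REF CERTFILE
# Runs in a subshell so GIT_INDEX_FILE and the temporaries stay local.
save_push_cert() (
    repo=$(cd "$1" && pwd); ref=$2; certfile=$3
    blob=$(git -C "$repo" hash-object -w --stdin < "$certfile")
    parent=$(git -C "$repo" rev-parse -q --verify refs/push-certs 2>/dev/null || true)
    # Build the tree in a private index so the repository's own index is untouched.
    export GIT_INDEX_FILE="$repo/push-certs.index"
    rm -f "$GIT_INDEX_FILE"
    # Start from the previous tree so certificates recorded for other branches are kept.
    [ -z "$parent" ] || git -C "$repo" read-tree "$parent"
    # Path = ref name: this is what lets "git log refs/push-certs -- REF" select
    # only the certificates that touched that branch.
    git -C "$repo" update-index --add --cacheinfo "100644,$blob,$ref"
    tree=$(git -C "$repo" write-tree)
    # The commit message is the raw certificate, so the log carries the blob
    # verbatim and no separate cat-file step is needed to read it back.
    if [ -n "$parent" ]; then
        commit=$(git -C "$repo" commit-tree "$tree" -p "$parent" < "$certfile")
    else
        commit=$(git -C "$repo" commit-tree "$tree" < "$certfile")
    fi
    git -C "$repo" update-ref refs/push-certs "$commit"
)

# count_certs REPO REF: how many certificates were recorded for REF.
count_certs() {
    git -C "$1" rev-list --count refs/push-certs -- "$2"
}

# certs_for REPO REF: the certificates for REF, newest first, straight from the
# log; with --format=%B each commit prints as its raw certificate text.
certs_for() {
    git -C "$1" log --format=%B refs/push-certs -- "$2"
}

# make_sample_cert NONCE REF OLD NEW: a constructed certificate in the layout
# "git push --signed" sends (header lines, blank line, one update line per ref,
# blank line, signature).  The signature is a placeholder string.
make_sample_cert() {
    printf 'certificate version 0.1\n'
    printf 'pusher Example Pusher <pusher@example.invalid> 1419960000 +0000\n'
    printf 'pushee ssh://git.example.invalid/repo.git\n'
    printf 'nonce %s\n\n' "$1"
    printf '%s %s %s\n\n' "$3" "$4" "$2"
    printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '(placeholder, not a real signature)' '-----END PGP SIGNATURE-----'
}

# demo_repo: build a throwaway bare repository, record two certificates for
# master and one for a topic branch, and print the repository path.
demo_repo() {
    repo=$(mktemp -d)
    git init -q --bare "$repo"
    z=0000000000000000000000000000000000000000
    a=1111111111111111111111111111111111111111
    b=2222222222222222222222222222222222222222
    make_sample_cert nonce-1 refs/heads/master "$z" "$a" > "$repo/cert1"
    make_sample_cert nonce-2 refs/heads/topic  "$z" "$b" > "$repo/cert2"
    make_sample_cert nonce-3 refs/heads/master "$a" "$b" > "$repo/cert3"
    save_push_cert "$repo" refs/heads/master "$repo/cert1"
    save_push_cert "$repo" refs/heads/topic  "$repo/cert2"
    save_push_cert "$repo" refs/heads/master "$repo/cert3"
    echo "$repo"
}

# Stand-alone run ("sh save-push-certs-example.sh demo"): record the sample
# certificates, then list the ones for master.
if [ "${1:-}" = demo ]; then
    R=$(demo_repo)
    echo "certificates recorded for master: $(count_certs "$R" refs/heads/master)"
    certs_for "$R" refs/heads/master
    rm -rf "$R"
fi
```

Two properties of this layout are worth keeping in mind. The per-branch query relies on git's history simplification: `git log refs/push-certs -- REF` lists the commits that changed the blob at that path, which works because every real certificate carries a fresh nonce and so differs from the previous one; two byte-identical blobs recorded back to back would collapse into a single log entry. And the ref is only a tamper-evident store of what the server saw: the "validated chain of certificates" Junio asks for still needs each message fed to signature verification against the keys the server trusts, which this example does not attempt.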