1. 17 Sep, 2014 2 commits
    • Junio C Hamano's avatar
      signed push: allow stale nonce in stateless mode · 5732373d
      Junio C Hamano authored
      When operating with the stateless RPC mode, we will receive a nonce
      issued by another instance of us that advertised our capability and
      refs some time ago.  Update the logic to check received nonce to
      detect this case, compute how much time has passed since the nonce
      was issued and report the status with a new environment variable
      GIT_PUSH_CERT_NONCE_SLOP to the hooks.
      
      GIT_PUSH_CERT_NONCE_STATUS will report "SLOP" in such a case.  The
      hooks are free to decide how large a slop it is willing to accept.
      
      Strictly speaking, the "nonce" is not really a "nonce" anymore in
      the stateless RPC mode, as it will happily take any "nonce" issued
      by it (which is protected by HMAC and its secret key) as long as it
      is fresh enough.  The degree of this security degradation, relative
      to the native protocol, is about the same as the "we make sure that
      the 'git push' decided to update our refs with new objects based on
      the freshest observation of our refs by making sure the values they
      claim the original value of the refs they ask us to update exactly
      match the current state" security is loosened to accomodate the
      stateless RPC mode in the existing code without this series, so
      there is no need for those who are already using smart HTTP to push
      to their repositories to be alarmed any more than they already are.
      
      In addition, the server operator can set receive.certnonceslop
      configuration variable to specify how stale a nonce can be (in
      seconds).  When this variable is set, and if the nonce received in
      the certificate that passes the HMAC check was less than that many
      seconds old, hooks are given "OK" in GIT_PUSH_CERT_NONCE_STATUS
      (instead of "SLOP") and the received nonce value is given in
      GIT_PUSH_CERT_NONCE, which makes it easier for a simple-minded
      hook to check if the certificate we received is recent enough.
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      5732373d
    • Junio C Hamano's avatar
      signed push: fortify against replay attacks · b89363e4
      Junio C Hamano authored
      In order to prevent a valid push certificate for pushing into an
      repository from getting replayed in a different push operation, send
      a nonce string from the receive-pack process and have the signer
      include it in the push certificate.  The receiving end uses an HMAC
      hash of the path to the repository it serves and the current time
      stamp, hashed with a secret seed (the secret seed does not have to
      be per-repository but can be defined in /etc/gitconfig) to generate
      the nonce, in order to ensure that a random third party cannot forge
      a nonce that looks like it originated from it.
      
      The original nonce is exported as GIT_PUSH_CERT_NONCE for the hooks
      to examine and match against the value on the "nonce" header in the
      certificate to notice a replay, but returned "nonce" header in the
      push certificate is examined by receive-pack and the result is
      exported as GIT_PUSH_CERT_NONCE_STATUS, whose value would be "OK"
      if the nonce recorded in the certificate matches what we expect, so
      that the hooks can more easily check.
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      b89363e4
  2. 15 Sep, 2014 2 commits
    • Junio C Hamano's avatar
      receive-pack: GPG-validate push certificates · d05b9618
      Junio C Hamano authored
      Reusing the GPG signature check helpers we already have, verify
      the signature in receive-pack and give the results to the hooks
      via GIT_PUSH_CERT_{SIGNER,KEY,STATUS} environment variables.
      
      Policy decisions, such as accepting or rejecting a good signature by
      a key that is not fully trusted, is left to the hook and kept
      outside of the core.
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      d05b9618
    • Junio C Hamano's avatar
      push: the beginning of "git push --signed" · a85b377d
      Junio C Hamano authored
      While signed tags and commits assert that the objects thusly signed
      came from you, who signed these objects, there is not a good way to
      assert that you wanted to have a particular object at the tip of a
      particular branch.  My signing v2.0.1 tag only means I want to call
      the version v2.0.1, and it does not mean I want to push it out to my
      'master' branch---it is likely that I only want it in 'maint', so
      the signature on the object alone is insufficient.
      
      The only assurance to you that 'maint' points at what I wanted to
      place there comes from your trust on the hosting site and my
      authentication with it, which cannot easily audited later.
      
      Introduce a mechanism that allows you to sign a "push certificate"
      (for the lack of better name) every time you push, asserting that
      what object you are pushing to update which ref that used to point
      at what other object.  Think of it as a cryptographic protection for
      ref updates, similar to signed tags/commits but working on an
      orthogonal axis.
      
      The basic flow based on this mechanism goes like this:
      
       1. You push out your work with "git push --signed".
      
       2. The sending side learns where the remote refs are as usual,
          together with what protocol extension the receiving end
          supports.  If the receiving end does not advertise the protocol
          extension "push-cert", an attempt to "git push --signed" fails.
      
          Otherwise, a text file, that looks like the following, is
          prepared in core:
      
      	certificate version 0.1
      	pusher Junio C Hamano <[email protected]> 1315427886 -0700
      
      	7339ca65... 21580ecb... refs/heads/master
      	3793ac56... 12850bec... refs/heads/next
      
          The file begins with a few header lines, which may grow as we
          gain more experience.  The 'pusher' header records the name of
          the signer (the value of user.signingkey configuration variable,
          falling back to GIT_COMMITTER_{NAME|EMAIL}) and the time of the
          certificate generation.  After the header, a blank line follows,
          followed by a copy of the protocol message lines.
      
          Each line shows the old and the new object name at the tip of
          the ref this push tries to update, in the way identical to how
          the underlying "git push" protocol exchange tells the ref
          updates to the receiving end (by recording the "old" object
          name, the push certificate also protects against replaying).  It
          is expected that new command packet types other than the
          old-new-refname kind will be included in push certificate in the
          same way as would appear in the plain vanilla command packets in
          unsigned pushes.
      
          The user then is asked to sign this push certificate using GPG,
          formatted in a way similar to how signed tag objects are signed,
          and the result is sent to the other side (i.e. receive-pack).
      
          In the protocol exchange, this step comes immediately before the
          sender tells what the result of the push should be, which in
          turn comes before it sends the pack data.
      
       3. When the receiving end sees a push certificate, the certificate
          is written out as a blob.  The pre-receive hook can learn about
          the certificate by checking GIT_PUSH_CERT environment variable,
          which, if present, tells the object name of this blob, and make
          the decision to allow or reject this push.  Additionally, the
          post-receive hook can also look at the certificate, which may be
          a good place to log all the received certificates for later
          audits.
      
      Because a push certificate carry the same information as the usual
      command packets in the protocol exchange, we can omit the latter
      when a push certificate is in use and reduce the protocol overhead.
      This however is not included in this patch to make it easier to
      review (in other words, the series at this step should never be
      released without the remainder of the series, as it implements an
      interim protocol that will be incompatible with the final one).
      As such, the documentation update for the protocol is left out of
      this step.
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      a85b377d
  3. 06 Sep, 2011 1 commit
  4. 01 Aug, 2011 1 commit
  5. 11 Jul, 2011 1 commit
  6. 06 Jul, 2011 1 commit
    • Martin von Zweigbergk's avatar
      Documentation: use [verse] for SYNOPSIS sections · 7791a1d9
      Martin von Zweigbergk authored
      The SYNOPSIS sections of most commands that span several lines already
      use [verse] to retain line breaks. Most commands that don't span
      several lines seem not to use [verse]. In the HTML output, [verse]
      does not only preserve line breaks, but also makes the section
      indented, which causes a slight inconsistency between commands that
      use [verse] and those that don't. Use [verse] in all SYNOPSIS sections
      for consistency.
      
      Also remove the blank lines from git-fetch.txt and git-rebase.txt to
      align with the other man pages. In the case of git-rebase.txt, which
      already uses [verse], the blank line makes the [verse] not apply to
      the last line, so removing the blank line also makes the formatting
      within the document more consistent.
      
      While at it, add single quotes to 'git cvsimport' for consistency with
      other commands.
      Signed-off-by: default avatarMartin von Zweigbergk <[email protected]>
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      7791a1d9
  7. 11 Mar, 2011 1 commit
    • Jeff King's avatar
      doc: drop author/documentation sections from most pages · 48bb914e
      Jeff King authored
      The point of these sections is generally to:
      
        1. Give credit where it is due.
      
        2. Give the reader an idea of where to ask questions or
           file bug reports.
      
      But they don't do a good job of either case. For (1), they
      are out of date and incomplete. A much more accurate answer
      can be gotten through shortlog or blame.  For (2), the
      correct contact point is generally [email protected], and even if you
      wanted to cc the contact point, the out-of-date and
      incomplete fields mean you're likely sending to somebody
      useless.
      
      So let's drop the fields entirely from all manpages except
      git(1) itself. We already point people to the mailing list
      for bug reports there, and we can update the Authors section
      to give credit to the major contributors and point to
      shortlog and blame for more information.
      
      Each page has a "This is part of git" footer, so people can
      follow that to the main git manpage.
      48bb914e
  8. 10 Jan, 2010 1 commit
    • Thomas Rast's avatar
      Documentation: spell 'git cmd' without dash throughout · 0b444cdb
      Thomas Rast authored
      The documentation was quite inconsistent when spelling 'git cmd' if it
      only refers to the program, not to some specific invocation syntax:
      both 'git-cmd' and 'git cmd' spellings exist.
      
      The current trend goes towards dashless forms, and there is precedent
      in 647ac702 (git-svn.txt: stop using dash-form of commands.,
      2009-07-07) to actively eliminate the dashed variants.
      
      Replace 'git-cmd' with 'git cmd' throughout, except where git-shell,
      git-cvsserver, git-upload-pack, git-receive-pack, and
      git-upload-archive are concerned, because those really live in the
      $PATH.
      0b444cdb
  9. 25 Oct, 2009 1 commit
  10. 20 Dec, 2008 1 commit
  11. 05 Jul, 2008 1 commit
  12. 02 Jul, 2008 2 commits
    • Jonathan Nieder's avatar
      Documentation formatting and cleanup · 483bc4f0
      Jonathan Nieder authored
      Following what appears to be the predominant style, format
      names of commands and commandlines both as `teletype text`.
      
      While we're at it, add articles ("a" and "the") in some
      places, italicize the name of the command in the manual page
      synopsis line, and add a comma or two where it seems appropriate.
      Signed-off-by: default avatarJonathan Nieder <[email protected]>
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      483bc4f0
    • Jonathan Nieder's avatar
      Documentation: be consistent about "git-" versus "git " · b1889c36
      Jonathan Nieder authored
      Since the git-* commands are not installed in $(bindir), using
      "git-command <parameters>" in examples in the documentation is
      not a good idea. On the other hand, it is nice to be able to
      refer to each command using one hyphenated word. (There is no
      escaping it, anyway: man page names cannot have spaces in them.)
      
      This patch retains the dash in naming an operation, command,
      program, process, or action. Complete command lines that can
      be entered at a shell (i.e., without options omitted) are
      made to use the dashless form.
      
      The changes consist only of replacing some spaces with hyphens
      and vice versa. After a "s/ /-/g", the unpatched and patched
      versions are identical.
      Signed-off-by: default avatarJonathan Nieder <[email protected]>
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      b1889c36
  13. 06 Jun, 2008 1 commit
  14. 07 Jan, 2008 1 commit
    • Dan McGee's avatar
      Documentation: rename gitlink macro to linkgit · 5162e697
      Dan McGee authored
      Between AsciiDoc 8.2.2 and 8.2.3, the following change was made to the stock
      Asciidoc configuration:
      
      @@ -149,7 +153,10 @@
       # Inline macros.
       # Backslash prefix required for escape processing.
       # (?s) re flag for line spanning.
      -(?su)[\\]?(?P<name>\w(\w|-)*?):(?P<target>\S*?)(\[(?P<attrlist>.*?)\])=
      +
      +# Explicit so they can be nested.
      +(?su)[\\]?(?P<name>(http|https|ftp|file|mailto|callto|image|link)):(?P<target>\S*?)(\[(?P<attrlist>.*?)\])=
      +
       # Anchor: [[[id]]]. Bibliographic anchor.
       (?su)[\\]?\[\[\[(?P<attrlist>[\w][\w-]*?)\]\]\]=anchor3
       # Anchor: [[id,xreflabel]]
      
      This default regex now matches explicit values, and unfortunately in this
      case gitlink was being matched by just 'link', causing the wrong inline
      macro template to be applied. By renaming the macro, we can avoid being
      matched by the wrong regex.
      Signed-off-by: Dan McGee's avatarDan McGee <[email protected]>
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      5162e697
  15. 25 Aug, 2007 1 commit
  16. 02 Jul, 2007 1 commit
  17. 12 Mar, 2007 1 commit
    • Shawn O. Pearce's avatar
      Change {pre,post}-receive hooks to use stdin · f43cd49f
      Shawn O. Pearce authored
      Sergey Vlasov, Andy Parkins and Alex Riesen all pointed out that it
      is possible for a single invocation of receive-pack to be given more
      refs than the OS might allow us to pass as command line parameters
      to a single hook invocation.
      
      We don't want to break these up into multiple invocations (like
      xargs might do) as that makes it impossible for the pre-receive
      hook to verify multiple related ref updates occur at the same time,
      and it makes it harder for post-receive to send out a single batch
      notification.
      
      Instead we pass the reference data on a pipe connected to the
      hook's stdin, supplying one ref per line to the hook.  This way a
      single hook invocation can obtain an infinite amount of ref data,
      without bumping into any operating system limits.
      Signed-off-by: default avatarShawn O. Pearce <[email protected]>
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      f43cd49f
  18. 07 Mar, 2007 1 commit
    • Shawn O. Pearce's avatar
      Teach receive-pack to run pre-receive/post-receive hooks · 05ef58ec
      Shawn O. Pearce authored
      Bill Lear pointed out that it is easy to send out notifications of
      changes with the update hook, but successful execution of the update
      hook does not necessarily mean that the ref was actually updated.
      Lock contention on the ref or being unable to append to the reflog
      may prevent the ref from being changed.  Sending out notifications
      prior to the ref actually changing is very misleading.
      
      To help this situation I am introducing two new hooks to the
      receive-pack flow: pre-receive and post-receive.  These new hooks
      are invoked only once per receive-pack execution and are passed
      three arguments per ref (refname, old-sha1, new-sha1).
      
      The new post-receive hook is ideal for sending out notifications,
      as it has the complete list of all refnames that were successfully
      updated as well as the old and new SHA-1 values.  This allows more
      interesting notifications to be sent.  Multiple ref updates could
      be easily summarized into one email, for example.
      
      The new pre-receive hook is ideal for logging update attempts, as it
      is run only once for the entire receive-pack operation.  It can also
      be used to verify multiple updates happen at once, e.g. an update
      to the `maint` head must also be accompained by a new annotated tag.
      
      Lots of documentation improvements for receive-pack are included
      in this change, as we want to make sure the new hooks are clearly
      explained.
      Signed-off-by: default avatarShawn O. Pearce <[email protected]>
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      05ef58ec
  19. 18 Jan, 2007 1 commit
  20. 21 Sep, 2006 1 commit
  21. 21 Jun, 2006 1 commit
  22. 05 Dec, 2005 1 commit
  23. 10 Oct, 2005 1 commit
  24. 20 Sep, 2005 1 commit
  25. 03 Sep, 2005 1 commit
  26. 03 Aug, 2005 1 commit
  27. 01 Aug, 2005 1 commit
    • Josef Weidendorfer's avatar
      [PATCH] Added hook in git-receive-pack · b1bf95bb
      Josef Weidendorfer authored
      Just before updating a ref,
      
          $GIT_DIR/hooks/update refname old-sha1 new-sha1
      
      is called if executable.  The hook can decline the ref to be
      updated by exiting with a non-zero status, or allow it to be
      updated by exiting with a zero status.  The mechanism also
      allows e.g sending of a mail with pushed commits on the remote
      repository.
      
      Documentation update with an example hook is included.
      
      jc: The credits of the basic idea and initial implementation go
      to Josef, but I ended up rewriting major parts of his patch, so
      bugs are all mine.  Also I changed the semantics for the hook
      from his original version (which were post-update hook) so that
      the hook can optionally decline to update the ref, and also can
      be used to implement the overall cleanups.  The latter was
      primarily to implement a suggestion from Linus that calling
      update-server-info should be made optional.
      Signed-off-by: default avatarJunio C Hamano <[email protected]>
      b1bf95bb
  28. 14 Jul, 2005 1 commit