"git push --signed"

Sitaram Chamarty

Dec 29, 2014, 3:20:39 AM
to Gitolite Google Groups, gitolite...@googlegroups.com
Git 2.2 onwards has a "--signed" option to the push command.

With inputs and ideas from Junio, I've written some simple code that
records all the certificate blobs (see "BACKGROUND" section below for
details) into a special ref ("refs/push-certs").

Please note that this really has nothing to do with gitolite per se;
the code can be used in a non-gitolite installation with very little
change.

It's pretty well commented so I'd appreciate feedback.

regards
sitaram

----------------------------------------------------------------------

BACKGROUND
----------

Git on the server side deals with push certs as documented in "man
git-receive-pack"; of interest to us is the fact that an environment
variable called GIT_PUSH_CERT is made available to the pre- and
post-receive hooks. This contains the SHA of a blob, which contains the
actual certificate text.

An example certificate may look like this:

certificate version 0.1
pusher C O Mitter <comm...@example.com> 1419238097 +0530
pushee /home/glt/b
nonce 1419238097-3cb8bb5a9c717d35982d

f514fc30baacd1283f69d090a320936b52e99e23 56ebf02ec195ddf3a73fad36776da443f5e08beb refs/heads/master
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEABECAAYFAlSX2tEACgkQE7b1Hs3eQw2pTACfYcOy1FztL8U3kERcnlgdEnpn
ZVIAoOJKbizf+hw/1LmoImNcciNmhGbH
=K95F
-----END PGP SIGNATURE-----

However, these cert blobs are not saved or processed by git itself, in
any way. Left alone, they will eventually get GC-ed.

This program is about making them part of the permanent record in some
way.
(attachment: save-push-signatures)
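Below is a post-receive hook that does what the message describes: parse the certificate that receive-pack hands to hooks in GIT_PUSH_CERT and append the blob to refs/push-certs so it can never be garbage-collected. It is an added example written for this page, not the save-push-signatures program attached to the post, and it is not gitolite code. It assumes git 2.2 or later, a bare repository (so the hook's working directory is the repository itself), that receive.certNonceSeed is set on the server (receive-pack only advertises push-cert, and therefore only sets GIT_PUSH_CERT, when it has a nonce seed), and that the GIT_PUSH_CERT_STATUS variable documented in git-receive-pack(1) is available. The sample certificate embedded for the self-check is the one quoted in the post; the function and ref names are this example's own choices.

```shell
#!/bin/sh
# post-receive hook (added example): archive the push certificate exposed in
# $GIT_PUSH_CERT under refs/push-certs. One commit per signed push; the tree
# holds every certificate seen so far, each stored under its own blob SHA.
# Assumptions: git >= 2.2, bare repo, receive.certNonceSeed configured.

# Print one header field ("pusher", "pushee", "nonce", ...) from certificate
# text on stdin. The header block ends at the first blank line.
cert_field() {
    awk -v f="$1" '
        /^$/ { exit }                              # end of header block
        $1 == f { sub("^" f " ", ""); print; exit }
    '
}

# Print the "<old-sha> <new-sha> <ref>" update lines that follow the header
# and precede the PGP signature.
cert_updates() {
    awk '
        /^-----BEGIN PGP SIGNATURE-----$/ { exit }
        body && NF == 3 { print }
        /^$/ { body = 1 }
    '
}

# True only when receive-pack verified the signature ("G"). B/U/N/E mean a bad,
# untrusted, missing or erroring signature; saving such a cert is still useful
# as evidence, but it must not be treated as proof of who pushed.
cert_is_good() {
    [ "${1:-N}" = "G" ]
}

# Record blob $1 (the cert) with verification status $2 under refs/push-certs.
save_push_cert() {
    blob=$1; status=$2
    cert=$(git cat-file blob "$blob")
    pusher=$(printf '%s\n' "$cert" | cert_field pusher)
    parent=$(git rev-parse -q --verify refs/push-certs 2>/dev/null || true)

    # Build the new tree in a private index so the repo's own index is untouched.
    tmpdir=$(mktemp -d)
    GIT_INDEX_FILE=$tmpdir/index; export GIT_INDEX_FILE
    if [ -n "$parent" ]; then
        git read-tree "$parent"
    else
        git read-tree --empty
    fi
    git update-index --add --cacheinfo 100644 "$blob" "$blob"
    tree=$(git write-tree)
    commit=$(printf 'push cert from %s (status %s)\n\n%s\n' "$pusher" "$status" \
                 "$(printf '%s\n' "$cert" | cert_updates)" |
             git commit-tree "$tree" ${parent:+-p "$parent"})
    # Compare-and-swap on the ref: fails loudly if two pushes race each other.
    git update-ref refs/push-certs "$commit" \
        "${parent:-0000000000000000000000000000000000000000}"
    rm -rf "$tmpdir"
}

# Hook entry point: receive-pack only sets GIT_PUSH_CERT for signed pushes.
if [ -n "${GIT_PUSH_CERT:-}" ]; then
    save_push_cert "$GIT_PUSH_CERT" "${GIT_PUSH_CERT_STATUS:-N}"
fi

# The certificate quoted in the post, embedded here only to exercise the
# parsers when the script is run outside a hook.
SAMPLE_CERT=$(cat <<'EOF'
certificate version 0.1
pusher C O Mitter <comm...@example.com> 1419238097 +0530
pushee /home/glt/b
nonce 1419238097-3cb8bb5a9c717d35982d

f514fc30baacd1283f69d090a320936b52e99e23 56ebf02ec195ddf3a73fad36776da443f5e08beb refs/heads/master
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEABECAAYFAlSX2tEACgkQE7b1Hs3eQw2pTACfYcOy1FztL8U3kERcnlgdEnpn
ZVIAoOJKbizf+hw/1LmoImNcciNmhGbH
=K95F
-----END PGP SIGNATURE-----
EOF
)
```

Two points a practitioner should keep in mind when deploying something like this. First, archiving a certificate is not the same as verifying it: the hook above stores every certificate regardless of GIT_PUSH_CERT_STATUS and only records the status in the commit message, so if unsigned or badly signed pushes are to be rejected, that check belongs in pre-receive (where a non-zero exit still refuses the update), not post-receive. Second, the nonce in the certificate is what ties the signature to this server and this push; git reports its check in GIT_PUSH_CERT_NONCE_STATUS, and a policy that only looks at the PGP status without the nonce status is open to replaying a valid certificate against another repository.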