Re: git signed push server-side
- Date: Fri, 25 Aug 2017 18:01:19 -0700
- From: Junio C Hamano <gitster@xxxxxxxxx>
- Subject: Re: git signed push server-side
Jonathan Nieder <jrnieder@xxxxxxxxx> writes:
> +Dave Borowitz, who implemented push cert handling in JGit and Gerrit
> Hi Ian,
> Ian Jackson wrote:
>> I have been investigating git signed pushes. I found a number of
>> infelicities in the server side implementation which make using this
>> in practice rather difficult. I'm emailing here (before writing
>> patches) to see what people think of my proposed changes.
>> 1. PUSH_CERT_KEY has truncated keyid (Debian #852647)
>> I see this:
>> There is almost no purpose for which this 64-bit keyid can be safely
>> used. The full key fingerprint should be provided instead.
>> Proposed change: provide the full fingerprint instead. Do this
>> for every caller of gpg-interface.c.
> Sounds sane.
I probably should react a bit stronger against that "instead", as
Ian will not be writing the world's first server side hook that uses
this interface. A different variable that lets you read the full
length "in addition" I wouldn't have a problem with, as existing
scripts will continue working the same way if you did so.
But on the other hand, the value of this environment is not meant to
be used to make decision by the hook anyway, so it perhaps is OK to
change it in a backward incompatible way to break those who have
been using the value for any serious purpose.
The purpose of the signed push is not to replace authentication and
authorization. The primary goal behind the signed push mechanism is
to allow server side hook to implement a way to store these certs in
the order it receives without losing them, and that gives a way for
the server operators to protect against claims that they are showing
what the pusher did not intend to publish. They can say "the tip of
these branches are at this commit, because, see this, a signed cert
by the pusher asking us to put these commits at these branches" with
such a mechanism---as opposed to "we authenticated the user and here
is our server log that says that user pushed to update these refs",
which is much weaker claim that they can make without the signed