diff options
| author | Junio C Hamano <gitster@pobox.com> | 2014-08-14 15:59:21 -0700 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2014-09-15 13:23:28 -0700 |
| commit | d05b9618ce42e85936176537f939a4eb85d4d65e (patch) | |
| tree | 729f418364ffd20640fe5da3159e6c673c0c2769 /Documentation/git-receive-pack.txt | |
| parent | a85b377d0419a9dfaca8af2320cc33b051cbed04 (diff) | |
| download | git-d05b9618ce42e85936176537f939a4eb85d4d65e.tar.gz | |
receive-pack: GPG-validate push certificates
Reusing the GPG signature check helpers we already have, verify
the signature in receive-pack and give the results to the hooks
via GIT_PUSH_CERT_{SIGNER,KEY,STATUS} environment variables.
Policy decisions, such as accepting or rejecting a good signature by
a key that is not fully trusted, is left to the hook and kept
outside of the core.
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'Documentation/git-receive-pack.txt')
| -rw-r--r-- | Documentation/git-receive-pack.txt | 24 |
1 files changed, 19 insertions, 5 deletions
diff --git a/Documentation/git-receive-pack.txt b/Documentation/git-receive-pack.txt index a2dd74376c..e6df234926 100644 --- a/Documentation/git-receive-pack.txt +++ b/Documentation/git-receive-pack.txt @@ -56,7 +56,21 @@ sha1-old and sha1-new should be valid objects in the repository. When accepting a signed push (see linkgit:git-push[1]), the signed push certificate is stored in a blob and an environment variable `GIT_PUSH_CERT` can be consulted for its object name. See the -description of `post-receive` hook for an example. +description of `post-receive` hook for an example. In addition, the +certificate is verified using GPG and the result is exported with +the following environment variables: + +`GIT_PUSH_CERT_SIGNER`:: + The name and the e-mail address of the owner of the key that + signed the push certificate. + +`GIT_PUSH_CERT_KEY`:: + The GPG key ID of the key that signed the push certificate. + +`GIT_PUSH_CERT_STATUS`:: + The status of GPG verification of the push certificate, + using the same mnemonic as used in `%G?` format of `git log` + family of commands (see linkgit:git-log[1]). This hook is called before any refname is updated and before any fast-forward checks are performed. @@ -106,13 +120,13 @@ the update. Refs that were created will have sha1-old equal to 0\{40}, otherwise sha1-old and sha1-new should be valid objects in the repository. -The `GIT_PUSH_CERT` environment variable can be inspected, just as +The `GIT_PUSH_CERT*` environment variables can be inspected, just as in `pre-receive` hook, after accepting a signed push. Using this hook, it is easy to generate mails describing the updates to the repository. This example script sends one mail message per ref listing the commits pushed to the repository, and logs the push -certificates of signed pushes to a logger +certificates of signed pushes with good signatures to a logger service: #!/bin/sh @@ -130,11 +144,11 @@ service: mail -s "Changes to ref $ref" commit-list@mydomain done # log signed push certificate, if any - if test -n "${GIT_PUSH_CERT-}" + if test -n "${GIT_PUSH_CERT-}" && test ${GIT_PUSH_CERT_STATUS} = G then ( git cat-file blob ${GIT_PUSH_CERT} - ) | mail -s "push certificate" push-log@mydomain + ) | mail -s "push certificate from $GIT_PUSH_CERT_SIGNER" push-log@mydomain fi exit 0 |