unofficial mirror of bug-guix@gnu.org 
From: Mike Gerwitz <INVALID.NOREPLY@gnu.org>
To: "Bob Proulx" <bob@proulx.com>, "Ludovic Courtès" <ludo@gnu.org>,
	22883@debbugs.gnu.org, savannah-help-public@gnu.org
Subject: bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories
Date: Sun,  7 Aug 2016 05:53:39 +0000 (UTC)
Message-ID: <20160807-015339.sv88130.30875@savannah.gnu.org>
In-Reply-To: <20160725-110023.sv15145.28291@savannah.gnu.org>

Follow-up Comment #4, sr #109104 (project administration):

Unfortunately, this hook can be easily defeated.  Here's some example output
from the current tip of master:


$ git cat-file -p HEAD
tree c65e675351fe76b2630df24eddcb2449774eb344
parent e87c7ec2de815f05d7a84e2792e2da700bb26a38
author Leo Famulari <leo@famulari.name> 1470169005 -0400
committer Leo Famulari <leo@famulari.name> 1470538536 -0400
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJXpqMoAAoJECZG+jC6yn8Ihn8P+wfUhS5HOL7181KC8ZRdTFC5
 5XjavRq/08LJzO2mxer1r5oVcWYuZAvnPKZltO1vdIp0ncvU40c4nmaNpQiB/w6B
 8slSkqBsoCVE7GEKHoAWju7Rwwlqw4fUSgDWw5JpJ/3S2PhRj+tvy8o/wCeBEwTL
 c90yivRmpKZcdcRgSPHqhHhMJ7lIJxbvHKlb30SPz9vdQTj13EUeeyyJQc/7lu7D
 kUiUu9MOjC3o8dPE8E7otMnD51xfj8SNvs5h7cZAMByS0Qk06RwK+O5POkBlXUMV
 lVxgPJsC7LfqJJ/VGLb5uOIoXMUCGV3mzdDXA+Pe+xvTTGOT+8rNsPl7kwxAGYqC
 vPVrY1dC6CzRX8/7etvb99UHf2nx0NbYRAvetZzh9j6WBbMqGBgHMndRh6i6Y7Fl
 BioG+J22sXCQjf3ydRvjd8cznlfvBCTqo9zSqeoG7Ha/qSh1pX16KAUxLi1YGzK6
 I79iqOEvpoxwS/9Ym+GB+4rLTimqhtDKN7v3XaQudJ8t6hMlGi+pqjiLhNI8q2c9
 dd3RthLu+Zom4duwnGo0BJEVC+CDLYGcdiwCKOpLaI9KtQbCv6useALPBk5RKPHr
 pE1Y7nTmBw7Rxl2GuaNOH9x5cHOuULfWW+HLm3JSwTjD4cpAxnFDP7qYINSo7XGR
 HGWK/43B5syf6FhZws8N
 =h+H0
 -----END PGP SIGNATURE-----

gnu: Add python-pythondialog.

* gnu/packages/python.scm (python-pythondialog): New variable.
(python2-pythondialog): Inherit from PYTHON-PYTHONDIALOG.

Co-authored-by: Vincent Legoll <vincent.legoll@idgrilles.fr>


The hook currently greps for `^gpgsig '.  It will indeed find a GPG signature
if it exists, but to circumvent it, an attacker need only put `gpgsig' in the
commit message at column 0---the commit messages aren't indented in the
output.

You can replace the entire loop in the hook with this:


git log --pretty='%GK %h %s' "$rev_old^..$rev_new" \
  | awk '/^ / {
           e=1
           print "error: missing signature:" $0 > "/dev/stderr"
         }
         END { exit e }'


If the commit is not signed, then `%GK` (GPG key id) will yield an empty
string.

Here's some example output (run with HEAD~15..):


error: missing signature: 7ccb874 gnu: zsh: Move to shells.scm.
error: missing signature: 7977d76 Update NEWS.


    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?109104>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
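An added example (not part of the message above, and not the Savannah hook or any Guix project code): a complete update hook built on the same idea as the awk one-liner in the message. It asks git log for the %G? signature status next to %GK, separates the fields with tabs (%x09) so that a commit subject can never be read as a signature field, and handles the all-zero revisions Git passes for ref creation and deletion. Function and variable names are my own. It assumes the server's git user has the committers' public keys in its GPG keyring; without them %G? reports E (cannot check) for every commit and every push is rejected.

```shell
#!/bin/sh
# Example Git 'update' hook (illustration only; not the Savannah hook).
# It rejects a ref update if any newly pushed commit lacks a GPG signature
# that git reports as good.  Git invokes an update hook as:
#     update <refname> <old-rev> <new-rev>
# Assumption: the signing keys are in the git user's GPG keyring, so %G?
# can yield G/U rather than E.

ZERO_REV=0000000000000000000000000000000000000000

# check_signature_lines: reads, on stdin, one commit per line in the form
#     <%G?> TAB <%GK> TAB <%h> TAB <%s>
# i.e. signature status, signing key id, abbreviated hash, subject.
# %G? is G (good), U (good, untrusted key), B (bad), E (cannot be checked,
# e.g. key missing), X/Y/R (expired/revoked) or N (no signature).  Testing
# %G? rather than only "is %GK non-empty" also catches bad and
# unverifiable signatures.  Prints one error per offending commit on
# stderr; exit status is 1 if any commit failed, 0 otherwise, so empty
# input passes.
check_signature_lines() {
  awk '
    BEGIN { FS = "\t"; bad = 0 }
    $1 != "G" && $1 != "U" {
      bad = 1
      if ($1 == "N")
        printf "error: missing signature: %s %s\n", $3, $4 > "/dev/stderr"
      else
        printf "error: signature status %s (key %s): %s %s\n", \
               $1, $2, $3, $4 > "/dev/stderr"
    }
    END { exit bad }'
}

# check_ref_update <refname> <old-rev> <new-rev>: the hook body.  Lists the
# commits that become reachable through this update and runs them through
# check_signature_lines.  The refname is not needed for the check.
check_ref_update() {
  rev_old=$2
  rev_new=$3

  # Deleting a ref introduces no commits; nothing to verify.
  if [ "$rev_new" = "$ZERO_REV" ]; then
    return 0
  fi

  if [ "$rev_old" = "$ZERO_REV" ]; then
    # New ref: check only commits not already reachable from an existing
    # ref.  In an update hook the ref has not been written yet, so --all
    # does not include $rev_new.
    range="$rev_new --not --all"
  else
    range="$rev_old..$rev_new"
  fi

  # Tab-separated fields (%x09 is a literal tab).  A tab cannot occur in a
  # status, key id or hash, and the subject is the last field, so text such
  # as "gpgsig" inside a commit message cannot masquerade as a signature.
  # shellcheck disable=SC2086  # $range is meant to split into arguments
  commits=$(git log --pretty='tformat:%G?%x09%GK%x09%h%x09%s' $range) \
    || return 1          # git itself failed: refuse the update
  if [ -z "$commits" ]; then
    return 0             # no new commits (e.g. fast-forward to a known one)
  fi
  printf '%s\n' "$commits" | check_signature_lines
}

# Git passes exactly three arguments when it runs this file as the hook;
# when the file is sourced for testing it passes none.
if [ "$#" -eq 3 ]; then
  check_ref_update "$1" "$2" "$3"
fi
```

Install it as hooks/update in the bare repository and make it executable; Git runs it once per pushed ref and a non-zero exit refuses that ref. Looking at %G? rather than only at whether %GK is empty matters because git also fills %GK in for a signature that fails verification (status B) or whose key is not available (E); such a push should be refused just like an unsigned one.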


Thread overview: 6+ messages
2016-07-24 22:09 bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories Ludovic Courtès
2016-07-24 22:51 ` Bob Proulx
2016-07-24 22:57   ` Bob Proulx
2016-07-25  9:00     ` Ludovic Courtès
2016-08-07  5:53       ` Mike Gerwitz [this message]
2016-08-17  9:38         ` Ludovic Courtès
