From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mike Gerwitz
Subject: bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories
Date: Sun, 7 Aug 2016 05:53:39 +0000 (UTC)
Message-ID: <20160807-015339.sv88130.30875@savannah.gnu.org>
References: <20160725-000945.sv15145.13702@savannah.gnu.org>
 <20160725-055142.sv744.4261@savannah.gnu.org>
 <20160725-055748.sv744.57487@savannah.gnu.org>
 <20160725-110023.sv15145.28291@savannah.gnu.org>
In-Reply-To: <20160725-110023.sv15145.28291@savannah.gnu.org>
To: Bob Proulx, Ludovic Courtès, 22883@debbugs.gnu.org,
 savannah-help-public@gnu.org
List-Id: Bug reports for GNU Guix

Follow-up Comment #4, sr #109104 (project administration):

Unfortunately, this hook can be easily defeated.
Here's some example output from the current tip of master:

$ git cat-file -p HEAD
tree c65e675351fe76b2630df24eddcb2449774eb344
parent e87c7ec2de815f05d7a84e2792e2da700bb26a38
author Leo Famulari 1470169005 -0400
committer Leo Famulari 1470538536 -0400
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJXpqMoAAoJECZG+jC6yn8Ihn8P+wfUhS5HOL7181KC8ZRdTFC5
 5XjavRq/08LJzO2mxer1r5oVcWYuZAvnPKZltO1vdIp0ncvU40c4nmaNpQiB/w6B
 8slSkqBsoCVE7GEKHoAWju7Rwwlqw4fUSgDWw5JpJ/3S2PhRj+tvy8o/wCeBEwTL
 c90yivRmpKZcdcRgSPHqhHhMJ7lIJxbvHKlb30SPz9vdQTj13EUeeyyJQc/7lu7D
 kUiUu9MOjC3o8dPE8E7otMnD51xfj8SNvs5h7cZAMByS0Qk06RwK+O5POkBlXUMV
 lVxgPJsC7LfqJJ/VGLb5uOIoXMUCGV3mzdDXA+Pe+xvTTGOT+8rNsPl7kwxAGYqC
 vPVrY1dC6CzRX8/7etvb99UHf2nx0NbYRAvetZzh9j6WBbMqGBgHMndRh6i6Y7Fl
 BioG+J22sXCQjf3ydRvjd8cznlfvBCTqo9zSqeoG7Ha/qSh1pX16KAUxLi1YGzK6
 I79iqOEvpoxwS/9Ym+GB+4rLTimqhtDKN7v3XaQudJ8t6hMlGi+pqjiLhNI8q2c9
 dd3RthLu+Zom4duwnGo0BJEVC+CDLYGcdiwCKOpLaI9KtQbCv6useALPBk5RKPHr
 pE1Y7nTmBw7Rxl2GuaNOH9x5cHOuULfWW+HLm3JSwTjD4cpAxnFDP7qYINSo7XGR
 HGWK/43B5syf6FhZws8N
 =h+H0
 -----END PGP SIGNATURE-----

gnu: Add python-pythondialog.

* gnu/packages/python.scm (python-pythondialog): New variable.
(python2-pythondialog): Inherit from PYTHON-PYTHONDIALOG.

Co-authored-by: Vincent Legoll

The hook currently greps for `^gpgsig '.  It will indeed find a GPG
signature if it exists, but to circumvent it, an attacker need only put
`gpgsig' in the commit message at column 0---the commit messages aren't
indented in the output.

You can replace the entire loop in the hook with this:

git log --pretty='%GK %h %s' "$rev_old^..$rev_new" \
  | awk '/^ / {
           e=1
           print "error: missing signature:" $0 > "/dev/stderr"
         }
         END { exit e }'

If the commit is not signed, then `%GK` (GPG key id) will yield an empty
string.  Here's some example output (run with HEAD~15..):

error: missing signature: 7ccb874 gnu: zsh: Move to shells.scm.
error: missing signature: 7977d76 Update NEWS.
_______________________________________________________

Reply to this item at:

_______________________________________________

Message sent via/by Savannah
http://savannah.gnu.org/
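The following is an added example, not code from the Savannah thread or from the Guix update hook itself. It shows, on constructed input, why a whole-object grep for `^gpgsig ` is bypassable and what a check that respects the commit object's header/body boundary looks like, and it runs the thread's `%GK`-style filter over a constructed sample of `git log --pretty='%GK %h %s'` output. The commit objects, hashes, author name and signature data are fabricated stand-ins for `git cat-file -p` output, and the function names (`naive_check`, `header_check`, `missing_signatures`) are this example's own. It assumes only POSIX sh, awk and grep; no git repository is needed.

```shell
#!/bin/sh
# Added example (not from the thread): grep over a whole commit object vs. a
# header-aware check, plus the %GK-based filter the thread proposes.
# All commit objects and log lines below are CONSTRUCTED; hashes are fake.

# A legitimately signed commit as `git cat-file -p` would print it: the
# gpgsig header sits in the header block, its continuation lines are indented
# by one space, and the first empty line ends the headers.
SIGNED_COMMIT='tree 1111111111111111111111111111111111111111
parent 2222222222222222222222222222222222222222
author A. Developer <dev@example.invalid> 1470169005 -0400
committer A. Developer <dev@example.invalid> 1470538536 -0400
gpgsig -----BEGIN PGP SIGNATURE-----
 FAKESIGNATUREDATA
 -----END PGP SIGNATURE-----

gnu: Add something.
'

# An UNSIGNED commit whose message starts a line with "gpgsig" at column 0.
# Everything after the empty line is message text, not a header.
FORGED_COMMIT='tree 1111111111111111111111111111111111111111
parent 2222222222222222222222222222222222222222
author A. Developer <dev@example.invalid> 1470169005 -0400
committer A. Developer <dev@example.invalid> 1470538536 -0400

gpgsig this line is commit message text, not a header
'

# The check the thread describes: grep the whole object for "^gpgsig ".
naive_check() {
    if printf '%s\n' "$1" | grep -q '^gpgsig '; then
        echo signed
    else
        echo unsigned
    fi
}

# Header-aware check: stop at the first empty line (end of the header block)
# and only count a gpgsig line found before it.  Note this still only proves
# a signature header is PRESENT; validity needs git's own verification, which
# is what the %GK placeholder in the thread relies on.
header_check() {
    printf '%s\n' "$1" | awk '
        /^$/ { exit }              # empty line terminates the headers
        /^gpgsig / { found = 1 }   # gpgsig header seen inside the header block
        END { print (found ? "signed" : "unsigned") }'
}

# Constructed sample of `git log --pretty="%GK %h %s"` output: an unsigned
# commit has an empty %GK, so its line begins with a space.
LOG_SAMPLE='0123456789ABCDEF 7ccb874 gnu: zsh: Move to shells.scm.
 7977d76 Update NEWS.
0123456789ABCDEF a1b2c3d gnu: Add python-pythondialog.'

# Mirror of the awk filter from the thread: print every line starting with a
# space and exit non-zero if any was seen.  Output goes to stdout here (the
# thread writes to /dev/stderr) so a caller can capture it.
missing_signatures() {
    printf '%s\n' "$1" | awk '
        /^ / { e = 1; print "error: missing signature:" $0 }
        END { exit e }'
}

# Stand-alone demonstration (guarded so a non-zero return does not abort
# under `set -e`).
echo "naive_check  signed commit: $(naive_check "$SIGNED_COMMIT")"
echo "naive_check  forged commit: $(naive_check "$FORGED_COMMIT")"
echo "header_check signed commit: $(header_check "$SIGNED_COMMIT")"
echo "header_check forged commit: $(header_check "$FORGED_COMMIT")"
missing_signatures "$LOG_SAMPLE" || echo "hook would reject this push"
```

Running it prints `signed` for the forged commit under `naive_check` and `unsigned` under `header_check`, and the `%GK` filter reports only the `7977d76` line and returns non-zero, which is the exit status an update hook needs to refuse the push.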