2013-02-14 01:00:00 +01:00
|
|
|
# git-remote-gcrypt
|
2013-02-14 01:00:00 +01:00
|
|
|
# Copyright 2013 by Ulrik Sverdrup
|
2013-02-14 01:00:00 +01:00
|
|
|
# License: GPLv2 or any later version, see http://www.gnu.org/licenses/
|
2013-02-14 01:00:00 +01:00
|
|
|
# Use GnuPG to use encrypted git remotes
|
|
|
|
|
|
|
|
|
|
WARNING: This is a proof of concept
|
|
|
|
|
WARNING: Repository format WILL change, incompatibly
|
|
|
|
|
|
|
|
|
|
INTRODUCTION
|
2013-02-14 01:00:00 +01:00
|
|
|
|
2013-02-14 01:00:00 +01:00
|
|
|
Install as `git-remote-gcrypt` in $PATH
|
2013-02-14 01:00:00 +01:00
|
|
|
|
2013-02-14 01:00:00 +01:00
|
|
|
Supports local, ssh:// and sftp:// remotes at the moment,
|
|
|
|
|
as well as the special gitception://<giturl> remote type::
|
2013-02-14 01:00:00 +01:00
|
|
|
|
|
|
|
|
git config --global gcrypt.recipients KEYID1
|
2013-02-14 01:00:00 +01:00
|
|
|
git remote add gcryptrepo gcrypt::ssh://hostname.com:MyNewRepo
|
2013-02-14 01:00:00 +01:00
|
|
|
( or maybe:
|
2013-02-14 01:00:00 +01:00
|
|
|
git remote add gcryptrepo gcrypt::gitception://git://host.com/repo.git
|
|
|
|
|
)
|
2013-02-14 01:00:00 +01:00
|
|
|
git push --all gcryptrepo
|
2013-02-14 01:00:00 +01:00
|
|
|
|
2013-02-14 01:00:00 +01:00
|
|
|
CONFIGURATION
|
|
|
|
|
|
2013-02-14 01:00:00 +01:00
|
|
|
* You must set up a small gpg keyring for the repository::
|
2013-02-14 01:00:00 +01:00
|
|
|
|
2013-02-14 01:00:00 +01:00
|
|
|
gpg --export KEYID1 > <path-to-keyring>
|
|
|
|
|
git config gcrypt.keyring <path-to-keyring>
|
|
|
|
|
|
|
|
|
|
New repositories will be created to allow access for the keys in
|
|
|
|
|
`gcrypt.keyring`. The keyring is used to verify the authenticity of the
|
|
|
|
|
repository when it is read or written to.
|
|
|
|
|
|
|
|
|
|
* Set `git config gcrypt.signmanifest 1` to also sign the manifest (the
|
|
|
|
|
list of branches and packfiles) when pushing.
|
|
|
|
|
* Set `git config gcrypt.requiresign 1` to fail and stop if no valid
|
|
|
|
|
signature is found on the manifest.
|
2013-02-14 01:00:00 +01:00
|
|
|
|
|
|
|
|
* NOTE: We use the users gnupg configuration for cipher-algo and so on!
|
|
|
|
|
Configure your gnupg to use a strong crypto -- see `man gpg`.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
REPOSITORY FORMAT
|
|
|
|
|
|
2013-02-14 01:00:00 +01:00
|
|
|
* masterkey is first signed, then encrypted using `gpg -e` with hidden
|
|
|
|
|
recipients
|
|
|
|
|
* manifest contains the branches and the list of packfiles
|
2013-02-14 01:00:00 +01:00
|
|
|
|
|
|
|
|
$ cd MyCryptedRemote
|
|
|
|
|
$ ls
|
|
|
|
|
-rw-- 11K 00ef27cc2c5b76365e1a46479ed7429e16572c543cdff0a8bf745c7c
|
|
|
|
|
-rw-- 41K b934d8d6c0f48e71b9d7a4d5ea56f024a9bed4f6f2c6f8e688695bee
|
|
|
|
|
-rw-- 577 manifest
|
|
|
|
|
-rw-- 495 masterkey
|
|
|
|
|
|
|
|
|
|
$ gpg -d masterkey | gpg --passphrase-fd 0 -d manifest
|
|
|
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
2013-02-14 01:00:00 +01:00
|
|
|
Hash: SHA512
|
2013-02-14 01:00:00 +01:00
|
|
|
|
|
|
|
|
b4a4a39365d19282810c19d0f3f24d04dd2d179f refs/tags/something
|
|
|
|
|
1d323ddadf4cf1d80fced447e637ab3766b168b7 refs/heads/master
|
|
|
|
|
pack :SHA224:00ef27cc2c5b76365e1a46479ed7429e16572c543cdff0a8bf745c7c
|
|
|
|
|
pack :SHA224:b934d8d6c0f48e71b9d7a4d5ea56f024a9bed4f6f2c6f8e688695bee
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
|
Version: GnuPG v1.4.12 (GNU/Linux)
|
|
|
|
|
|
|
|
|
|
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
|
|
|
|
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
|
|
|
|
XXXXX
|
|
|
|
|
-----END PGP SIGNATURE-----
|
|
|
|
|
|
