Use manifest file for master key, branches and packs (REPO FORMAT CHANGE)

2013-02-14 00:00:00 +00:00 · 2013-02-14 00:00:00 +00:00 · 1518e3619e
commit 1518e3619e
parent 0a722b2493
2 changed files with 112 additions and 165 deletions
--- a/56
+++ b/56
@ -39,28 +39,23 @@ CONFIGURATION
 + NOTE: We use the user's gnupg configuration for `cipher-algo` and so on!
         Configure your gnupg to use strong crypto -- see `man gpg`.
 + Set `git config gcrypt.signmanifest 1` to also sign the manifest (the
   list of branches and packfiles) when pushing. This is optional and
   using signed git tags might be an alternative.
 + Set `git config gcrypt.requiresign 1` to fail and stop if no valid
   signature is found on the manifest.
 REPOSITORY FORMAT
- + The masterkey is first signed, then encrypted using `gpg -e` with
+ + The manifest is signed+encrypted using `gpg -se` (with hidden recipients)
-   hidden recipients and stored on the remote.
+   and stored on the remote.
- + The manifest contains the list of branches and packfiles, and an
+ + The manifest contains the list of branches and packfiles.
   optional signature
    $ cd MyCryptedRemote
    $ ls 
-    -rw--  11K 00ef27cc2c5b76365e1a46479ed7429e16572c543cdff0a8bf745c7c
+    -rw-- 11K 00ef27cc2c5b76365e1a46479ed7429e16572c543cdff0a8bf745c7c
-    -rw--  41K b934d8d6c0f48e71b9d7a4d5ea56f024a9bed4f6f2c6f8e688695bee
+    -rw-- 41K b934d8d6c0f48e71b9d7a4d5ea56f024a9bed4f6f2c6f8e688695bee
-    -rw--  577 manifest
+    -rw-- 577 manifest
    -rw-- 1.3K masterkey
-    $ gpg -d masterkey | gpg -d | gpg --passphrase-fd 0 -d manifest
+    $ gpg -d manifest
    T+pCUr/1FxbBC93ABIiIgG36EgqaxvgdNYjdmRSueGkgGETc4Qs7di+/yIsq2R5GysiqFaR0 \
    bGSWf9omsoAH84hmED/kR/ZQiOGT/vg2Pg7CGI0xzdlW9GQjeFBAo4vsDDDBxrn5L7F9E532 \
    LOnnPLSIZD7BpmyY/oZiXoP5Vlw=
    b4a4a39365d19282810c19d0f3f24d04dd2d179f refs/tags/something
    1d323ddadf4cf1d80fced447e637ab3766b168b7 refs/heads/master
    pack :SHA224:00ef27cc2c5b76365e1a46479ed7429e16572c543cdff0a8bf745c7c
@ -69,21 +64,24 @@ REPOSITORY FORMAT
 + Protocol sketch
-   gpg -c is symmetric encryption, for example AES
+   EncSign(X) is sign+encrypting to a PGP key holder
-   gpg -e is encrypting to a PGP key holder
+   Encrypt(K,X) is symmetric encryption
   gpg -s adds a signature
-   master key M, generated once, 128 bytes
+   K: master key, generated once, 128 bytes
-   file `masterkey' contains   cat M | gpg -s | gpg -e > `masterkey'
+   B: branch list
-   manifest and packfiles are encrypted    cat FILE | gpg -c --passphrase M
+   L: list of packfiles and hashes
   Store Manifest as EncSign(K || B || L)
   Each packfile P is stored as P' = Encrypt(K,P) and named SHA224(P')
   L is the list of names of P'.
   To read repository
   decrypt  cat `masterkey' | gpg -d | gpg --verify > M
   decrypt  cat FILE.crypt  | gpg -d --passphrase M
-   The masterkey is decrypted and its signature is verified before
+   To read the repository
-   reading or writing of any other file. Only packs mentioned in `manifest`
+
-   are downloaded.
+   decrypt+verify Manifest using private key -> (K, B, L)
-   Pack hashes are verified when fetched. The filename is simply the hash
+   for each packfile P' in L:
-   of the packfile.
+       verify  P' matches its hash
       decrypt P' using K -> P -> open P with git
   Only packs mentioned in L are downloaded.
--- a/221
+++ b/221
@ -9,22 +9,12 @@
 #set -x
 set -e
 genkey()
 {
 	gpg --armor --gen-rand 1 128 | tr -d \\n
 }
 pack_hash()
 {
 	local HASH=$(gpg --with-colons --print-md SHA224 | tr A-F a-f)
 	HASH=${HASH#:*:}; printf "%s" "${HASH%:}"
 }
 LOCALDIR="${GIT_DIR:-.git}/remote-gcrypt"
 DID_FIND_REPO=  # yes for connected, no for no repo
-PACKPFX="pack :SHA224:"
+LOCALDIR="${GIT_DIR:-.git}/remote-gcrypt"
 export GITCEPTION="$GITCEPTION+" # Reuse $GREF except when stacked
-GREF="refs/gcrypt/gitception.$GITCEPTION"
+GREF="refs/gcrypt/gitception$GITCEPTION"
 MANIFESTFILE=5e4a937219be20f8a9a16ae7b35a83db0c16ce501d27b231dbad6586
 PACKPFX="pack :SHA224:"
 isurl() { test -z "${2%%$1://*}" ; }
@ -74,9 +64,9 @@ update_tree()
 # depends on previous GET to set $GREF and depends on PUT_FINAL later
 gitception_put()
 {
-	OBJID=$(git hash-object -w --stdin) && \
+	OBJID=$(git hash-object -w --stdin) &&
 		TREEID=$(update_tree "$GREF" "$2" "$OBJID") &&
-		COMMITID=$(anon_commit "$TREEID" -m "x") && \
+		COMMITID=$(anon_commit "$TREEID" -m "x") &&
 		git update-ref "$GREF" "$COMMITID"
 }
 ## end gitception
@ -157,59 +147,53 @@ CLEAN_FINAL()
 ENCRYPT()
 {
-	# Security protocol:
+	(printf "%s" "$MASTERKEY" |
 	# Symmetric encryption using the long MASTERKEY.
 	(printf "%s" "$MASTERKEY" | \
 		gpg --batch --force-mdc --compress-algo none \
 			--passphrase-fd 0 --output - -c /dev/fd/3) 3<&0
 }
 DECRYPT()
 {
-	(printf "%s" "$MASTERKEY" | \
+	(printf "%s" "$MASTERKEY" |
 		gpg -q --batch --no-default-keyring --secret-keyring /dev/null \
 			--keyring /dev/null \
 			--passphrase-fd 0 --output - -d /dev/fd/3) 3<&0
 }
-CLEARSIGN()
+# Encrypt to recipients $1
 PRIVENCRYPT()
 {
-	if [ "$CONF_SIGN_MANIFEST" = "true" ]
+	gpg --no-default-keyring --keyring "$CONF_KEYRING" \
-	then
+		--compress-algo none -se $1
 		echo_info "Requesting manifest signature for push"
 		gpg --output - --clearsign
 	else
 		cat
 	fi
 }
 # Require both gpg success and status word $1
 gpg_check_status()
 {
 	local STATUS
 	local ARG
 	ARG=$1 ; shift;
 	STATUS=$(gpg --status-fd 3 "$@" 3>&1 1>&4) 4>&1 &&
 		printf "%s" "$STATUS" | grep "^\[GNUPG:\] $ARG " >/dev/null
 }
 VERIFYSIGN()
 {
 	gpg_check_status "GOODSIG" -q --batch --no-default-keyring \
 		--secret-keyring /dev/null --keyring "$CONF_KEYRING" -d
 }
 PRIVDECRYPT()
 {
-	gpg_check_status "ENC_TO" -q -d
+	local STATUS
 	STATUS=$(gpg --no-default-keyring --keyring "$CONF_KEYRING" \
 		--status-fd 3 -q -d 3>&1 1>&4) 4>&1 &&
 	printf "%s" "$STATUS" | grep "^\[GNUPG:\] ENC_TO " >/dev/null &&
 	(printf "%s" "$STATUS" | grep "^\[GNUPG:\] GOODSIG " >/dev/null || {
 		echo_info "Failed to verify manifest signature!" && return 1
 	})
 }
 genkey()
 {
 	gpg --armor --gen-rand 1 128 | tr -d \\n
 }
 pack_hash()
 {
 	local HASH=$(gpg --with-colons --print-md SHA224 | tr A-F a-f)
 	HASH=${HASH#:*:}; printf "%s" "${HASH%:}"
 }
 # Append $2 to $1 with a newline separator
 append()
 {
-	[ -n "$1" ] && printf "%s\n" "$1" || :
+	[ -z "$1" ] || printf "%s\n" "$1" && printf "%s\n" "$2"
 	printf "%s\n" "$2"
 }
 xgrep() { command grep "$@" || : ; }
@ -217,18 +201,12 @@ sort_C() { LC_ALL=C command sort "$@"; }
 tac() { sed '1!G;h;$!d'; }
 echo_info() { echo "gcrypt:" "$@" >&2; }
-make_new_repo()
+check_recipients()
 {
 	# Security protocol:
 	# The MASTERKEY is encrypted to all RECIPIENTS. The key is a long
 	# ascii-encoded string used for symmetric encryption with GnuPG.
 	local RECIPIENTS
 	local KEYSIGN
 	echo_info "Setting up new repository at $URL"
 	RECIPIENTS="$(gpg --no-default-keyring --keyring "$CONF_KEYRING" \
-		--with-colons -k | xgrep ^pub | cut -f5 -d:)"
+		--with-colons -k | xgrep ^pub | cut -f5 -d: | tr '\n' ' ')"
 	# Split recipients by space, example "a b c" =>  -R a -R b -R c
-	RECIPIENTS=$(printf "%s" $RECIPIENTS | sed -e 's/\([^ ]\+\)/-R &/g')
+	RECIPIENTS=$(printf "%s" "$RECIPIENTS" | sed -e 's/\([^ ]\+\)/-R &/g')
 	if [ -z "$RECIPIENTS" ]
 	then
 		echo_info "You must configure a keyring for the repository."
@ -237,94 +215,52 @@ make_new_repo()
 		echo_info "  git config gcrypt.keyring <path-to-keyring>"
 		exit 1
 	fi
 	PUTREPO "$URL"
 	echo_info "Generating master key"
 	echo_info "Requesting master key signature"
 	MASTERKEY="$(genkey)"
 	KEYSIGN=$(printf "%s\n" "$MASTERKEY" | gpg --output - --clearsign)
 	TMPMASTERKEY_ENC="$LOCALDIR/masterenc.$$"
 	trap 'rm -f "$TMPMASTERKEY_ENC"' EXIT
 	echo_info "Encrypting masterkey to \"$RECIPIENTS\""
 	printf "%s" "$KEYSIGN" | gpg --batch --no-default-keyring \
 		--secret-keyring /dev/null --keyring "$CONF_KEYRING" \
 		--compress-algo none -e $RECIPIENTS > "$TMPMASTERKEY_ENC"
 	PUT "$URL" masterkey < "$TMPMASTERKEY_ENC"
 	rm -f "$TMPMASTERKEY_ENC"
 	trap EXIT
 }
-get_masterkey()
+make_new_repo()
 {
-	# The master key and its clearsigned versions are safe to keep
+	echo_info "Setting up new repository at $URL"
-	# as text in variables
+	PUTREPO "$URL"
-	local MASTERKEYDEC
+	echo_info "Generating master key"
-	TMPMASTERKEY_ENC="$LOCALDIR/masterenc.$$"
+	MASTERKEY="$(genkey)"
 	trap 'rm -f "$TMPMASTERKEY_ENC"' EXIT
 	GET "$URL" masterkey 2>/dev/null > "$TMPMASTERKEY_ENC" || return 0
 	MASTERKEYDEC=$(PRIVDECRYPT < "$TMPMASTERKEY_ENC") || {
 		echo_info "Decryption of master key failed!"
 		exit 1
 	}
 	echo_info "Verifying master key signature"
 	printf "%s" "$MASTERKEYDEC" | VERIFYSIGN || {
 		echo_info "Failed to verify master key signature!"
 		echo_info "Using keyring $CONF_KEYRING"
 		if [ "$CONF_KEYRING" = "/dev/null" ] ; then
 		echo_info "Please configure gcrypt.keyring"
 		fi
 		exit 1
 	}
 	rm -f "$TMPMASTERKEY_ENC"
 	trap EXIT
 }
 read_config()
 {
 	CONF_SIGN_MANIFEST=$(git config --bool gcrypt.signmanifest || :)
 	CONF_REQUIRE_SIGN=$(git config --bool gcrypt.requiresign || :)
 	CONF_KEYRING=$(git config --path gcrypt.keyring || printf "/dev/null")
 }
 ensure_connected()
 {
-	local MANIFESTDATA
+	local MANIFEST
 	local STRIPDATA
 	if [ -n "$DID_FIND_REPO" ]
 	then
 		return
 	fi
-	DID_FIND_REPO=yes
+	DID_FIND_REPO=no
 	read_config
-	MASTERKEY="$(get_masterkey)"
+	TMPMANIFEST_ENC="$LOCALDIR/manifest.$$"
-	if [ -z "$MASTERKEY" ]
+	trap 'rm -f "$TMPMANIFEST_ENC"' EXIT
-	then
+	GET "$URL" "$MANIFESTFILE" 2>/dev/null > "$TMPMANIFEST_ENC" || return 0
-		DID_FIND_REPO=no
+
-		return
+	DID_FIND_REPO=yes
-	fi
+	echo_info "Decrypting manifest"
-	MANIFESTDATA="$(GET "$URL" manifest | DECRYPT)"
+	MANIFEST=$(PRIVDECRYPT < "$TMPMANIFEST_ENC") && [ -n "$MANIFEST" ] || {
-	if [ "$CONF_REQUIRE_SIGN" = true -o -z "${MANIFESTDATA##-----BEGIN*}" ]
+		echo_info "Failed to decrypt manifest!"
-	then
+		echo_info "Using keyring $CONF_KEYRING"
-		# Use gpg to verify and strip the signature
+		if [ "$CONF_KEYRING" = "/dev/null" ] ; then
-		echo_info "Verifying manifest signature"
+			echo_info "NOTE: Please configure gcrypt.keyring"
-		STRIPDATA="$(printf "%s" "$MANIFESTDATA" | VERIFYSIGN || {
+		fi
-			echo_info "WARNING: Failed to verify manifest signature"
+		exit 1
-			echo_info "WARNING: Using keyring $CONF_KEYRING"
+	}
-			if [ "$CONF_KEYRING" = "/dev/null" ] ; then
+	rm -f "$TMPMANIFEST_ENC"
-			echo_info "WARNING: Please configure gcrypt.keyring"
+	trap EXIT
-			fi
+	MASTERKEY=$(printf "%s\n" "$MANIFEST" | head -n 1)
-			if [ "$CONF_REQUIRE_SIGN" = "true" ] ; then
+	BRANCHLIST=$(printf "%s\n" "$MANIFEST" | xgrep -E '^[0-9a-f]{40} ')
-			echo_info "Exiting per gcrypt.requiresign" && exit 1
+	PACKLIST=$(printf "%s\n" "$MANIFEST" | xgrep "^$PACKPFX")
 			fi
 			}
 		)"
 		[ -n "$STRIPDATA" ] && MANIFESTDATA=$STRIPDATA || :
 	fi
 	[ -n "$MANIFESTDATA" ] || exit 1
 	BRANCHLIST=$(printf "%s\n" "$MANIFESTDATA" | xgrep -E '^[0-9a-f]{40}')
 	PACKLIST=$(printf "%s\n" "$MANIFESTDATA" | xgrep "^$PACKPFX")
 }
 do_capabilities()
@ -392,7 +328,7 @@ do_fetch()
 			echo_info "Packfile $PACK does not match digest!"
 			exit 1
 		fi
-		DECRYPT < "$TMPPACK_ENCRYPTED" | \
+		DECRYPT < "$TMPPACK_ENCRYPTED" |
 			git index-pack -v --stdin >/dev/null
 		# add to local pack list
 		printf "$PACKPFX%s\n" "$PACK">>"$LOCALDIR/have_packs$GITCEPTION"
@ -416,6 +352,7 @@ do_push()
 	local prefix_
 	local suffix_
 	ensure_connected
 	check_recipients
 	if [ "$DID_FIND_REPO" = "no" ]
 	then
@ -439,7 +376,8 @@ do_push()
 		if [ -n "$prefix_" ]
 		then
 			printf "%s " "$prefix_"
-			printf "%s %s\n" "$(git rev-parse "$prefix_")" "$suffix_" >> "$TMPMANIFEST"
+			printf "%s %s\n" "$(git rev-parse "$prefix_")" \
 				"$suffix_" >> "$TMPMANIFEST"
 		# else delete
 		fi
 	done)"
@ -460,12 +398,27 @@ do_push()
 		PUT "$URL" "$PACKID" < "$TMPPACK_ENCRYPTED"
 	fi
-	# Put new manifest
+	rm -f "$TMPPACK_ENCRYPTED"
-	SIGNMANIFEST=$(printf "%s\n%s\n" "$BRANCHLIST" "$PACKLIST" | CLEARSIGN)
+	rm -f "$TMPMANIFEST"
-	printf "%s\n" "$SIGNMANIFEST" | ENCRYPT | PUT "$URL" "manifest"
+	rm -f "$TMPOBJLIST"
 	trap EXIT
 	# Update manifest
 	echo_info "Encrypting manifest to \"$RECIPIENTS\""
 	echo_info "Requesting manifest key signature"
 	TMPMANIFEST_ENC="$LOCALDIR/manifest.$$"
 	trap 'rm -f "$TMPMANIFEST_ENC"' EXIT
 	printf "%s\n%s\n%s\n" "$MASTERKEY" "$BRANCHLIST" "$PACKLIST" |
 		PRIVENCRYPT "$RECIPIENTS" > "$TMPMANIFEST_ENC"
 	PUT "$URL" "$MANIFESTFILE" < "$TMPMANIFEST_ENC"
 	PUT_FINAL "$URL"
 	rm -f "$TMPMANIFEST_ENC"
 	trap EXIT
 	# ok all updates (not deletes)
 	printf "%s\n" "$1" | while read LINE
 	do
@ -479,19 +432,15 @@ do_push()
 		fi
 	done
 	rm -f "$TMPPACK_ENCRYPTED"
 	rm -f "$TMPMANIFEST"
 	rm -f "$TMPOBJLIST"
 	trap EXIT
 	echo 
 }
 # Main program, check $URL is supported
 NAME=$1
 URL=$2
-( isurl ssh "$URL" || isurl sftp "$URL" || isurl gitception "$URL" || \
+( isurl ssh "$URL" || isurl sftp "$URL" ||
-	test -z ${URL##/*} ) || \
+	isurl gitception "$URL" || test -z ${URL##/*} ) || {
-	{ echo_info "Supported URLs: gitception://<giturl>, Absolute path, sftp://, ssh://" ; exit 1 ; }
+	echo_info "Supported URLs: gitception://<giturl>, Absolute path, sftp://, ssh://" && exit 1 ; }
 mkdir -p "$LOCALDIR"