Allow signing of the manifest file, and verifying signatures
This commit is contained in:
parent
8d5da3bc7e
commit
2be10d3dbf
1 changed files with 38 additions and 3 deletions
|
@ -7,6 +7,8 @@
|
||||||
# Requires GnuPG
|
# Requires GnuPG
|
||||||
#
|
#
|
||||||
# We read git config gcrypt.recipients when creating new repositories
|
# We read git config gcrypt.recipients when creating new repositories
|
||||||
|
# git config gcrypt.signmanifest
|
||||||
|
# git config gcrypt.requiresign
|
||||||
|
|
||||||
#set -x
|
#set -x
|
||||||
set -e
|
set -e
|
||||||
|
@ -92,6 +94,17 @@ ENCRYPT()
|
||||||
--passphrase-fd 0 --output - -c /dev/fd/3) 3<&0
|
--passphrase-fd 0 --output - -c /dev/fd/3) 3<&0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
CLEARSIGN()
|
||||||
|
{
|
||||||
|
if [ "$CONF_SIGN_MANIFEST" = "true" ]
|
||||||
|
then
|
||||||
|
echo_info "Signing new manifest"
|
||||||
|
gpg --output - --clearsign
|
||||||
|
else
|
||||||
|
cat
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
DECRYPT()
|
DECRYPT()
|
||||||
{
|
{
|
||||||
(printf "%s" "$MASTERKEY" | \
|
(printf "%s" "$MASTERKEY" | \
|
||||||
|
@ -131,15 +144,24 @@ make_new_repo()
|
||||||
gpg --compress-algo none -e $RECIPIENTS | PUT "$URL" masterkey
|
gpg --compress-algo none -e $RECIPIENTS | PUT "$URL" masterkey
|
||||||
}
|
}
|
||||||
|
|
||||||
|
read_config()
|
||||||
|
{
|
||||||
|
CONF_SIGN_MANIFEST=$(git config --bool gcrypt.signmanifest || :)
|
||||||
|
CONF_REQUIRE_SIGN=$(git config --bool gcrypt.requiresign || :)
|
||||||
|
}
|
||||||
|
|
||||||
ensure_connected()
|
ensure_connected()
|
||||||
{
|
{
|
||||||
local MANIFESTDATA
|
local MANIFESTDATA
|
||||||
|
local STRIPDATA
|
||||||
|
|
||||||
if [ -n "$DID_FIND_REPO" ]
|
if [ -n "$DID_FIND_REPO" ]
|
||||||
then
|
then
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
DID_FIND_REPO=yes
|
DID_FIND_REPO=yes
|
||||||
|
read_config
|
||||||
|
|
||||||
MASTERKEY="$(get_masterkey)"
|
MASTERKEY="$(get_masterkey)"
|
||||||
if [ -z "$MASTERKEY" ]
|
if [ -z "$MASTERKEY" ]
|
||||||
then
|
then
|
||||||
|
@ -147,6 +169,19 @@ ensure_connected()
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
MANIFESTDATA="$(GET_OR_EMPTY "$URL" manifest | DECRYPT)"
|
MANIFESTDATA="$(GET_OR_EMPTY "$URL" manifest | DECRYPT)"
|
||||||
|
if [ -n "$MANIFESTDATA" -a \( "$CONF_REQUIRE_SIGN" = true -o \
|
||||||
|
-z "${MANIFESTDATA##-----BEGIN*}" \) ]
|
||||||
|
then
|
||||||
|
# Use gpg to verify and strip the signature
|
||||||
|
echo_info "Verifying manifest signature"
|
||||||
|
STRIPDATA=$(printf "%s" "$MANIFESTDATA" | gpg || {
|
||||||
|
echo_info "WARNING: Failed to verify signature from $URL"
|
||||||
|
[ "$CONF_REQUIRE_SIGN" = "true" ] && \
|
||||||
|
echo_info "Exiting per gcrypt.requiresign" && exit 1
|
||||||
|
}
|
||||||
|
)
|
||||||
|
[ -n "$STRIPDATA" ] && MANIFESTDATA=$STRIPDATA
|
||||||
|
fi
|
||||||
BRANCHLIST=$(printf "%s\n" "$MANIFESTDATA" | (grep -E '^[0-9a-f]{40}' || :))
|
BRANCHLIST=$(printf "%s\n" "$MANIFESTDATA" | (grep -E '^[0-9a-f]{40}' || :))
|
||||||
PACKLIST=$(printf "%s\n" "$MANIFESTDATA" | (grep '^pack ' || :))
|
PACKLIST=$(printf "%s\n" "$MANIFESTDATA" | (grep '^pack ' || :))
|
||||||
}
|
}
|
||||||
|
@ -239,7 +274,6 @@ do_push()
|
||||||
# The manifest is encrypted.
|
# The manifest is encrypted.
|
||||||
local REMOTEHAS
|
local REMOTEHAS
|
||||||
local REMOTEWANT
|
local REMOTEWANT
|
||||||
local MANIFESTDATA
|
|
||||||
local prefix_
|
local prefix_
|
||||||
local suffix_
|
local suffix_
|
||||||
ensure_connected
|
ensure_connected
|
||||||
|
@ -287,8 +321,9 @@ do_push()
|
||||||
PUT "$URL" "$PACKID" < "$TMPPACK_ENCRYPTED"
|
PUT "$URL" "$PACKID" < "$TMPPACK_ENCRYPTED"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
MANIFESTDATA=$(printf "%s\n%s\n" "$BRANCHLIST" "$PACKLIST")
|
# Put new manifest
|
||||||
printf "%s\n" "$MANIFESTDATA" | ENCRYPT | PUT "$URL" "manifest"
|
printf "%s\n%s\n" "$BRANCHLIST" "$PACKLIST" | \
|
||||||
|
CLEARSIGN | ENCRYPT | PUT "$URL" "manifest"
|
||||||
|
|
||||||
# ok all updates (not deletes)
|
# ok all updates (not deletes)
|
||||||
printf "%s\n" "$1" | while read LINE
|
printf "%s\n" "$1" | while read LINE
|
||||||
|
|
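Review bot: The `exit 1` inside the `$( … )` on the `STRIPDATA=` line only terminates the command substitution's subshell, not the script, so `gcrypt.requiresign` is enforced only indirectly: as far as I can tell the script stops because `set -e` (visible near the top of the file) reacts to the non-zero status of the assignment. The same mechanism appears to fire when `gcrypt.requiresign` is not set, since the `[ … ] && …` list leaves the brace group with status 1, so the "WARNING" path would abort the script too instead of continuing with the unverified manifest as the message suggests. Moving the `|| { … }` outside the substitution and making the exit explicit removes the dependence on `set -e` and makes the two branches behave as documented. Separately, bare `gpg` accepts a good signature from any key in the local keyring and, on a bad or unverifiable signature, may still emit the cleartext, which the following `[ -n "$STRIPDATA" ] && MANIFESTDATA=$STRIPDATA` then uses in the non-required branch; if the manifest is meant to come from a specific signer, that check (e.g. via `--status-fd` output) is still missing. `ensure_connected` begins in an earlier hunk of this file.
```shell
# … unchanged: signed-manifest detection and "Verifying manifest signature" message …
STRIPDATA=$(printf "%s" "$MANIFESTDATA" | gpg) || {
    echo_info "WARNING: Failed to verify signature from $URL"
    if [ "$CONF_REQUIRE_SIGN" = "true" ]
    then
        echo_info "Exiting per gcrypt.requiresign"
        exit 1
    fi
}
[ -n "$STRIPDATA" ] && MANIFESTDATA=$STRIPDATA
```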