jigen/git-remote-gcrypt
1
0
Fork 0
Code Issues 1 Pull requests Releases Wiki Activity

Update README for remote.<name>.gcrypt-participants and default simple mode

Browse source
This commit is contained in:
root 2013-02-14 00:00:00 +00:00
parent 4f04d2d43b
commit 789cb4d7c3
1 changed files with 35 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
README.rst
View file

@ -13,7 +13,7 @@ Description
=========== ===========
Remote helper programs are invoked by git to handle network transport. Remote helper programs are invoked by git to handle network transport.
This helper handles gcrypt:: URLs that will access a remote repository This helper handles `gcrypt::` URLs that will access a remote repository
encrypted with GPG, using our custom format. encrypted with GPG, using our custom format.
Supported locations are `local`, `rsync://` and `sftp://`, where Supported locations are `local`, `rsync://` and `sftp://`, where
@ -29,13 +29,7 @@ bridged over arbitrary git transport.
Quickstart Quickstart
.......... ..........
* Install `git-remote-gcrypt` by running the supplied `install.sh` script. * Install ``git-remote-gcrypt`` by running the supplied ``install.sh`` script.
* Configure the list of participant gpg keys:
::
git config --global gcrypt.participants YOURKEYID
* Create an encrypted remote by pushing to it: * Create an encrypted remote by pushing to it:
@ -49,9 +43,9 @@ Quickstart
> To gcrypt::[...] > To gcrypt::[...]
> * [new branch] master -> master > * [new branch] master -> master
(The generated Repository id is not secret, it only exists to ensure (The generated Repository ID is not secret, it only exists to ensure
that two repositories signed by the same user can be distinguished. that two repositories signed by the same user can be distinguished.
You will see a warning if the remote repository ID changes, which will You will see a warning if the remote Repository ID changes, which will
only happen if the remote was re-created or switched out.) only happen if the remote was re-created or switched out.)
Design Goals Design Goals
@ -65,13 +59,26 @@ evaluate how well we meet this design goal!
Configuration Configuration
============= =============
*gcrypt.participants* The following ``git-config(1)`` variables are supported:
``remote.<name>.gcrypt-participants``
..
``gcrypt.participants``
Space-separated list of GPG key identifiers. The remote is Space-separated list of GPG key identifiers. The remote is
encrypted to these participants and only signatures from these encrypted to these participants and only signatures from these
are accepted. ``gpg -k`` lists all public keys you know. are accepted. ``gpg -k`` lists all public keys you know.
You should set *user.signingkey* if your default signing key is not part When not set we encrypt to your default key and accept any valid
of the participant list. signature. This behavior can also be requested explicitly by
setting participants to ``simple``.
The ``gcrypt-participants`` setting on the remote takes precedence
over the repository variable ``gcrypt.participants``.
``user.signingkey``
(From regular git configuration) The key to use for signing.
You should set ``user.signingkey`` if your default signing key is
not part of the participant list.
The encryption of the manifest is updated for each push. The pusher must The encryption of the manifest is updated for each push. The pusher must
have the public keys of all collaborators. You can commit a keyring to have the public keys of all collaborators. You can commit a keyring to
@ -80,6 +87,9 @@ the repo, further key management features do not yet exist.
GPG configuration applies to public-key encryption, symmetric GPG configuration applies to public-key encryption, symmetric
encryption, and signing. See `man gpg` for more information. encryption, and signing. See `man gpg` for more information.
Environment Variables
=====================
*GCRYPT_FULL_REPACK* *GCRYPT_FULL_REPACK*
This environment variable forces full repack when pushing. This environment variable forces full repack when pushing.
@ -115,7 +125,7 @@ Repository Format
B: branch list B: branch list
L: list of the hash (Hi) and key (Ki) for each packfile L: list of the hash (Hi) and key (Ki) for each packfile
R: repository id R: Repository ID
Store Manifest as EncSign(B || L || R) Store Manifest as EncSign(B || L || R)
Store each packfile P as P' = Encrypt(Ki, P) in filename Hi Store each packfile P as P' = Encrypt(Ki, P) in filename Hi
@ -124,7 +134,7 @@ Repository Format
To read the repository To read the repository
decrypt+verify Manifest using private key -> (B, L, R) decrypt+verify Manifest using private key -> (B, L, R)
warn if R does not match saved repository id for this remote warn if R does not match saved Repository ID for this remote
for Hi, Ki in L: for Hi, Ki in L:
download file Hi from the server -> P' download file Hi from the server -> P'
verify Hash(P') matches Hi verify Hash(P') matches Hi
@ -147,26 +157,20 @@ Manifest file
Each item extends until newline, and matches one of the following forms: Each item extends until newline, and matches one of the following forms:
`[0-9a-f]{40} <gitref>` ``[0-9a-f]{40} <gitref>``
SHA-1 and its git ref SHA-1 and its git ref
`pack :<hashtype>:<hash> <key>` ``pack :<hashtype>:<hash> <key>``
Packfile hash (`Hi`) and corresponding symmetric key (`Ki`). Packfile hash (`Hi`) and corresponding symmetric key (`Ki`).
`keep :<hashtype>:<hash> <generation>` ``keep :<hashtype>:<hash> <generation>``
Packfile hash and its repack generation Packfile hash and its repack generation
`repo :<hashtype>:<hash>` ``repo :<hashtype>:<hash>``
The repository id The repository id
`extn <name> ...` ``extn <name> ...``
Extension field, preserved but unused. Extension field, preserved but unused.
Yet to be Implemented
.....................
+ Some kind of simple keyring management
See Also See Also
======== ========