87 lines
2.8 KiB
Text
87 lines
2.8 KiB
Text
# git-remote-gcrypt
|
|
# Copyright 2013 by Ulrik Sverdrup
|
|
# License: GPLv2 or any later version, see http://www.gnu.org/licenses/
|
|
# Use GnuPG to use encrypted git remotes
|
|
|
|
WARNING: Repository format MAY STILL change, incompatibly
|
|
|
|
INTRODUCTION
|
|
|
|
Install as `git-remote-gcrypt` in $PATH
|
|
|
|
Supports local, ssh:// and sftp:// remotes at the moment,
|
|
as well as the special gitception://<giturl> remote type::
|
|
|
|
git remote add gcryptrepo gcrypt::ssh://hostname.com:MyNewRepo
|
|
( or maybe:
|
|
git remote add gcryptrepo gcrypt::gitception://git://host.com/repo.git
|
|
)
|
|
git push --all gcryptrepo
|
|
|
|
DESIGN GOALS
|
|
|
|
+ Confidential, authenticated git storage and collaboration on any
|
|
untrusted file host or service. The only information we (by necessity)
|
|
leak is the approximate size and timing of updates.
|
|
PLEASE help me evaluate how well we meet this design goal!
|
|
|
|
CONFIGURATION
|
|
|
|
+ You must set up a small gpg keyring for the repository::
|
|
|
|
gpg --export KEYID1 > <path-to-keyring>
|
|
git config gcrypt.keyring <path-to-keyring>
|
|
|
|
New repositories will be set up to allow access for the keys in
|
|
`gcrypt.keyring`. The keyring is used to verify the authenticity of the
|
|
repository when it is read or written to.
|
|
|
|
+ NOTE: We use the user's gnupg configuration for `cipher-algo` and so on!
|
|
Configure your gnupg to use strong crypto -- see `man gpg`.
|
|
|
|
|
|
REPOSITORY FORMAT
|
|
|
|
+ The manifest is signed+encrypted using `gpg -se` (with hidden recipients)
|
|
and stored on the remote.
|
|
+ The manifest contains the list of branches and packfiles.
|
|
|
|
$ cd MyCryptedRemote
|
|
$ ls
|
|
-rw-- 11K 00ef27cc2c5b76365e1a46479ed7429e16572c543cdff0a8bf745c7c
|
|
-rw-- 41K b934d8d6c0f48e71b9d7a4d5ea56f024a9bed4f6f2c6f8e688695bee
|
|
-rw-- 577 manifest
|
|
|
|
$ gpg -d manifest
|
|
T+pCUr/1FxbBC93ABIiIgG36EgqaxvgdNYjdmRSueGkgGETc4Qs7di+/yIsq2R5GysiqFaR0 \
|
|
bGSWf9omsoAH84hmED/kR/ZQiOGT/vg2Pg7CGI0xzdlW9GQjeFBAo4vsDDDBxrn5L7F9E532 \
|
|
LOnnPLSIZD7BpmyY/oZiXoP5Vlw=
|
|
b4a4a39365d19282810c19d0f3f24d04dd2d179f refs/tags/something
|
|
1d323ddadf4cf1d80fced447e637ab3766b168b7 refs/heads/master
|
|
pack :SHA224:00ef27cc2c5b76365e1a46479ed7429e16572c543cdff0a8bf745c7c
|
|
pack :SHA224:b934d8d6c0f48e71b9d7a4d5ea56f024a9bed4f6f2c6f8e688695bee
|
|
|
|
|
|
+ Protocol sketch
|
|
|
|
EncSign(X) is sign+encrypting to a PGP key holder
|
|
Encrypt(K,X) is symmetric encryption
|
|
|
|
K: master key, generated once, 128 bytes
|
|
B: branch list
|
|
L: list of packfiles and hashes
|
|
|
|
Store Manifest as EncSign(K || B || L)
|
|
Each packfile P is stored as P' = Encrypt(K,P) and named SHA224(P')
|
|
L is the list of names of P'.
|
|
|
|
|
|
To read the repository
|
|
|
|
decrypt+verify Manifest using private key -> (K, B, L)
|
|
for each packfile P' in L:
|
|
verify P' matches its hash
|
|
decrypt P' using K -> P -> open P with git
|
|
|
|
Only packs mentioned in L are downloaded.
|
|
|