jigen/git-remote-gcrypt
1
0
Fork 0
Code Issues 1 Pull requests Releases Wiki Activity
No description
37 commits 1 branch 0 tags 151 KiB
Shell 100%
Find a file
root d96f17b02d When decrypting or verifying the master key, check input type 
We rely on gpg to exit with success, but we also check the status output
to verify that the expected action (decrypt with privkey or verify) was
performed.
2013-02-14 00:00:00 +00:00
git-remote-gcrypt When decrypting or verifying the master key, check input type 2013-02-14 00:00:00 +00:00
README README, describe new option gcrypt.keyring 2013-02-14 00:00:00 +00:00

README 

# git-remote-gcrypt
# Copyright 2013  by Ulrik Sverdrup
# License: GPLv2 or any later version, see http://www.gnu.org/licenses/
# Use GnuPG to use encrypted git remotes

WARNING: This is a proof of concept
WARNING: Repository format WILL change, incompatibly

INTRODUCTION

Install as `git-remote-gcrypt` in $PATH

Supports local, ssh:// and sftp:// remotes at the moment,
as well as the special gitception://<giturl> remote type::

    git config --global gcrypt.recipients KEYID1
    git remote add gcryptrepo gcrypt::ssh://hostname.com:MyNewRepo
     ( or maybe:
       git remote add gcryptrepo gcrypt::gitception://git://host.com/repo.git
     )
    git push --all gcryptrepo

CONFIGURATION

 * You must set up a small gpg keyring for the repository::

     gpg --export KEYID1 > <path-to-keyring>
     git config gcrypt.keyring <path-to-keyring>

   New repositories will be created to allow access for the keys in
   `gcrypt.keyring`. The keyring is used to verify the authenticity of the
   repository when it is read or written to.

 * Set `git config gcrypt.signmanifest 1` to also sign the manifest (the
   list of branches and packfiles) when pushing.
 * Set `git config gcrypt.requiresign 1` to fail and stop if no valid
   signature is found on the manifest.
 
 * NOTE: We use the users gnupg configuration for cipher-algo and so on!
         Configure your gnupg to use a strong crypto -- see `man gpg`.


REPOSITORY FORMAT

 * masterkey is first signed, then encrypted using `gpg -e` with hidden
   recipients
 * manifest contains the branches and the list of packfiles

    $ cd MyCryptedRemote
    $ ls 
    -rw-- 11K 00ef27cc2c5b76365e1a46479ed7429e16572c543cdff0a8bf745c7c
    -rw-- 41K b934d8d6c0f48e71b9d7a4d5ea56f024a9bed4f6f2c6f8e688695bee
    -rw-- 577 manifest
    -rw-- 495 masterkey
    
    $ gpg -d masterkey | gpg --passphrase-fd 0 -d manifest 
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512
    
    b4a4a39365d19282810c19d0f3f24d04dd2d179f refs/tags/something
    1d323ddadf4cf1d80fced447e637ab3766b168b7 refs/heads/master
    pack :SHA224:00ef27cc2c5b76365e1a46479ed7429e16572c543cdff0a8bf745c7c
    pack :SHA224:b934d8d6c0f48e71b9d7a4d5ea56f024a9bed4f6f2c6f8e688695bee
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.12 (GNU/Linux)
    
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXX
    -----END PGP SIGNATURE-----