Re: [PATCH] Add a sample hook which saves push certs as notes
Todd Zullinger writes:

> (I also noticed the tests which use $GIT_PUSH_CERT, like t5534, use
> 'cat-file blob ...' rather than 'cat-file -p ...'. I don't know if
> that's much safer/better than letting cat-file guess the object type
> in the hook.

The '-p' option is meant for human consumption and we promise that
the output from it _will_ change if it makes sense at the UI level.
In a script like this, you do care about the exact byte sequence.
So that is a more important reason why you should say "blob" not "-p".

>> +# Verify that the ref update matches that in push certificate.
>> +if [[ $push_cert == *$oval" "$nval" "$ref* ]]; then

I am not sure what this expression is trying to do in the first place.
The contents of the push certificate blob may contain these three
values, but has a lot more than that.

A post-receive is run after all the receive processing is done, so its
failing cannot abort the transfer.

I wonder how an almost simultaneous push to a same ref, that would not
fail normally without this new hook script, would behave. One receive
updates the tip from A to B and then starts running this script, while
the other receive updates the tip from B to C and then starts running
another copy of the script. They both want to update the notes database
but there can be only one winner in the race for its tip. What happens
then? Don't we need to be running a script like this from a hook
mechanism that runs under a lock or something?
Re: [PATCH] Add a sample hook which saves push certs as notes
Hi Shikher,

I'm not familiar with push certs, but I did notice some general
issues in the sample hook. I hope they're helpful.

Shikher Verma wrote:
> index 0..b4366e43f
> --- /dev/null
> +++ b/templates/hooks--post-receive.sample
> +#!/bin/sh
...
> +if test -z GIT_PUSH_CERT ; then
> +exit 0
> +fi

The $ is missing from GIT_PUSH_CERT. test -z GIT_PUSH_CERT will
always be false. :)

The variable should also be quoted. Not all sh implementations accept
a missing argument to test -z, as bash does.

More minor, Documentation/CodingGuidelines suggests placing 'then' on a
new line:

if test -z "$GIT_PUSH_CERT"
then
	exit 0
fi

(There is plenty of code that doesn't follow that, so I don't know how
strong that preference is.)

This could also be written as:

test -z "$GIT_PUSH_CERT" && exit 0

I don't know if there's any general preference to shorten it in git's
code or not.

> +push_cert=$(git cat-file -p $GIT_PUSH_CERT)

Very minor: there's an extra space before the variable here.

(I also noticed the tests which use $GIT_PUSH_CERT, like t5534, use
'cat-file blob ...' rather than 'cat-file -p ...'. I don't know if
that's much safer/better than letting cat-file guess the object type
in the hook. I have no idea if there's a chance that "$GIT_PUSH_CERT"
has some unexpected, non-blob object type.)

> +while read oval nval ref
> +do
> + # Verify that the ref update matches that in push certificate.
> + if [[ $push_cert == *$oval" "$nval" "$ref* ]]; then

[[ isn't portable across all the sh implementations git strives to
support, as far as I know.

The minor point about 'then' on new line is applicable here too. It
would also better match the outer 'while' loop.

> + # add the push cert as note (namespaced pushcerts) to nval.
> + git notes --ref=pushcerts add -m "$push_cert" $nval -f
> + fi
> +done

-- 
Todd
~~
Learn from the mistakes of others--you can never live long enough to
make them all yourself.
    -- John Luther
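The two reviews above raise the same two defects from different angles: Todd's portability points (the missing `$`, unquoted variables, bash-only `[[` under `#!/bin/sh`, `cat-file -p` instead of `blob`) and Junio's observation that the certificate blob contains far more than the three values, so a substring glob is not a check that the update is actually certified. The following is an added example, not the patch's code and not anything shipped by git, showing a POSIX sh version of the same hook whose check matches the exact `<old> <new> <ref>` line. The sample certificate text is constructed here with made-up object names and a placeholder signature block; the helper names `cert_covers_update` and `hook_main` are this example's own. It does not address the concurrent-push race on the notes ref that Junio asks about.

```shell
#!/bin/sh
# Added example (not the patch's own code): a portable post-receive
# check that only records a push certificate for ref updates the
# certificate actually lists.
#
# SAMPLE_CERT is a constructed stand-in for what
# `git cat-file blob "$GIT_PUSH_CERT"` returns: header lines, a blank
# line, one "<old> <new> <ref>" line per update, then the signature.
# The object names and the signature block below are made up.
SAMPLE_CERT='certificate version 0.1
pusher Example Pusher <pusher@example.invalid> 1700000000 +0000
pushee example.invalid:/repo.git
nonce 1700000000-aaaabbbbccccddddeeee

1111111111111111111111111111111111111111 2222222222222222222222222222222222222222 refs/heads/master
-----BEGIN PGP SIGNATURE-----
(signature body omitted in this constructed sample)
-----END PGP SIGNATURE-----'

# cert_covers_update CERT OLD NEW REF
# Succeeds only when "OLD NEW REF" appears in CERT as a whole line.
# grep -F: fixed string, -x: match the whole line, -q: no output.
# This replaces the bash-only `[[ $push_cert == *$oval" "$nval" "$ref* ]]`,
# which would also accept the three values anywhere in the blob.
cert_covers_update () {
	printf '%s\n' "$1" | grep -Fxq -e "$2 $3 $4"
}

# hook_main reads the "<old> <new> <ref>" lines post-receive passes on
# stdin, leaves quietly when the push was unsigned, and attaches the
# certificate as a note (refs/notes/pushcerts) to the new tip of each
# ref the certificate covers.
hook_main () {
	# Quoted expansion: a missing argument to `test -z` is not accepted
	# by every sh, and the bare name GIT_PUSH_CERT would never be empty.
	test -z "$GIT_PUSH_CERT" && exit 0
	# `blob`, not `-p`: the note must hold the exact bytes that were
	# signed, and -p output is allowed to change for human readers.
	push_cert=$(git cat-file blob "$GIT_PUSH_CERT") || exit 1
	while read oval nval ref
	do
		if cert_covers_update "$push_cert" "$oval" "$nval" "$ref"
		then
			git notes --ref=pushcerts add -f -m "$push_cert" "$nval"
		fi
	done
}

# Only act as the hook when installed under that name, so the functions
# above can also be exercised on their own.
case "$0" in
*post-receive) hook_main ;;
esac
```

Two of the three checks below would have passed the original substring glob: a ref name that is merely a prefix of the certified one, and the old and new object names swapped, are both rejected by the whole-line match.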
[PATCH] Add a sample hook which saves push certs as notes
hooks--post-receive.sample: If push cert is present, add it as a git note to the top most commit of the updated ref. Signed-off-by: Shikher Verma--- templates/hooks--post-receive.sample | 38 1 file changed, 38 insertions(+) create mode 100755 templates/hooks--post-receive.sample diff --git a/templates/hooks--post-receive.sample b/templates/hooks--post-receive.sample new file mode 100755 index 0..b4366e43f --- /dev/null +++ b/templates/hooks--post-receive.sample @@ -0,0 +1,38 @@ +#!/bin/sh +# +# An example hook script to store push certificates as notes. +# +# To enable this hook, rename this file to "post-receive". +# +# The stdin of the hook will be one line for each updated ref: +# +# +# For each updated ref this script will : +# 1. Verify that the ref update matches that in push certificate. +# 2. add the push cert as note (namespace pushcerts) to . +# +# If this hook is enabled on the server then clients can prevent +# git metadata tampering, by using signed pushes and +# doing the following while fetching : +# 1. fetch the git notes (of namespace pushcerts) from server. +# $ git fetch origin refs/notes/pushcerts:refs/notes/pushcerts +# 2. Check that the fetched ref's top most commit has a note +# containing a push certificate. +# 3. Verify the validity of the push certificate in the note and +# check that the ref update matches that in push certificate. +# + +if test -z GIT_PUSH_CERT ; then +exit 0 +fi + +push_cert=$(git cat-file -p $GIT_PUSH_CERT) + +while read oval nval ref +do + # Verify that the ref update matches that in push certificate. + if [[ $push_cert == *$oval" "$nval" "$ref* ]]; then + # add the push cert as note (namespaced pushcerts) to nval. + git notes --ref=pushcerts add -m "$push_cert" $nval -f + fi +done -- 2.15.0
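Review bot: the early-exit guard never fires: `+if test -z GIT_PUSH_CERT ; then` tests the literal string, not the variable, so `test -z` is always false and an unsigned push falls through to `git cat-file -p` with no object argument; write `test -z "$GIT_PUSH_CERT"`, quoted so that an empty value is still one argument on stricter sh implementations. The match `+    if [[ $push_cert == *$oval" "$nval" "$ref* ]]; then` is a bash `[[` construct under a `#!/bin/sh` shebang, and as a substring glob it accepts any certificate that contains those three values somewhere rather than the exact `<old> <new> <ref>` line the header comment promises to verify; a POSIX alternative is to pipe `$push_cert` through `grep -Fxq` for the line `"$oval $nval $ref"`. Also prefer `git cat-file blob` over `-p` so the stored note is the exact signed bytes, quote `$GIT_PUSH_CERT` and `$nval`, and say in the header comment what a client should expect when two concurrent receives both run `git notes --ref=pushcerts add ... -f` against the same notes tip, since post-receive runs without a lock and only one of the two updates can win.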