From: Mike Gerwitz
To: Bob Proulx, Ludovic Courtès, 22883@debbugs.gnu.org, savannah-help-public@gnu.org
Subject: [sr #109104] Add Git 'update' hook for Guix repositories
Date: Sun, 7 Aug 2016 05:53:39 +0000 (UTC)
Message-Id: <20160807-015339.sv88130.30875@savannah.gnu.org>
In-Reply-To: <20160725-110023.sv15145.28291@savannah.gnu.org>
X-Savane-Project: administration
X-Savane-Tracker: support
X-Savane-Item-ID: 109104
Follow-up Comment #4, sr #109104 (project administration):

Unfortunately, this hook can be easily defeated. Here's some example
output from the current tip of master:

$ git cat-file -p HEAD
tree c65e675351fe76b2630df24eddcb2449774eb344
parent e87c7ec2de815f05d7a84e2792e2da700bb26a38
author Leo Famulari 1470169005 -0400
committer Leo Famulari 1470538536 -0400
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJXpqMoAAoJECZG+jC6yn8Ihn8P+wfUhS5HOL7181KC8ZRdTFC5
 5XjavRq/08LJzO2mxer1r5oVcWYuZAvnPKZltO1vdIp0ncvU40c4nmaNpQiB/w6B
 8slSkqBsoCVE7GEKHoAWju7Rwwlqw4fUSgDWw5JpJ/3S2PhRj+tvy8o/wCeBEwTL
 c90yivRmpKZcdcRgSPHqhHhMJ7lIJxbvHKlb30SPz9vdQTj13EUeeyyJQc/7lu7D
 kUiUu9MOjC3o8dPE8E7otMnD51xfj8SNvs5h7cZAMByS0Qk06RwK+O5POkBlXUMV
 lVxgPJsC7LfqJJ/VGLb5uOIoXMUCGV3mzdDXA+Pe+xvTTGOT+8rNsPl7kwxAGYqC
 vPVrY1dC6CzRX8/7etvb99UHf2nx0NbYRAvetZzh9j6WBbMqGBgHMndRh6i6Y7Fl
 BioG+J22sXCQjf3ydRvjd8cznlfvBCTqo9zSqeoG7Ha/qSh1pX16KAUxLi1YGzK6
 I79iqOEvpoxwS/9Ym+GB+4rLTimqhtDKN7v3XaQudJ8t6hMlGi+pqjiLhNI8q2c9
 dd3RthLu+Zom4duwnGo0BJEVC+CDLYGcdiwCKOpLaI9KtQbCv6useALPBk5RKPHr
 pE1Y7nTmBw7Rxl2GuaNOH9x5cHOuULfWW+HLm3JSwTjD4cpAxnFDP7qYINSo7XGR
 HGWK/43B5syf6FhZws8N
 =h+H0
 -----END PGP SIGNATURE-----

gnu: Add python-pythondialog.

* gnu/packages/python.scm (python-pythondialog): New variable.
(python2-pythondialog): Inherit from PYTHON-PYTHONDIALOG.

Co-authored-by: Vincent Legoll

The hook currently greps for `^gpgsig '. It will indeed find a GPG
signature if it exists, but to circumvent it, an attacker need only put
`gpgsig' in the commit message at column 0---the commit messages aren't
indented in the output.

You can replace the entire loop in the hook with this:

git log --pretty='%GK %h %s' "$rev_old^..$rev_new" \
  | awk '/^ / {
             e=1
             print "error: missing signature:" $0 > "/dev/stderr"
         }
         END { exit e }'

If the commit is not signed, then `%GK` (GPG key id) will yield an empty
string.
Here's some example output (run with HEAD~15..):

error: missing signature: 7ccb874 gnu: zsh: Move to shells.scm.
error: missing signature: 7977d76 Update NEWS.

_______________________________________________

Message sent via/by Savannah
http://savannah.gnu.org/
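The bypass described in the comment above, reproduced end to end as an added example. This is not the hook from the tracker item and not Guix or Savannah code; it is a throwaway script that assumes only that git is on PATH (no GPG key is needed, because every commit it creates is unsigned). It builds a repository whose second commit carries a message starting with "gpgsig " at column 0, shows that the `^gpgsig ` grep accepts it, and then rejects it with a range check that reads git's own verdict. It goes one step beyond the `%GK` version: `%G?` reports the verification status (G good, U good but untrusted key, N none, B bad, E cannot verify, X/Y/R expired or revoked), so a commit with a present but bad or unverifiable signature is rejected too, whereas `%GK` is non-empty for any signature at all. It also handles the all-zero "old" value an update hook receives when a ref is created, for which `$rev_old^..$rev_new` is not a valid range. The function names (grep_check, sig_check, hook_range, make_repo) are this example's own.

```shell
#!/bin/sh
# Added example, not the hook from the tracker item. Builds a throwaway repo
# with an unsigned commit whose message starts with "gpgsig " at column 0,
# then runs two checks over it. Assumes git is on PATH; no GPG key is needed
# because nothing here is signed.
set -eu

# The check the tracker item describes: grep the raw object for a gpgsig
# header. Returns 0 ("signed") if any line starts with "gpgsig ", whether it
# is the real header or a line of the commit message.
grep_check() {
    git cat-file -p "$1" | grep -q '^gpgsig '
}

# Verification-status check over a range. %G? is G (good), U (good, untrusted
# key), N (no signature), B (bad), E (cannot verify), X/Y/R (expired/revoked).
# Returns 0 only if every commit in the range is G or U; tighten to G alone if
# the hook is meant to enforce a trust policy and not just "signed by someone".
sig_check() {
    git log --pretty='%G? %h %s' "$1" \
    | awk '$1 != "G" && $1 != "U" {
            bad = 1
            print "error: signature status " $1 ": " $0 > "/dev/stderr"
        }
        END { exit bad }'
}

# Range for an update hook: $1 is the old ref value, $2 the new one. Git
# passes an all-zero old value when the ref is being created; "$old^..$new"
# is not a valid range then, so check everything reachable from new instead.
hook_range() {
    old=$1; new=$2
    case $old in
        0000000000000000000000000000000000000000) echo "$new" ;;
        *) echo "$old..$new" ;;
    esac
}

# Build the fixture repository and print its path. This is a constructed
# history for the demonstration, not a real Guix checkout.
make_repo() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        git -c init.defaultBranch=main init -q
        git config user.name "Example"
        git config user.email "example@example.invalid"
        git config commit.gpgsign false
        echo a > a; git add a; git commit -q -m "initial"
        # Attacker's commit: unsigned, but the message is crafted so the raw
        # object contains "gpgsig " at column 0 of the message body.
        printf 'gpgsig -----BEGIN PGP SIGNATURE-----\nbogus\n-----END PGP SIGNATURE-----\n' > msg
        echo b > b; git add b; git commit -q -F msg
        rm msg
    )
    echo "$dir"
}

# Stand-alone run: show the grep check being fooled and the status check not.
demo() {
    repo=$(make_repo)
    cd "$repo"
    old=$(git rev-parse HEAD~1); new=$(git rev-parse HEAD)
    if grep_check HEAD; then
        echo "grep check: accepted $new (fooled by the commit message)"
    fi
    if sig_check "$(hook_range "$old" "$new")"; then
        echo "status check: accepted $new"
    else
        echo "status check: rejected $new (no valid signature)"
    fi
}
```

Run it as a plain script to see both verdicts; in a real update hook the three positional parameters are the ref name, the old value and the new value, so `sig_check "$(hook_range "$2" "$3")"` is the line that would replace the loop.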