Re: [git patches] libata updates, GPG signed (but see admin notes)

[git patches] libata updates, GPG signed (but see admin notes) · Jeff Garzik <hidden> · 2011-10-26
Re: [git patches] libata updates, GPG signed (but see admin notes) · James Bottomley <James.Bottomley@HansenPartnership.com> · 2011-10-30
Re: [git patches] libata updates, GPG signed (but see admin notes) · Linus Torvalds <torvalds@linux-foundation.org> · 2011-10-30
Re: [git patches] libata updates, GPG signed (but see admin notes) · James Bottomley <James.Bottomley@HansenPartnership.com> · 2011-10-31
Re: [git patches] libata updates, GPG signed (but see admin notes) · Linus Torvalds <torvalds@linux-foundation.org> · 2011-10-31
Re: [git patches] libata updates, GPG signed (but see admin notes) · Ingo Molnar <hidden> · 2011-10-31
Re: [git patches] libata updates, GPG signed (but see admin notes) · "H. Peter Anvin" <hpa@zytor.com> · 2011-10-31
Re: [git patches] libata updates, GPG signed (but see admin notes) · Linus Torvalds <torvalds@linux-foundation.org> · 2011-10-31
Re: [git patches] libata updates, GPG signed (but see admin notes) · "H. Peter Anvin" <hpa@zytor.com> · 2011-10-31
Re: [git patches] libata updates, GPG signed (but see admin notes) · Linus Torvalds <torvalds@linux-foundation.org> · 2011-10-31
Re: [git patches] libata updates, GPG signed (but see admin notes) · <hidden> · 2011-11-01
Re: [git patches] libata updates, GPG signed (but see admin notes) · "H. Peter Anvin" <hpa@zytor.com> · 2011-11-01
Re: [git patches] libata updates, GPG signed (but see admin notes) · Linus Torvalds <torvalds@linux-foundation.org> · 2011-11-01
Re: [git patches] libata updates, GPG signed (but see admin notes) · "hpanvin@gmail.com" <hpa@zytor.com> · 2011-11-01
Re: [git patches] libata updates, GPG signed (but see admin notes) · James Bottomley <James.Bottomley@HansenPartnership.com> · 2011-11-01
Re: [git patches] libata updates, GPG signed (but see admin notes) · Henrique de Moraes Holschuh <hmh@hmh.eng.br> · 2011-11-01
Re: [git patches] libata updates, GPG signed (but see admin notes) · Tony Luck <hidden> · 2011-11-01
Re: [git patches] libata updates, GPG signed (but see admin notes) · Linus Torvalds <torvalds@linux-foundation.org> · 2011-11-01
Re: [git patches] libata updates, GPG signed (but see admin notes) · Felipe Contreras <hidden> · 2011-11-12
Re: [git patches] libata updates, GPG signed (but see admin notes) · <hidden> · 2011-11-01
Re: [git patches] libata updates, GPG signed (but see admin notes) · Theodore Tso <tytso@MIT.EDU> · 2011-11-01
Re: [git patches] libata updates, GPG signed (but see admin notes) · Linus Torvalds <torvalds@linux-foundation.org> · 2011-11-01
Re: [git patches] libata updates, GPG signed (but see admin notes) · <hidden> · 2011-11-01

From: Ingo Molnar <hidden>
Date: 2011-10-31 08:42:35
Also in: git, lkml

* Linus Torvalds [off-list ref] wrote:

That said, even the "BEGIN PGP SIGNED MESSAGE" things are a massive 
pain in the butt. We need to automate this some sane way, both for 
the sender and for the recipient.

The most practical form would be if Git supported such oneliner pull 
requests:

 git pull git://foo.com bar.branch                           \
  --pull-sha1 0acf00014bcfd71090c3b0d43c98e970108064e4       \
  --gpg-by: "Ingo Molnar [off-list ref]"                 \
  --gpg-sig: 8a6f134afd1d212fe21345

maintainers could just paste them into a shell and it would abort if 
it's not trusted. The maintainer verifies the visible, 'Ingo Molnar' 
bit. The 8a6f134afd1d212fe21345 is a signed-by-Ingo-Molnar version of 
this content:

    git://foo.com bar.branch 0acf00014bcfd71090c3b0d43c98e970108064e4

And Git would verify that what ends up being pulled is indeed 
0acf00014bcfd and also verifies that it was signed by me.

[ If we are extra diligent/paranoid then beyond the sha1 we might 
  even GPG sign the shortlog, or even the full raw log of all commits 
  leading to the sha1: this introduces some Git shortlog and patch 
  formatting version dependency though.

  Git could also double check foo.com's DNS coherency, or check it 
  against a known-trusted whitelist of domain names specified in the 
  maintainer's .gitconfig, as an extra layer. ]

Doing it in this form would remove all the mail formatting madness - 
one could paste such a pull request into a shell straight away, from 
HTML email, from text email, from MIME email, etc.

In fact i would trust such a Git based solution far more than any 
opaque, invisible tool that claims to have checked a signature with 
cooperation of my mail client (ha!).

The only somewhat non-obvious bit is that Git should be *very* 
careful about its key ID and signature parsing strategy, to protect 
against social engineering attacks.

For example neither this:

  --gpg-by: "Ingo Molnar [off-list ref]"

nor this:

  --pgp-by: "Ingo Molnar [off-list ref]"

malicious pull request should slip through in any fashion:

 - Git should only use keys that are in your ring of trust - not pull 
   keys from the public keyring automatically and just check 
   coherency of the pull request or such. [I'm sure people will be 
   tempted to have such a feature - but that temptation should be 
   resisted.]

 - Git should abort the moment it sees an unknown option

Thanks,

	Ingo

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help