sofistes.net

sofistes.net

About sofistes.net

This blog is a way for me to collect interesting stuff into one place. I'm not planning on making this a confession booth of any sort, just post random interesting web sites if I feel the need to comment on them (otherwise I just add them to my del.icio.us page) and comment on other stuff that is worth it (books, TV programs, games, CD's etc).

Knowing myself I doubt I will be updating this too often but we'll see...

Hidden secrets of git

All sorts of geeky stuffPosted by Marko Poutiainen Thursday, May 14 2009 14:58:25
This caused a bit of a headache. This is the scenario:

In repo 1:
- Edit some stuff,
- git commit,
- git tag -a,
- git push --tags.

In repo 2:
- git pull --tags,

-> The changes from the edit are visible.

This definitely isn't clear from the documentation:

--cut--

--tags

All refs under $GIT_DIR/refs/tags are pushed, in addition to refspecs explicitly listed on the command line.

--cut--

But very cool, neverthless. This means it's not possible to accidentally only push the tags and not the changes associated with them.

  • Comments(0)//www.sofistes.net/#post30

Using signed tags with git

All sorts of geeky stuffPosted by Marko Poutiainen Thursday, May 07 2009 17:09:27
Another thing I tried out with git was signing tags with gpg keys. Things would have been a lot easier if I knew more of git or gpg - I'm not yet too familiar with either. Obviously I have used encryption with emails before, but since this has been with Outlook, the whole thing works a little bit differently (the interface for key ring handling is in Outlook).

So here's how you can do it:

1. The user creates a gpg key with gpg --gen-key.
2. Then he exports the public key with gpg --armor --export user@email.com > mypk
3. He sends the public key file to you for you to save it in the git user's keyring (assuming you are using gitosis). You then import it with gpg --import mypk. It might also be a good idea to sign this key with gpg --edit-key user@email.com.
4. Next you need to add the verification somewhere in the git hooks, pre-receive might be the best bet. Checking the validity is done with git tag -v "tag_id". The code could be something like (I haven't done this yet myself):

#!/bin/perl
while(<>)
{
m/(.+) (.+) refs\/tags\/(.+)/;
my $ret = open(FH, "-|", "git-tag", "-v", $3);
while(<FH>)
{
# Check that output shows the signature is good
}

And hey presto! You have just made sure that your system only accepts tags signed by people you have accepted.

  • Comments(0)//www.sofistes.net/#post28

Improved security with git and gitosis

All sorts of geeky stuffPosted by Marko Poutiainen Thursday, May 07 2009 16:44:26
So, I started working on Linux and one of my first tasks has been to learn to use git, the open source version control system used by, among others, Linus Torvalds. I'm familiar with a number of SCM systems but git has quite a lot of new stuff for me. I also installed gitosis for added security. Gitosis removes the need to create user accounts for everyone who needs to read or write to the repository, which improves security a lot. Setting it up had it's small quirks which meant I couldn't use the otherwise excellent guides to the point. But I did get there eventually.

Anyways, what I wanted to do was to check that the user is who he says. By simply saying "git config user.email=whoever@whatever.com && git config user.name=Mr. Fake" a user can hide his identity - in practice allowing him to add what he wants to the repository as long as he has write access. Also, there is no extra security for anything else. For instance if you have conditional hooks in your git repository, you can't just the user id for access rights.

The solution is to use gitosis and check that the user really is who he says he is. I already asked this question in stackoverflow and then ended up solving the problem myself. The solution requires fixing gitosis, reinstalling it and the adding a pre-receive hook to the git repository. Not overly complicated, but hopefully someone could add that fix to the "official" gitosis code as well.

This solution verifies that the user email address used to create the ssh key for gitosis matches the address the user is using which should be pretty secure. This way the repository history is correct and the culprits can always be tracked down.

  • Comments(0)//www.sofistes.net/#post27