From: Junio C Hamano <gitster@pobox•com>
To: Sitaram Chamarty <sitaramc@gmail•com>
Cc: "git\@vger.kernel.org" <git@vger•kernel.org>
Subject: Re: saving "git push --signed" certificate blobs
Date: Tue, 30 Dec 2014 09:48:45 -0800
Message-ID: <xmqqiogtrptu.fsf@gitster.dls.corp.google.com>
In-Reply-To: <54A22586.70001@gmail.com> (Sitaram Chamarty's message of "Tue, 30 Dec 2014 09:39:42 +0530")

Sitaram Chamarty <sitaramc@gmail•com> writes:
> Just wanted to say there's a little script at [1] that saves the certificate
> blobs generated on the server side by "git push --signed".
>
> Quoting from the source:
>
> # Collects the cert blob on push and saves it, then, if a certain number of
> # signed pushes have been seen, processes all the "saved" blobs in one go,
> # adding them to the special ref 'refs/push-certs'. This is done in a way
> # that allows searching for all the certs pertaining to one specific branch
> # (thanks to Junio Hamano for this idea plus general brainstorming).
>
> Note that although I posted it in the gitolite ML, this has very little to do
> with gitolite. Any git server can use it, with only one very minor change [2]
> needed.
>
> sitaram
>
> [1]: https://groups.google.com/forum/#!topic/gitolite/7cSrU6JorEY
>
> [2]: Either set the GL_OPTIONS_GPC_PENDING environment variable by reading its
> value from 'git config', or replace the only line that uses that variable, with
> some other "test".

Nicely done.

We'd need to give you a tool to make it easy to create a "validated
chain of certificates" out of

    $ git log refs/push-certs -- refs/heads/master

to make the history this script creates truly useful, but I think it
is a very good start.

I can see that you tried to make the log output "human readable" by
reformatting $cf, I am not sure if it gives us much value. I would
have expected that you would just use the blob contents for the log
message as-is, so that

    $ git log --pretty=raw refs/push-certs -- refs/heads/master |
      validate-cert-chain

can just work on blobs (shown in the "log" output) without having to
extract the blobs by doing something like

    $ git rev-list refs/push-certs -- refs/heads/master |
      while read commit
      do
          git cat-file blob $commit:refs/heads/master |
          validate-cert
      done

By the way, you seem to like "cat" too much, though. You don't have
to cat a single file into a pipeline.

Thanks.
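
Added example, not part of the original message and not code from git or gitolite: one reading of the "validated chain of certificates" check, assuming the certificate blobs for one ref have already been extracted oldest first (for instance by a rev-list loop like the one above, reversed). The function names and the sample certificates are constructed for illustration, and GnuPG signature verification is left out.

```python
import re

SIG = "-----BEGIN PGP SIGNATURE-----"
CMD = re.compile(r"^([0-9a-f]{40}) ([0-9a-f]{40}) (\S+)$")

def parse_cert(text):
    """Return (header fields, [(old, new, ref), ...]) for one push certificate."""
    head, _, body = text.partition("\n\n")
    lines = head.splitlines()
    if not lines or lines[0] != "certificate version 0.1":
        raise ValueError("not a push certificate")
    fields = dict(line.split(" ", 1) for line in lines[1:])
    updates = []
    for line in body.splitlines():
        if line.startswith(SIG):
            break  # signature block; verifying it with GnuPG is out of scope here
        m = CMD.match(line)
        if m is None:
            raise ValueError("malformed update line: %r" % line)
        updates.append(m.groups())
    return fields, updates

def validate_chain(certs, ref):
    """certs: certificate texts for `ref`, oldest first. Returns a list of problems."""
    problems, tip = [], None
    for n, text in enumerate(certs):
        try:
            fields, updates = parse_cert(text)
        except ValueError as err:
            problems.append("cert %d: %s" % (n, err))
            continue
        for old, new, name in updates:
            if name != ref:
                continue
            if tip is not None and old != tip:
                # The ref moved between two certified pushes with no certificate on record.
                problems.append("cert %d (%s): expected old %s, got %s"
                                % (n, fields.get("pusher", "?"), tip[:7], old[:7]))
            tip = new
    return problems

def sample_cert(old, new, ref="refs/heads/master"):
    """Constructed certificate text; ids, pusher and signature are placeholders."""
    return ("certificate version 0.1\n"
            "pusher Example Pusher <pusher@example.com> 1419961725 -0800\n"
            "nonce 1419961725-constructed\n\n"
            "%s %s %s\n%s\n(placeholder)\n-----END PGP SIGNATURE-----\n"
            % (old * 40, new * 40, ref, SIG))

if __name__ == "__main__":
    chain = [sample_cert("0", "a"), sample_cert("a", "b"), sample_cert("c", "d")]
    for problem in validate_chain(chain, "refs/heads/master"):
        print(problem)
```

A reported break means the ref changed between two recorded certificates without a certificate covering that change, for example through an unsigned push.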