[0/5] Support for commits signed by multiple algorithms

Message ID 20210111003740.1319996-1-sandals@crustytoothpaste.net (mailing list archive)

brian m. carlson Jan. 11, 2021, 12:37 a.m. UTC
This series introduces support for verifying commits and tags signed by
multiple algorithms.

Originally, we had planned for SHA-256 tags to stuff the signature in a
header instead of using a trailing signature, and a patch to do that was
sent out in part 1/3.  Unfortunately, for whatever reason, that patch
didn't make it into the master branch, and so we use trailing signatures
there.

We can't change this now, because otherwise it would be ambiguous
whether the trailing signature on a SHA-256 object was for the SHA-256
contents or whether the contents were a rewritten SHA-1 object with no
SHA-256 signature at all.  To do the next best thing, let's use the
trailing signature for the preferred hash algorithm and use a header for
the other variant.  This permits round-tripping, but has the downside
that tags signed with multiple algorithms can't be verified with older
versions of Git.  However, signatures created with older versions of Git
continue to be accepted.

For commits, let's accept a commit that has two signatures.  We
previously created the commits correctly but didn't strip the extra
header off when verifying, so our verification indicated the signature
was bad.

Both these situations allow for signing commits and tags that can be
round-tripped through both SHA-1 and SHA-256.  We verify only the
signature using the current hash algorithm, since we currently don't
rewrite objects.

brian m. carlson (5):
  commit: ignore additional signatures when parsing signed commits
  gpg-interface: improve interface for parsing tags
  commit: allow parsing arbitrary buffers with headers
  ref-filter: hoist signature parsing
  gpg-interface: remove other signature headers before verifying

 builtin/receive-pack.c   |  4 +-
 builtin/tag.c            | 16 ++++++--
 commit.c                 | 82 +++++++++++++++++++++++++++-------------
 commit.h                 | 12 +++++-
 fmt-merge-msg.c          |  8 ++--
 gpg-interface.c          | 15 +++++++-
 gpg-interface.h          |  9 ++++-
 log-tree.c               | 15 ++++----
 ref-filter.c             | 23 +++++++----
 t/t7004-tag.sh           | 25 ++++++++++++
 t/t7510-signed-commit.sh | 43 ++++++++++++++++++++-
 tag.c                    | 15 ++++----
 12 files changed, 206 insertions(+), 61 deletions(-)
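
The verification step the cover letter describes for doubly signed commits, as an added example (not code from this series or from Git): take the signature for the current hash algorithm and drop every signature header from the payload before checking it. The helper name `split_signed_commit` and the sample commit are constructed for illustration; the header names `gpgsig` and `gpgsig-sha256` are Git's.

```c
#include <stdio.h>
#include <string.h>

/* Git's signature headers: "gpgsig" (SHA-1), "gpgsig-sha256" (SHA-256). */
static const char *sig_headers[] = { "gpgsig", "gpgsig-sha256" };
enum { KEEP, DROP, WANT };

/* Constructed sample: a doubly signed commit with fake signature bodies. */
static const char sample[] =
	"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\nauthor A <a@example.com> 0 +0000\n"
	"gpgsig BEGIN\n \n sha1sig\n END\n"
	"gpgsig-sha256 BEGIN\n sha256sig\n END\n"
	"\nsubject\n\ngpgsig body text, not a header\n";

/* Hypothetical helper, not Git's API: payload = buf minus every signature
 * header, sig = value of header `want`; outputs need strlen(buf) + 1 bytes. */
int split_signed_commit(const char *buf, const char *want, char *payload, char *sig)
{
	int state = KEEP, in_body = 0, found = 0;
	payload[0] = sig[0] = '\0';
	while (*buf) {
		const char *nl = strchr(buf, '\n');
		size_t len = nl ? (size_t)(nl - buf) + 1 : strlen(buf);
		size_t klen = strcspn(buf, " \n"), i;	/* header key length */
		if (in_body || *buf == '\n') {
			in_body = 1;	/* blank line ends the headers */
			state = KEEP;
		} else if (*buf != ' ') {	/* new header; " ..." lines continue the last */
			state = KEEP;
			for (i = 0; i < 2; i++)
				if (klen == strlen(sig_headers[i]) && !memcmp(buf, sig_headers[i], klen))
					state = strcmp(sig_headers[i], want) ? DROP : WANT;
			found |= (state == WANT);
		}
		if (state == KEEP)
			strncat(payload, buf, len);
		else if (state == WANT && klen + 1 <= len)	/* skip "key " or " " */
			strncat(sig, buf + klen + 1, len - klen - 1);
		buf += len;
	}
	return found;	/* 1 if header `want` was present */
}

int main(void)
{
	char payload[sizeof(sample)], sig[sizeof(sample)];
	split_signed_commit(sample, "gpgsig-sha256", payload, sig);
	return printf("payload:\n%ssignature:\n%s", payload, sig) < 0;
}
```

The payload comes out identical whichever header is requested, and a `gpgsig` line in the message body is left in place because header parsing stops at the first blank line.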