mirror of
https://github.com/git/git.git
synced 2024-11-15 05:33:04 +01:00
5732373daa
When operating with the stateless RPC mode, we will receive a nonce issued by another instance of us that advertised our capability and refs some time ago. Update the logic to check received nonce to detect this case, compute how much time has passed since the nonce was issued and report the status with a new environment variable GIT_PUSH_CERT_NONCE_SLOP to the hooks. GIT_PUSH_CERT_NONCE_STATUS will report "SLOP" in such a case. The hooks are free to decide how large a slop it is willing to accept. Strictly speaking, the "nonce" is not really a "nonce" anymore in the stateless RPC mode, as it will happily take any "nonce" issued by it (which is protected by HMAC and its secret key) as long as it is fresh enough. The degree of this security degradation, relative to the native protocol, is about the same as the "we make sure that the 'git push' decided to update our refs with new objects based on the freshest observation of our refs by making sure the values they claim the original value of the refs they ask us to update exactly match the current state" security is loosened to accomodate the stateless RPC mode in the existing code without this series, so there is no need for those who are already using smart HTTP to push to their repositories to be alarmed any more than they already are. In addition, the server operator can set receive.certnonceslop configuration variable to specify how stale a nonce can be (in seconds). When this variable is set, and if the nonce received in the certificate that passes the HMAC check was less than that many seconds old, hooks are given "OK" in GIT_PUSH_CERT_NONCE_STATUS (instead of "SLOP") and the received nonce value is given in GIT_PUSH_CERT_NONCE, which makes it easier for a simple-minded hook to check if the certificate we received is recent enough. Signed-off-by: Junio C Hamano <gitster@pobox.com>
220 lines
7.8 KiB
Text
220 lines
7.8 KiB
Text
git-receive-pack(1)
|
|
===================
|
|
|
|
NAME
|
|
----
|
|
git-receive-pack - Receive what is pushed into the repository
|
|
|
|
|
|
SYNOPSIS
|
|
--------
|
|
[verse]
|
|
'git-receive-pack' <directory>
|
|
|
|
DESCRIPTION
|
|
-----------
|
|
Invoked by 'git send-pack' and updates the repository with the
|
|
information fed from the remote end.
|
|
|
|
This command is usually not invoked directly by the end user.
|
|
The UI for the protocol is on the 'git send-pack' side, and the
|
|
program pair is meant to be used to push updates to remote
|
|
repository. For pull operations, see linkgit:git-fetch-pack[1].
|
|
|
|
The command allows for creation and fast-forwarding of sha1 refs
|
|
(heads/tags) on the remote end (strictly speaking, it is the
|
|
local end 'git-receive-pack' runs, but to the user who is sitting at
|
|
the send-pack end, it is updating the remote. Confused?)
|
|
|
|
There are other real-world examples of using update and
|
|
post-update hooks found in the Documentation/howto directory.
|
|
|
|
'git-receive-pack' honours the receive.denyNonFastForwards config
|
|
option, which tells it if updates to a ref should be denied if they
|
|
are not fast-forwards.
|
|
|
|
OPTIONS
|
|
-------
|
|
<directory>::
|
|
The repository to sync into.
|
|
|
|
pre-receive Hook
|
|
----------------
|
|
Before any ref is updated, if $GIT_DIR/hooks/pre-receive file exists
|
|
and is executable, it will be invoked once with no parameters. The
|
|
standard input of the hook will be one line per ref to be updated:
|
|
|
|
sha1-old SP sha1-new SP refname LF
|
|
|
|
The refname value is relative to $GIT_DIR; e.g. for the master
|
|
head this is "refs/heads/master". The two sha1 values before
|
|
each refname are the object names for the refname before and after
|
|
the update. Refs to be created will have sha1-old equal to 0\{40},
|
|
while refs to be deleted will have sha1-new equal to 0\{40}, otherwise
|
|
sha1-old and sha1-new should be valid objects in the repository.
|
|
|
|
When accepting a signed push (see linkgit:git-push[1]), the signed
|
|
push certificate is stored in a blob and an environment variable
|
|
`GIT_PUSH_CERT` can be consulted for its object name. See the
|
|
description of `post-receive` hook for an example. In addition, the
|
|
certificate is verified using GPG and the result is exported with
|
|
the following environment variables:
|
|
|
|
`GIT_PUSH_CERT_SIGNER`::
|
|
The name and the e-mail address of the owner of the key that
|
|
signed the push certificate.
|
|
|
|
`GIT_PUSH_CERT_KEY`::
|
|
The GPG key ID of the key that signed the push certificate.
|
|
|
|
`GIT_PUSH_CERT_STATUS`::
|
|
The status of GPG verification of the push certificate,
|
|
using the same mnemonic as used in `%G?` format of `git log`
|
|
family of commands (see linkgit:git-log[1]).
|
|
|
|
`GIT_PUSH_CERT_NONCE`::
|
|
The nonce string the process asked the signer to include
|
|
in the push certificate. If this does not match the value
|
|
recorded on the "nonce" header in the push certificate, it
|
|
may indicate that the certificate is a valid one that is
|
|
being replayed from a separate "git push" session.
|
|
|
|
`GIT_PUSH_CERT_NONCE_STATUS`::
|
|
`UNSOLICITED`;;
|
|
"git push --signed" sent a nonce when we did not ask it to
|
|
send one.
|
|
`MISSING`;;
|
|
"git push --signed" did not send any nonce header.
|
|
`BAD`;;
|
|
"git push --signed" sent a bogus nonce.
|
|
`OK`;;
|
|
"git push --signed" sent the nonce we asked it to send.
|
|
`SLOP`;;
|
|
"git push --signed" sent a nonce different from what we
|
|
asked it to send now, but in a previous session. See
|
|
`GIT_PUSH_CERT_NONCE_SLOP` environment variable.
|
|
|
|
`GIT_PUSH_CERT_NONCE_SLOP`::
|
|
"git push --signed" sent a nonce different from what we
|
|
asked it to send now, but in a different session whose
|
|
starting time is different by this many seconds from the
|
|
current session. Only meaningful when
|
|
`GIT_PUSH_CERT_NONCE_STATUS` says `SLOP`.
|
|
Also read about `receive.certnonceslop` variable in
|
|
linkgit:git-config[1].
|
|
|
|
This hook is called before any refname is updated and before any
|
|
fast-forward checks are performed.
|
|
|
|
If the pre-receive hook exits with a non-zero exit status no updates
|
|
will be performed, and the update, post-receive and post-update
|
|
hooks will not be invoked either. This can be useful to quickly
|
|
bail out if the update is not to be supported.
|
|
|
|
update Hook
|
|
-----------
|
|
Before each ref is updated, if $GIT_DIR/hooks/update file exists
|
|
and is executable, it is invoked once per ref, with three parameters:
|
|
|
|
$GIT_DIR/hooks/update refname sha1-old sha1-new
|
|
|
|
The refname parameter is relative to $GIT_DIR; e.g. for the master
|
|
head this is "refs/heads/master". The two sha1 arguments are
|
|
the object names for the refname before and after the update.
|
|
Note that the hook is called before the refname is updated,
|
|
so either sha1-old is 0\{40} (meaning there is no such ref yet),
|
|
or it should match what is recorded in refname.
|
|
|
|
The hook should exit with non-zero status if it wants to disallow
|
|
updating the named ref. Otherwise it should exit with zero.
|
|
|
|
Successful execution (a zero exit status) of this hook does not
|
|
ensure the ref will actually be updated, it is only a prerequisite.
|
|
As such it is not a good idea to send notices (e.g. email) from
|
|
this hook. Consider using the post-receive hook instead.
|
|
|
|
post-receive Hook
|
|
-----------------
|
|
After all refs were updated (or attempted to be updated), if any
|
|
ref update was successful, and if $GIT_DIR/hooks/post-receive
|
|
file exists and is executable, it will be invoked once with no
|
|
parameters. The standard input of the hook will be one line
|
|
for each successfully updated ref:
|
|
|
|
sha1-old SP sha1-new SP refname LF
|
|
|
|
The refname value is relative to $GIT_DIR; e.g. for the master
|
|
head this is "refs/heads/master". The two sha1 values before
|
|
each refname are the object names for the refname before and after
|
|
the update. Refs that were created will have sha1-old equal to
|
|
0\{40}, while refs that were deleted will have sha1-new equal to
|
|
0\{40}, otherwise sha1-old and sha1-new should be valid objects in
|
|
the repository.
|
|
|
|
The `GIT_PUSH_CERT*` environment variables can be inspected, just as
|
|
in `pre-receive` hook, after accepting a signed push.
|
|
|
|
Using this hook, it is easy to generate mails describing the updates
|
|
to the repository. This example script sends one mail message per
|
|
ref listing the commits pushed to the repository, and logs the push
|
|
certificates of signed pushes with good signatures to a logger
|
|
service:
|
|
|
|
#!/bin/sh
|
|
# mail out commit update information.
|
|
while read oval nval ref
|
|
do
|
|
if expr "$oval" : '0*$' >/dev/null
|
|
then
|
|
echo "Created a new ref, with the following commits:"
|
|
git rev-list --pretty "$nval"
|
|
else
|
|
echo "New commits:"
|
|
git rev-list --pretty "$nval" "^$oval"
|
|
fi |
|
|
mail -s "Changes to ref $ref" commit-list@mydomain
|
|
done
|
|
# log signed push certificate, if any
|
|
if test -n "${GIT_PUSH_CERT-}" && test ${GIT_PUSH_CERT_STATUS} = G
|
|
then
|
|
(
|
|
echo expected nonce is ${GIT_PUSH_NONCE}
|
|
git cat-file blob ${GIT_PUSH_CERT}
|
|
) | mail -s "push certificate from $GIT_PUSH_CERT_SIGNER" push-log@mydomain
|
|
fi
|
|
exit 0
|
|
|
|
The exit code from this hook invocation is ignored, however a
|
|
non-zero exit code will generate an error message.
|
|
|
|
Note that it is possible for refname to not have sha1-new when this
|
|
hook runs. This can easily occur if another user modifies the ref
|
|
after it was updated by 'git-receive-pack', but before the hook was able
|
|
to evaluate it. It is recommended that hooks rely on sha1-new
|
|
rather than the current value of refname.
|
|
|
|
post-update Hook
|
|
----------------
|
|
After all other processing, if at least one ref was updated, and
|
|
if $GIT_DIR/hooks/post-update file exists and is executable, then
|
|
post-update will be called with the list of refs that have been updated.
|
|
This can be used to implement any repository wide cleanup tasks.
|
|
|
|
The exit code from this hook invocation is ignored; the only thing
|
|
left for 'git-receive-pack' to do at that point is to exit itself
|
|
anyway.
|
|
|
|
This hook can be used, for example, to run `git update-server-info`
|
|
if the repository is packed and is served via a dumb transport.
|
|
|
|
#!/bin/sh
|
|
exec git update-server-info
|
|
|
|
|
|
SEE ALSO
|
|
--------
|
|
linkgit:git-send-pack[1], linkgit:gitnamespaces[7]
|
|
|
|
GIT
|
|
---
|
|
Part of the linkgit:git[1] suite
|