inheritable annex.securehashesonly
* init: When annex.securehashesonly has been set with git-annex config, copy that value to the annex.securehashesonly git config.
* config --set: As well as setting value in git-annex branch, set local gitconfig. This is needed especially for annex.securehashesonly, which is read only from local gitconfig and not the git-annex branch.

doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn has the rationale for doing it this way. There's no perfect solution; this seems to be the least-bad one.

This commit was supported by the NSF-funded DataLad project.
parent 6e0e7d885c
commit e53070c1ff
7 changed files with 51 additions and 10 deletions
@ -1,6 +1,6 @@
{- git-annex repository initialization
-
- Copyright 2011-2016 Joey Hess <id@joeyh.name>
- Copyright 2011-2017 Joey Hess <id@joeyh.name>
-
- Licensed under the GNU GPL version 3 or higher.
-}

@ -26,6 +26,7 @@ import qualified Git.Objects
import qualified Annex.Branch
import Logs.UUID
import Logs.Trust.Basic
import Logs.Config
import Types.TrustLevel
import Annex.Version
import Annex.Difference

@ -110,6 +111,7 @@ initialize' mversion = do
, unlessM isBareRepo
switchHEADBack
)
propigateSecureHashesOnly
createInodeSentinalFile False

uninitialize :: Annex ()
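Review bot: the new identifier `propigateSecureHashesOnly` (defined in the next hunk of this file) misspells "propagate"; since it is introduced here, renaming it to `propagateSecureHashesOnly` now is cheap and avoids the typo spreading. The placement itself is sensible: it runs inside initialize' after the HEAD handling and before createInodeSentinalFile, so the local annex.securehashesonly setting exists before any content can be added to the freshly initialized repository.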
@ -257,3 +259,12 @@ initSharedClone True = do
u <- getUUID
trustSet u UnTrusted
setConfig (annexConfig "hardlink") (Git.Config.boolConfig True)

{- Propigate annex.securehashesonly from then global config to local
- config. This makes a clone inherit a parent's setting, but once
- a repository has a local setting, changes to the global config won't
- affect it. -}
propigateSecureHashesOnly :: Annex ()
propigateSecureHashesOnly =
maybe noop (setConfig (ConfigKey "annex.securehashesonly"))
=<< getGlobalConfig "annex.securehashesonly"
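Review bot: `propigateSecureHashesOnly` calls `setConfig` unconditionally whenever the git-annex branch carries a value, so the comment's promise that "once a repository has a local setting, changes to the global config won't affect it" only holds as long as `git annex init` is never run again in that repository. A re-init would overwrite a local `annex.securehashesonly = true` with whatever the branch says at that moment, which is exactly the accidental/malicious re-enabling case the todo below worries about. Consider reading the local git config first and only copying the branch value when no local value exists, so an explicit local choice survives re-initialization; if the overwrite is intended, the comment should say so. Two small wording fixes in the same comment: "Propigate" should be "Propagate", and "from then global config" should be "from the global config".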
@ -12,6 +12,8 @@ git-annex (6.20170215) UNRELEASED; urgency=medium
backend.
* fsck: Warn about any files whose content is present, that don't
use secure hashes, when annex.securehashesonly is set.
* init: When annex.securehashesonly has been set with git-annex config,
copy that value to the annex.securehashesonly git config.
* Added --securehash option to match files using a secure hash function,
and corresponding securehash preferred content expression.
* sync, merge: Fail when the current branch has no commits yet, instead

@ -50,6 +52,10 @@ git-annex (6.20170215) UNRELEASED; urgency=medium
* Removed support for building with the old cryptohash library.
Building with that library made git-annex not support SHA3; it's time
for that to always be supported in case SHA2 dominoes.
* config --set: As well as setting value in git-annex branch,
set local gitconfig. This is needed especially for
annex.securehashesonly, which is read only from local gitconfig and not
the git-annex branch.

-- Joey Hess <id@joeyh.name> Tue, 14 Feb 2017 15:54:25 -0400

@ -9,6 +9,7 @@ module Command.Config where

import Command
import Logs.Config
import Config

cmd :: Command
cmd = noMessages $ command "config" SectionSetup

@ -52,12 +53,14 @@ seek (SetConfig name val) = commandAction $ do
showStart name val
next $ next $ do
setGlobalConfig name val
setConfig (ConfigKey name) val
return True
seek (UnsetConfig name) = commandAction $ do
allowMessages
showStart name "unset"
next $ next $ do
unsetGlobalConfig name
unsetConfig (ConfigKey name)
return True
seek (GetConfig name) = commandAction $ do
mv <- getGlobalConfig name
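Review bot: `seek (GetConfig name)` still reads only `getGlobalConfig name`, while `SetConfig` and `UnsetConfig` now also write the local gitconfig. For annex.securehashesonly, which the commit message says is honoured only from local gitconfig, `git annex config --get` can therefore report a branch value that differs from the one actually in effect in the current repository (a clone initialized before the branch value was changed, or a repository where `git config` was used directly). Consider making --get show the local value as well, or documenting that it reports the branch value only. It is also worth a line in the docs that `UnsetConfig` now clears the local setting in the repository where it is run, which for annex.securehashesonly removes the protection there, not just the default for future clones.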
@ -36,6 +36,23 @@ These settings can be overridden on a per-repository basis using

Set to true to make git-annex sync default to syncing content.

* `annex.securehashesonly`

Set to true to indicate that the repository should only use
cryptographically secure hashes
(SHA2, SHA3) and not insecure hashes (MD5, SHA1) for content.

When this is set, the contents of files using cryptographically
insecure hashes will not be allowed to be added to the repository.

Also, git-annex fsck` will complain about any files present in
the repository that use insecure hashes.

Note that this is only read from the git-annex branch by
`git annex init`, and is copied to the corresponding git config setting.
So, changes to the value in the git-annex branch won't affect a
repository once it has been initialized.

# EXAMPLE

Suppose you want to prevent git annex sync from committing changes
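Review bot: in the new text, "Also, git-annex fsck` will complain" is missing its opening backtick and should read "`git-annex fsck`". The closing note says the value is only read from the git-annex branch by `git annex init`; since this same commit also makes `git annex config --set` write the local gitconfig in the repository where it is run, that sentence could mention it, otherwise a reader may think a separate `git config` call is still needed after `--set` in the repository they are working in.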
@ -840,6 +840,9 @@ Here are all the supported configuration settings.

Also, git-annex fsck` will complain about any files present in
the repository that use insecure hashes.

To configure the behavior in new clones of the repository,
this can be set in [[git-annex-config]].

* `annex.diskreserve`
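Review bot: the unchanged context line "Also, git-annex fsck` will complain" has the same missing opening backtick as the text added to the git-annex-config page in this commit; while this section is being edited it could be corrected to "`git-annex fsck`".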
@ -12,16 +12,14 @@ You need git-annex 6.20170228. Upgrade if you don't have it.

git-annex can use many types of [[backends]] and not all of them are
secure. So, you need to configure git-annex to only use
cryptographically secure hashes. Also, let's make sure annex.verify
is set (it is by default, but let's override any global gitconfig setting
for it).
cryptographically secure hashes.

git annex config --set annex.securehashesonly true

Each new clone of the repository will then inherit that configuration.
But, any existing clones will not, so this should be run in them:

git config annex.securehashesonly true
git config annex.verify true

That needs to be run in every clone of the repository. This will prevent
any annexed object using an insecure hash from reaching your repository,
and it will verify the hashes when transferring objects.

It's important that all commits to the git repository are signed.
Use `git commit --gpg-sign`, or enable the commit.gpgSign configuration.
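Review bot: the rewritten instructions keep `git config annex.verify true` in the commands for existing clones but drop the sentence that explained it ("let's make sure annex.verify is set (it is by default, but let's override any global gitconfig setting for it)"), and with the header going from 16 to 14 lines the paragraph stating what the settings achieve ("This will prevent any annexed object using an insecure hash from reaching your repository, and it will verify the hashes when transferring objects") appears to go too. Readers of the new version get two commands with no stated purpose; suggest keeping a one-line explanation of each. Note also that only annex.securehashesonly is what `git annex config --set` propagates to new clones; annex.verify is not, so if the tip wants new clones to override a global gitconfig for annex.verify, that still has to be done with `git config` in each clone, and the text should say so.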
@ -3,6 +3,8 @@ that it could be used for a SHA1 collision attack. So, a signed git commit
could point to a tree with such a key in it, and the blob for the key could
have two versions with the same SHA1.

> All issues below are [[done]] --[[Joey]]

Users who want to use git-annex with signed commits to mitigate git's own
SHA1 insecurities would like at least a way to disable the insecure
git-annex backends:

@ -82,7 +84,8 @@ Or, we can document this gotcha.
> > change their behavior, although new ones will. That's a mixed
> > blessing; it makes it harder to switch an existing repo to disallowing
> > SHA1/URL/WORM, but an accidental/malicious re-enabling won't affect
> > clones made while it was disabled.
> > clones made while it was disabled.
> > > This is done now.
> >
> > Could a repository be configured to either always disallow
> > SHA1/URL/WORM, or always allow them, and then not let that be changed?
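Review bot: "> > clones made while it was disabled." appears twice with identical visible text, and the header counts (-82,7 +84,8) imply one line removed and two added, so this is most likely a whitespace-only change to that line (trailing whitespace or indentation) accompanying the new "> > > This is done now." reply. If the whitespace change is unintentional, drop it so the hunk only adds the reply; if it is intentional, it is worth a word in the commit message, since whitespace noise in a wiki page makes later blame and review harder.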