inheritable annex.securehashesonly

* init: When annex.securehashesonly has been set with git-annex config,
  copy that value to the annex.securehashesonly git config.
* config --set: As well as setting value in git-annex branch,
  set local gitconfig. This is needed especially for
  annex.securehashesonly, which is read only from local gitconfig and not
  the git-annex branch.

doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn has the
rationale for doing it this way. There's no perfect solution; this
seems to be the least-bad one.

This commit was supported by the NSF-funded DataLad project.
Joey Hess 2017-02-27 16:08:16 -04:00
parent 6e0e7d885c
commit e53070c1ff
No known key found for this signature in database
GPG key ID: C910D9222512E3C7
7 changed files with 51 additions and 10 deletions


@ -1,6 +1,6 @@
{- git-annex repository initialization
-
- Copyright 2011-2016 Joey Hess <id@joeyh.name>
- Copyright 2011-2017 Joey Hess <id@joeyh.name>
-
- Licensed under the GNU GPL version 3 or higher.
-}
@ -26,6 +26,7 @@ import qualified Git.Objects
import qualified Annex.Branch
import Logs.UUID
import Logs.Trust.Basic
import Logs.Config
import Types.TrustLevel
import Annex.Version
import Annex.Difference
@ -110,6 +111,7 @@ initialize' mversion = do
, unlessM isBareRepo
switchHEADBack
)
propigateSecureHashesOnly
createInodeSentinalFile False
uninitialize :: Annex ()
@ -257,3 +259,12 @@ initSharedClone True = do
u <- getUUID
trustSet u UnTrusted
setConfig (annexConfig "hardlink") (Git.Config.boolConfig True)
{- Propigate annex.securehashesonly from then global config to local
- config. This makes a clone inherit a parent's setting, but once
- a repository has a local setting, changes to the global config won't
- affect it. -}
propigateSecureHashesOnly :: Annex ()
propigateSecureHashesOnly =
maybe noop (setConfig (ConfigKey "annex.securehashesonly"))
=<< getGlobalConfig "annex.securehashesonly"
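Review bot: `propigateSecureHashesOnly` calls `setConfig` whenever the git-annex branch carries a value, so the guarantee in the comment above it (a local setting is not affected by later global changes) only holds as long as this function runs exactly once per repository; if `initialize'` is ever re-run on an already initialized repository, a branch value of `false` would silently overwrite a local `true`, which is precisely the accidental or malicious re-enabling the todo page worries about. Guarding the copy with a check that `annex.securehashesonly` is not already present in the local gitconfig (whichever Config helper returns the local value as a Maybe) would make the comment unconditionally true. Two spelling points while here: the function is new in this commit, so renaming it to `propagateSecureHashesOnly` is cheap, and "from then global config" in the comment should read "from the global config".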


@ -12,6 +12,8 @@ git-annex (6.20170215) UNRELEASED; urgency=medium
backend.
* fsck: Warn about any files whose content is present, that don't
use secure hashes, when annex.securehashesonly is set.
* init: When annex.securehashesonly has been set with git-annex config,
copy that value to the annex.securehashesonly git config.
* Added --securehash option to match files using a secure hash function,
and corresponding securehash preferred content expression.
* sync, merge: Fail when the current branch has no commits yet, instead
@ -50,6 +52,10 @@ git-annex (6.20170215) UNRELEASED; urgency=medium
* Removed support for building with the old cryptohash library.
Building with that library made git-annex not support SHA3; it's time
for that to always be supported in case SHA2 dominoes.
* config --set: As well as setting value in git-annex branch,
set local gitconfig. This is needed especially for
annex.securehashesonly, which is read only from local gitconfig and not
the git-annex branch.
-- Joey Hess <id@joeyh.name> Tue, 14 Feb 2017 15:54:25 -0400


@ -9,6 +9,7 @@ module Command.Config where
import Command
import Logs.Config
import Config
cmd :: Command
cmd = noMessages $ command "config" SectionSetup
@ -52,12 +53,14 @@ seek (SetConfig name val) = commandAction $ do
showStart name val
next $ next $ do
setGlobalConfig name val
setConfig (ConfigKey name) val
return True
seek (UnsetConfig name) = commandAction $ do
allowMessages
showStart name "unset"
next $ next $ do
unsetGlobalConfig name
unsetConfig (ConfigKey name)
return True
seek (GetConfig name) = commandAction $ do
mv <- getGlobalConfig name
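Review bot: `SetConfig` and `UnsetConfig` now write both the git-annex branch and the local gitconfig, but `GetConfig` still reads only the branch (`mv <- getGlobalConfig name`), so once a user changes the local value directly with `git config`, `git annex config --get annex.securehashesonly` reports a value that differs from the one git-annex actually enforces in this repository. Either document that `--get` shows the branch value, or have it prefer the local setting for keys that are only honoured from gitconfig. Also note that `unsetConfig (ConfigKey name)` removes a local value that may have been set deliberately by hand rather than by `config --set`; if that is intended, the man page should say so.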


@ -36,6 +36,23 @@ These settings can be overridden on a per-repository basis using
Set to true to make git-annex sync default to syncing content.
* `annex.securehashesonly`
Set to true to indicate that the repository should only use
cryptographically secure hashes
(SHA2, SHA3) and not insecure hashes (MD5, SHA1) for content.
When this is set, the contents of files using cryptographically
insecure hashes will not be allowed to be added to the repository.
Also, git-annex fsck` will complain about any files present in
the repository that use insecure hashes.
Note that this is only read from the git-annex branch by
`git annex init`, and is copied to the corresponding git config setting.
So, changes to the value in the git-annex branch won't affect a
repository once it has been initialized.
# EXAMPLE
Suppose you want to prevent git annex sync from committing changes
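Review bot: in the `annex.securehashesonly` entry, "git-annex fsck`" is missing its opening backtick and should read `` `git-annex fsck` ``. The closing paragraph would also benefit from stating the practical consequence for existing clones: since only `git annex init` copies the value, repositories initialized before the branch setting existed must run `git config annex.securehashesonly true` themselves, as the tips hunk in this commit already says.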


@ -840,6 +840,9 @@ Here are all the supported configuration settings.
Also, git-annex fsck` will complain about any files present in
the repository that use insecure hashes.
To configure the behavior in new clones of the repository,
this can be set in [[git-annex-config]].
* `annex.diskreserve`
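Review bot: the added sentence points at [[git-annex-config]] for new clones but does not say that existing clones are unaffected by that setting; a short "existing repositories need `git config annex.securehashesonly true`" here would save readers from having to find the tip page. The preceding "git-annex fsck`" context line is also missing its opening backtick.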


@ -12,16 +12,14 @@ You need git-annex 6.20170228. Upgrade if you don't have it.
git-annex can use many types of [[backends]] and not all of them are
secure. So, you need to configure git-annex to only use
cryptographically secure hashes. Also, let's make sure annex.verify
is set (it is by default, but let's override any global gitconfig setting
for it).
cryptographically secure hashes.
git annex config --set annex.securehashesonly true
Each new clone of the repository will then inherit that configuration.
But, any existing clones will not, so this should be run in them:
git config annex.securehashesonly true
git config annex.verify true
That needs to be run in every clone of the repository. This will prevent
any annexed object using an insecure hash from reaching your repository,
and it will verify the hashes when transferring objects.
It's important that all commits to the git repository are signed.
Use `git commit --gpg-sign`, or enable the commit.gpgSign configuration.
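Review bot: the rewritten prose drops the explanation of why `annex.verify` matters (the "let's make sure annex.verify is set" lines replaced by the shorter "cryptographically secure hashes." sentence), yet `git config annex.verify true` remains in the per-clone commands and the closing sentence still promises that hashes are verified on transfer. Either restore a one-line rationale for annex.verify, or have the new-clone instructions (`git annex config --set`) cover it too; as written, new clones rely on the default while existing ones are told to set it explicitly, which leaves readers unsure whether the default is safe.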


@ -3,6 +3,8 @@ that it could be used for a SHA1 collision attack. So, a signed git commit
could point to a tree with such a key in it, and the blob for the key could
have two versions with the same SHA1.
> All issues below are [[done]] --[[Joey]]
Users who want to use git-annex with signed commits to mitigate git's own
SHA1 insecurities would like at least a way to disable the insecure
git-annex backends:
@ -82,7 +84,8 @@ Or, we can document this gotcha.
> > change their behavior, although new ones will. That's a mixed
> > blessing; it makes it harder to switch an existing repo to disallowing
> > SHA1/URL/WORM, but an accidental/malicious re-enabling won't affect
> > clones made while it was disabled.
> > clones made while it was disabled.
> > > This is done now.
> >
> > Could a repository be configured to either always disallow
> > SHA1/URL/WORM, or always allow them, and then not let that be changed?