From e53070c1ff7ad71018084d88894fa5737ae901da Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 27 Feb 2017 16:08:16 -0400 Subject: [PATCH] inheritable annex.securehashesonly * init: When annex.securehashesonly has been set with git-annex config, copy that value to the annex.securehashesonly git config. * config --set: As well as setting value in git-annex branch, set local gitconfig. This is needed especially for annex.securehashesonly, which is read only from local gitconfig and not the git-annex branch. doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn has the rationalle for doing it this way. There's no perfect solution; this seems to be the least-bad one. This commit was supported by the NSF-funded DataLad project. --- Annex/Init.hs | 13 ++++++++++++- CHANGELOG | 6 ++++++ Command/Config.hs | 3 +++ doc/git-annex-config.mdwn | 17 +++++++++++++++++ doc/git-annex.mdwn | 3 +++ doc/tips/using_signed_git_commits.mdwn | 14 ++++++-------- ...1_collision_embedding_in_git-annex_keys.mdwn | 5 ++++- 7 files changed, 51 insertions(+), 10 deletions(-) diff --git a/Annex/Init.hs b/Annex/Init.hs index 3427c0049d..53fbe35f27 100644 --- a/Annex/Init.hs +++ b/Annex/Init.hs @@ -1,6 +1,6 @@ {- git-annex repository initialization - - - Copyright 2011-2016 Joey Hess + - Copyright 2011-2017 Joey Hess - - Licensed under the GNU GPL version 3 or higher. -} @@ -26,6 +26,7 @@ import qualified Git.Objects import qualified Annex.Branch import Logs.UUID import Logs.Trust.Basic +import Logs.Config import Types.TrustLevel import Annex.Version import Annex.Difference @@ -110,6 +111,7 @@ initialize' mversion = do , unlessM isBareRepo switchHEADBack ) + propigateSecureHashesOnly createInodeSentinalFile False uninitialize :: Annex () 
@@ -257,3 +259,12 @@ initSharedClone True = do u <- getUUID trustSet u UnTrusted setConfig (annexConfig "hardlink") (Git.Config.boolConfig True) + +{- Propigate annex.securehashesonly from then global config to local + - config. This makes a clone inherit a parent's setting, but once + - a repository has a local setting, changes to the global config won't + - affect it. -} +propigateSecureHashesOnly :: Annex () +propigateSecureHashesOnly = + maybe noop (setConfig (ConfigKey "annex.securehashesonly")) + =<< getGlobalConfig "annex.securehashesonly" diff --git a/CHANGELOG b/CHANGELOG index d301db75f6..c7b3b97230 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -12,6 +12,8 @@ git-annex (6.20170215) UNRELEASED; urgency=medium backend. * fsck: Warn about any files whose content is present, that don't use secure hashes, when annex.securehashesonly is set. + * init: When annex.securehashesonly has been set with git-annex config, + copy that value to the annex.securehashesonly git config. * Added --securehash option to match files using a secure hash function, and corresponding securehash preferred content expression. * sync, merge: Fail when the current branch has no commits yet, instead @@ -50,6 +52,10 @@ git-annex (6.20170215) UNRELEASED; urgency=medium * Removed support for building with the old cryptohash library. Building with that library made git-annex not support SHA3; it's time for that to always be supported in case SHA2 dominoes. + * config --set: As well as setting value in git-annex branch, + set local gitconfig. This is needed especially for + annex.securehashesonly, which is read only from local gitconfig and not + the git-annex branch. -- Joey Hess Tue, 14 Feb 2017 15:54:25 -0400 diff --git a/Command/Config.hs b/Command/Config.hs index c9b6a7b0b4..5da1960446 100644 --- a/Command/Config.hs +++ b/Command/Config.hs 
@@ -9,6 +9,7 @@ module Command.Config where import Command import Logs.Config +import Config cmd :: Command cmd = noMessages $ command "config" SectionSetup @@ -52,12 +53,14 @@ seek (SetConfig name val) = commandAction $ do showStart name val next $ next $ do setGlobalConfig name val + setConfig (ConfigKey name) val return True seek (UnsetConfig name) = commandAction $ do allowMessages showStart name "unset" next $ next $ do unsetGlobalConfig name + unsetConfig (ConfigKey name) return True seek (GetConfig name) = commandAction $ do mv <- getGlobalConfig name diff --git a/doc/git-annex-config.mdwn b/doc/git-annex-config.mdwn index dd29055b83..8b505cde30 100644 --- a/doc/git-annex-config.mdwn +++ b/doc/git-annex-config.mdwn @@ -36,6 +36,23 @@ These settings can be overridden on a per-repository basis using Set to true to make git-annex sync default to syncing content. +* `annex.securehashesonly` + + Set to true to indicate that the repository should only use + cryptographically secure hashes + (SHA2, SHA3) and not insecure hashes (MD5, SHA1) for content. + + When this is set, the contents of files using cryptographically + insecure hashes will not be allowed to be added to the repository. + + Also, git-annex fsck` will complain about any files present in + the repository that use insecure hashes. + + Note that this is only read from the git-annex branch by + `git annex init`, and is copied to the corresponding git config setting. + So, changes to the value in the git-annex branch won't affect a + repository once it has been initialized. + # EXAMPLE Suppose you want to prevent git annex sync from committing changes diff --git a/doc/git-annex.mdwn b/doc/git-annex.mdwn index 2f7635f413..e38d31eaa4 100644 --- a/doc/git-annex.mdwn +++ b/doc/git-annex.mdwn 
@@ -840,6 +840,9 @@ Here are all the supported configuration settings. Also, git-annex fsck` will complain about any files present in the repository that use insecure hashes. + + To configure the behavior in new clones of the repository, + this can be set in [[git-annex-config]]. * `annex.diskreserve` diff --git a/doc/tips/using_signed_git_commits.mdwn b/doc/tips/using_signed_git_commits.mdwn index 7b1c07edfe..c02d2cbac2 100644 --- a/doc/tips/using_signed_git_commits.mdwn +++ b/doc/tips/using_signed_git_commits.mdwn @@ -12,16 +12,14 @@ You need git-annex 6.20170228. Upgrade if you don't have it. git-annex can use many types of [[backends]] and not all of them are secure. So, you need to configure git-annex to only use -cryptographically secure hashes. Also, let's make sure annex.verify -is set (it is by default, but let's override any global gitconfig setting -for it). +cryptographically secure hashes. + + git annex config --set annex.securehashesonly true + +Each new clone of the repository will then inherit that configuration. +But, any existing clones will not, so this should be run in them: git config annex.securehashesonly true - git config annex.verify true - -That needs to be run in every clone of the repository. This will prevent -any annexed object using an insecure hash from reaching your repository, -and it will verify the hashes when transferring objects. It's important that all commits to the git repository are signed. Use `git commit --gpg-sign`, or enable the commit.gpgSign configuration. diff --git a/doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn b/doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn index 2f345a088a..37da39a8d2 100644 --- a/doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn +++ b/doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn 
@@ -3,6 +3,8 @@ that it could be used for a SHA1 collision attack. So, a signed git commit could point to a tree with such a key in it, and the blob for the key could have two versions with the same SHA1. +> All issues below are [[done]] --[[Joey]] + Users who want to use git-annex with signed commits to mitigate git's own SHA1 insecurities would like at least a way to disable the insecure git-annex backends: @@ -82,7 +84,8 @@ Or, we can document this gotcha. > > change their behavior, although new ones will. That's a mixed > > blessing; it makes it harder to switch an existing repo to disallowing > > SHA1/URL/WORM, but an accidental/malicious re-enabling won't affect -> > clones made while it was disabled. +> > clones made while it was disabled. +> > > This is done now. > > > > Could a repository be configured to either always disallow > > SHA1/URL/WORM, or always allow them, and then not let that be changed?
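Review bot: In the Annex/Init.hs hunk that adds `propigateSecureHashesOnly`, the local config is written whenever the git-annex branch carries a value, with no check for an existing local `annex.securehashesonly`, so if `git annex init` is run again on an initialized repository the local value is replaced by whatever the git-annex branch currently holds; that contradicts the new comment ("once a repository has a local setting, changes to the global config won't affect it") and the new git-annex-config.mdwn text, and it means a later change to the branch value can still flip a repository's setting at its next init. Suggest reading the existing local config first and only calling `setConfig (ConfigKey "annex.securehashesonly")` when nothing is set locally. Also, the identifier and the comment are misspelled: `propigateSecureHashesOnly` should be `propagateSecureHashesOnly`, and "from then global config" should read "from the global config".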
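Review bot: In the Command/Config.hs hunk, `setConfig (ConfigKey name) val` and `unsetConfig (ConfigKey name)` run for every key given to `config --set` / `--unset`, not only for `annex.securehashesonly`, so any name passed to `git annex config --set` is now also written verbatim into the local git config, and `--unset` removes a local value the user may have set deliberately with `git config`. If the local write is needed only for `annex.securehashesonly`, as the commit message says, consider limiting it to that key (or to the keys that are read from local gitconfig rather than the branch); otherwise the git-annex-config.mdwn hunk in this same patch should state that `--set` and `--unset` also change the local git config, which it currently does not.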
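Review bot: In the doc/git-annex-config.mdwn hunk, the added line "Also, git-annex fsck` will complain" has an unmatched backtick and should read "`git annex fsck`" so it renders as code. The same section would also benefit from saying that running `git annex config --set annex.securehashesonly true` sets the local git config of the repository it is run in (the behaviour Command/Config.hs now has), because the sentence "this is only read from the git-annex branch by `git annex init`" otherwise suggests the current repository is unaffected until it is initialized again.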
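Review bot: In the doc/tips/using_signed_git_commits.mdwn hunk, the `git config annex.verify true` line and the sentence explaining that hashes are verified when transferring objects are removed, but neither the commit message nor the CHANGELOG says why; the old text deliberately overrode any global gitconfig that might turn annex.verify off, and a reader following the updated tip no longer gets that override. If verification is still part of the recommended setup, keep `git config annex.verify true` and its explanation next to the `annex.securehashesonly` instructions; if it was dropped on purpose, say so in the commit message.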