author:    Joey Hess <joeyh@joeyh.name>  2017-02-27 16:08:16 -0400
committer: Joey Hess <joeyh@joeyh.name>  2017-02-27 16:08:23 -0400
commit:    025b8102e5741f437e970eb29593ced31b0554e4 (patch)
tree:      9c6d4376dfd3740c4c0f902bae6015278b23d0b0 /doc
parent:    acaaf842b5afbf3e6d0c0095cbe15699ab2419d3 (diff)

inheritable annex.securehashesonly

* init: When annex.securehashesonly has been set with git-annex config,
  copy that value to the annex.securehashesonly git config.
* config --set: As well as setting value in git-annex branch,
  set local gitconfig. This is needed especially for
  annex.securehashesonly, which is read only from local gitconfig and not
  the git-annex branch.

doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn has the
rationale for doing it this way. There's no perfect solution; this
seems to be the least-bad one.

This commit was supported by the NSF-funded DataLad project.

Diffstat (limited to 'doc')

    -rw-r--r--  doc/git-annex-config.mdwn                                 17
    -rw-r--r--  doc/git-annex.mdwn                                         3
    -rw-r--r--  doc/tips/using_signed_git_commits.mdwn                    14
    -rw-r--r--  doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn   5

4 files changed, 30 insertions, 9 deletions

diff --git a/doc/git-annex-config.mdwn b/doc/git-annex-config.mdwn index dd29055b8..8b505cde3 100644 --- a/doc/git-annex-config.mdwn +++ b/doc/git-annex-config.mdwn @@ -36,6 +36,23 @@ These settings can be overridden on a per-repository basis using Set to true to make git-annex sync default to syncing content. +* `annex.securehashesonly` + + Set to true to indicate that the repository should only use + cryptographically secure hashes + (SHA2, SHA3) and not insecure hashes (MD5, SHA1) for content. + + When this is set, the contents of files using cryptographically + insecure hashes will not be allowed to be added to the repository. + + Also, git-annex fsck` will complain about any files present in + the repository that use insecure hashes. + + Note that this is only read from the git-annex branch by + `git annex init`, and is copied to the corresponding git config setting. + So, changes to the value in the git-annex branch won't affect a + repository once it has been initialized. + # EXAMPLE Suppose you want to prevent git annex sync from committing changes diff --git a/doc/git-annex.mdwn b/doc/git-annex.mdwn index 2f7635f41..e38d31eaa 100644 --- a/doc/git-annex.mdwn +++ b/doc/git-annex.mdwn @@ -840,6 +840,9 @@ Here are all the supported configuration settings. Also, git-annex fsck` will complain about any files present in the repository that use insecure hashes. + + To configure the behavior in new clones of the repository, + this can be set in [[git-annex-config]]. * `annex.diskreserve` diff --git a/doc/tips/using_signed_git_commits.mdwn b/doc/tips/using_signed_git_commits.mdwn index 7b1c07edf..c02d2cbac 100644 --- a/doc/tips/using_signed_git_commits.mdwn +++ b/doc/tips/using_signed_git_commits.mdwn 
@@ -12,16 +12,14 @@ You need git-annex 6.20170228. Upgrade if you don't have it. git-annex can use many types of [[backends]] and not all of them are secure. So, you need to configure git-annex to only use -cryptographically secure hashes. Also, let's make sure annex.verify -is set (it is by default, but let's override any global gitconfig setting -for it). +cryptographically secure hashes. - git config annex.securehashesonly true - git config annex.verify true + git annex config --set annex.securehashesonly true + +Each new clone of the repository will then inherit that configuration. +But, any existing clones will not, so this should be run in them: -That needs to be run in every clone of the repository. This will prevent -any annexed object using an insecure hash from reaching your repository, -and it will verify the hashes when transferring objects. + git config annex.securehashesonly true It's important that all commits to the git repository are signed. Use `git commit --gpg-sign`, or enable the commit.gpgSign configuration. diff --git a/doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn b/doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn index 2f345a088..37da39a8d 100644 --- a/doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn +++ b/doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn @@ -3,6 +3,8 @@ that it could be used for a SHA1 collision attack. So, a signed git commit could point to a tree with such a key in it, and the blob for the key could have two versions with the same SHA1. +> All issues below are [[done]] --[[Joey]] + Users who want to use git-annex with signed commits to mitigate git's own SHA1 insecurities would like at least a way to disable the insecure git-annex backends: 
@@ -82,7 +84,8 @@ Or, we can document this gotcha. > > change their behavior, although new ones will. That's a mixed > > blessing; it makes it harder to switch an existing repo to disallowing > > SHA1/URL/WORM, but an accidental/malicious re-enabling won't affect -> > clones made while it was disabled. +> > clones made while it was disabled. +> > > This is done now. > > > > Could a repository be configured to either always disallow > > SHA1/URL/WORM, or always allow them, and then not let that be changed? |
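Review bot: in the doc/git-annex-config.mdwn hunk, the new `annex.securehashesonly` entry has a stray backtick in "Also, git-annex fsck` will complain"; it should read "Also, `git-annex fsck` will complain". The closing paragraph also says the value is read from the git-annex branch only by `git annex init` and that later changes in the branch won't affect an initialized repository, but the commit message says `git annex config --set` now writes the local git config as well; saying so here (for example "`git annex config --set` also updates the git config of the repository it is run in") stops readers concluding they must re-init after changing it.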
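Review bot: in the doc/git-annex.mdwn hunk, the unchanged context line just above the insertion carries the same missing backtick ("Also, git-annex fsck` will complain"); since this hunk already touches the paragraph, fixing it to "`git-annex fsck`" here avoids a separate typo commit. The added sentence could also mention that `git annex init` copies the branch value into git config, which is why the [[git-annex-config]] setting only takes effect in new clones.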
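Review bot: the doc/tips/using_signed_git_commits.mdwn hunk removes `git config annex.verify true` together with the sentence explaining that hashes are verified when transferring objects, and nothing replaces them. The removed text gave a reason for that line (overriding any global gitconfig that might disable annex.verify), and that reasoning is unchanged by this commit. Either keep `git config annex.verify true` next to the remaining `git config annex.securehashesonly true`, or add a sentence stating why verification on transfer no longer needs to be set explicitly. It would also help to say why existing clones need the manual `git config` step, namely that `git annex init` copies the value only when a clone is initialized, as the commit message explains.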
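Review bot: in the first doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn hunk, the new "> All issues below are [[done]] --[[Joey]]" line would be more useful with the release it landed in; the signed-commits tip in this same patch already states "You need git-annex 6.20170228", so that version can be cited here without further lookup.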
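Review bot: in the second doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn hunk, the "-> > clones made while it was disabled." / "+> > clones made while it was disabled." pair appears to be a whitespace-only change (the two lines are identical as rendered), which adds noise to the diff. The new reply "> > > This is done now." is also ambiguous about its referent, since the quoted paragraph discusses both the inheriting behaviour and its drawback for switching an existing repo; stating what is done (the setting is now inherited by new clones via git-annex config, as the commit message describes) keeps the thread readable without the commit.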