From 025b8102e5741f437e970eb29593ced31b0554e4 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 27 Feb 2017 16:08:16 -0400 Subject: inheritable annex.securehashesonly * init: When annex.securehashesonly has been set with git-annex config, copy that value to the annex.securehashesonly git config. * config --set: As well as setting value in git-annex branch, set local gitconfig. This is needed especially for annex.securehashesonly, which is read only from local gitconfig and not the git-annex branch. doc/todo/sha1_collision_embedding_in_git-annex_keys.mdwn has the rationalle for doing it this way. There's no perfect solution; this seems to be the least-bad one. This commit was supported by the NSF-funded DataLad project. --- doc/tips/using_signed_git_commits.mdwn | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) (limited to 'doc/tips/using_signed_git_commits.mdwn') diff --git a/doc/tips/using_signed_git_commits.mdwn b/doc/tips/using_signed_git_commits.mdwn index 7b1c07edf..c02d2cbac 100644 --- a/doc/tips/using_signed_git_commits.mdwn +++ b/doc/tips/using_signed_git_commits.mdwn @@ -12,16 +12,14 @@ You need git-annex 6.20170228. Upgrade if you don't have it. git-annex can use many types of [[backends]] and not all of them are secure. So, you need to configure git-annex to only use -cryptographically secure hashes. Also, let's make sure annex.verify -is set (it is by default, but let's override any global gitconfig setting -for it). +cryptographically secure hashes. - git config annex.securehashesonly true - git config annex.verify true + git annex config --set annex.securehashesonly true + +Each new clone of the repository will then inherit that configuration. +But, any existing clones will not, so this should be run in them: -That needs to be run in every clone of the repository. This will prevent -any annexed object using an insecure hash from reaching your repository, -and it will verify the hashes when transferring objects. + git config annex.securehashesonly true It's important that all commits to the git repository are signed. Use `git commit --gpg-sign`, or enable the commit.gpgSign configuration. -- cgit v1.2.3