Age | Commit message (Collapse) | Author | Files | Lines |
|
When git-send-email is invoked with --compose, it will create a cover
letter template that is not a valid RFC2822 message by itself (e.g. it
has lines starting with "GIT: " that will be removed before the message
is sent). Refuse to sign such templated messages, because the contents
are going to be modified before the message is sent and the signature is
going to be invalid anyway.
Reported-by: Paul Moore <paul@paul-moore.com>
Link: https://github.com/stacked-git/stgit/issues/414
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Splitting at 78 characters produces strings that are too long when the
leading space/tab and the trailing CRLF are added. Split at 75
characters instead, which gives us a total length of 78, leading space
and CRLF included.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
GnuPG still bails if it is unable to write to GNUPGHOME, so use a
different fix for the problem by using TemporaryDirectory and passing
that as --homedir. This additionally fixes the problem of GnuPG leaving
behind foo~ files after it performs the pubkey import.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
When we create the temporary keyring, use a NamedTemporaryFile so we
don't have to handle the cases where HOME or GNUPGHOME aren't writable.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Up the version to 0.7.0-dev for new features.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Update versions to release patatt-0.6.0, required for b4 0.9.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
There is a bug in git-mailinfo that will return slightly different
results when we have an in-body git header terminated with CRLF vs. when
we have it terminated with just LF. Avoid this by always passing stdin
contents canonicalized to single-LF.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Add a mechanism that makes it easier to sign messages via a python
library call, e.g.:
import patatt
signed = patatt.rfc2822_sign(messagebytes)
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
After a bit of a hiatus, we are ready to go with the 0.5 release.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
If gpg.program or gpg.ssh.program are set, use those values instead of
using default gpg and ssh-keygen command options.
Signed-off-by: Konstantin Ryabitsev <konstantin.ryabitsev@linux.dev>
|
|
Minor typo fix for the man page.
Signed-off-by: Anuradha Weeraman <anuradha@debian.org>
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Git is about to gain the ability to support openssh signatures, so introduce
this as a supported signature format for patatt.
To enable:
[patatt]
signingKey = openssh:~/.ssh/your-key-id.pub
Since openssh supports a number of crypto/hashing algorithms, this is
not algorithm-specific just as openpgp sigs are.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
If the From: header matched the identity on the key, we skipped adding
the i= field to the signature, however there are good reasons to always
have it in place. For example, a remailer service could be replacing
the From header with their own list header and moving the original From:
into X-Original-From. If we don't have the i= field present, then we
have no easy way to figure out who the signature belongs to.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
There wasn't an easy way to see how a failure was being determined by
GPG, so add the entire GPG status output to the debug log.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Link: https://lore.kernel.org/r/20211007165801.2313136-1-keescook@chromium.org
|
|
Kees is sending multiple patches lately, so add his key to the in-repo
keyring.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
If we're trying to cryptographically validate a message, not having a
signature is not a success (exit 0). Use a specific return code for this
condition and report it.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
We will create stable-0.4.y branch shortly to backport the fixes that
should go into 0.4.9.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Before writing the hook, make sure the .git/hooks path exists.
Reported-by: Nick Desaulniers <ndesaulniers@google.com>
Link: https://github.com/mricon/patatt/pull/1
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
When we receive both a stdin and the list of files, prefer the files
passed as params.
Reported-by: Nick Desaulniers <ndesaulniers@google.com>
Link: https://lore.kernel.org/20211004194521.e2syd25qzrgn5mzg@meerkat.local/
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
When we're creating our very first ed25519 key, use the selector name
and symlink it to be the default key for that identity instead of just
writing it out into "default". This allows us to do the following with
the default configuration:
git format-patch -1 --stdout | patatt sign | patatt validate
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Make it easy to enable a repo for signing. Instead of reading the
manpage and finding the commands to add to the sendemail-validate hook,
add a subcommand that will do it for you.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
This is basically what 0.4.5 should have been.
Signed-off-by: Konstantin Ryabitsev <konstantin.ryabitsev@linux.dev>
|
|
Hopefully, no other facepalm gotchas.
Signed-off-by: Konstantin Ryabitsev <konstantin.ryabitsev@linux.dev>
|
|
This was supposed to be fixed in d37d358c9ddd, but one of the last
things I did was to make NoKeyError overload ValidationError instead of
being its own exception. As a result, we stopped catching it properly,
unless we look for NoKeyError before everything else.
Signed-off-by: Konstantin Ryabitsev <konstantin.ryabitsev@linux.dev>
|
|
Release with a few usability bugfixes.
Signed-off-by: Konstantin Ryabitsev <konstantin.ryabitsev@linux.dev>
|
|
Fix a problem where we incorrectly reported a missing public key for a
failing signature for the cases when the public key is in the default
keyring.
Signed-off-by: Konstantin Ryabitsev <konstantin.ryabitsev@linux.dev>
|
|
We can't assume that the git directory path is '.git' from the root of
the source tree. For example, this is not the correct path if patatt is
checked out as a git submodule. We should use `git rev-parse --git-dir`
to reliably determine the git directory path. We should also surround
the path in quotes in case the user has cloned patatt in a path
containing spaces.
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Konstantin Ryabitsev <konstantin.ryabitsev@linux.dev>
Link: https://lore.kernel.org/r/20210530163623.926-1-paul@pbarker.dev
|
|
When testing patatt with patches sent to a sr.ht hosted mailing list, it
was found that long header lines (such as the X-Developer-Signature
line) were re-encoded using the MIME encoded-word syntax (RFC 2047) when
an mbox archive is generated, causing patatt to choke on the resulting
text which looks like this:
X-Developer-Signature: v=1; a=openpgp-sha256; l=672; h=from:subject;
bh=C40yOKgIfnNIUP+OW9WyPdBfljkZPpfUL1NepOODlx8=; =?utf-8?q?b=3DowGbwMvMwCF2?=
=?utf-8?q?w7xIXuiX9CvG02pJDAmb67lTNi0+IeF97TL76vtKD7xjSjaluz0o/KfmZLX8rMi7_?=
=?utf-8?q?l3M6O0pZGMQ4GGTFFFl2z951+fqDJVt7b0gHw8xhZQIZwsDFKQATydFhZJi+fFfvJ?=
=?utf-8?q?8+0MF7GrfzWnP?=
K7mAM/3n/r/UC+bprf6/g114QYGdbHcsaK7b1nanfA4IeZi1V0lL26cruXUWxgSEnNDP1FrAA=
Avoiding this issue by neatly wrapping the X-Developer-Signature header
before sending doesn't appear to be possible without making invasive
changes to git-send-email and/or the Net::SMTP perl module. The header
content generated by patatt is wrapped at 78 characters as can be seen
here from a locally signed patch file:
X-Developer-Signature: v=1; a=openpgp-sha256; l=672; h=from:subject;
bh=C40yOKgIfnNIUP+OW9WyPdBfljkZPpfUL1NepOODlx8=;
b=owGbwMvMwCF2w7xIXuiX9CvG02pJDAmbN1xO2bT4hIT3tcvsq+8rPfCOKdmU7vag8J+ak9XysyLv
Xs7p7ChlYRDjYJAVU2TZPXvX5esPlmztvSEdDDOHlQlkCAMXpwBMpG0Dw/9Kpzgpc8UsQwOPK/taW6
dFnZyy5QlXPfNCC4WTc76ft9ZnZJjI37a17fP7sxvclKJ1tm36EhITcK62Pphje9KrmOxMJg4A
Running `git send-email --smtp-debug=1 0001.patch` shows that this is
joined into a single long line before the message is sent:
Net::SMTP::_SSL=GLOB(0x5646fbdc3ac8)>>> X-Developer-Signature: v=1; a=openpgp-sha256; l=672; h=from:subject; bh=C40yOKgIfnNIUP+OW9WyPdBfljkZPpfUL1NepOODlx8=; b=owGbwMvMwCF2w7xIXuiX9CvG02pJDAmb571P2bT4hIT3tcvsq+8rPfCOKdmU7vag8J+ak9XysyLv Xs7p7ChlYRDjYJAVU2TZPXvX5esPlmztvSEdDDOHlQlkCAMXpwBM5JA3I8O5hP6Tqm7lJst0rldcux 1V7M4q8T5o1fPU6Zs+hxj+SjvN8D/DK3rn8b0m34/Xy388Yeu8jvFdJf/c6Y6LDU7Hulj01nAAAA==
So we need to accept that the X-Developer-Signature line may be quite
long and so may be re-encoded by a mail server or archiver.
The Python email.header module provides the decode_header() and
make_header() functions which can be used to handle MIME encoded-word
syntax or other header manglings which may occur. The decode_header()
function requires a str argument so we must decode our bytes before
using this function. Thankfully, RFC 2822 makes life easy here as it
says that all header content must be composed of US-ASCII characters
(see section 2.2 of the RFC) so decoding is straightforward. The header
content is re-encoded into bytes after un-mangling to avoid having to
modify every other location in patatt where the header content is
accessed.
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Konstantin Ryabitsev <konstantin.ryabitsev@linux.dev>
Link: https://lore.kernel.org/r/20210531140539.7630-1-paul@pbarker.dev
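Added example, not patatt's own code and not part of any commit above: it walks through the un-mangling described in this commit (decode the raw header as ASCII, run it through email.header, re-encode to bytes), parses the tag=value fields with whitespace inside b=/bh= discarded, reads the i= identity the "always add i=" commit above argues for, and folds a value at 75 payload characters so that continuation lines stay at 78 bytes with the leading space and CRLF (the splitting-at-75 commit above). The sample header values are constructed; the b= "signature" is just bytes(range(64)) in base64, and the t=/s= fields, the function names and the packing rule for short fields are assumptions for illustration, not patatt's exact routines.

```python
import re
from base64 import b64decode
from email.header import decode_header, make_header
from typing import Dict, List

# Constructed sample (not a real signature): a patatt-style value as an mbox
# archiver may re-encode it, RFC 2047 encoded-words wrapped around the b= tail.
# The "signature" is bytes(range(64)) in base64, the size of an ed25519 sig.
MANGLED_VALUE = (
    b"v=1; a=ed25519-sha256; t=1623000000; l=672;\n"
    b" i=dev@example.org; s=20210601; h=from:subject;\n"
    b" bh=C40yOKgIfnNIUP+OW9WyPdBfljkZPpfUL1NepOODlx8=;\n"
    b" =?utf-8?q?b=3DAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8g?=\n"
    b" =?utf-8?q?ISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+Pw=3D=3D?="
)

# The same value as the signer emitted it: folded, but not re-encoded.
PLAIN_VALUE = (
    b"v=1; a=ed25519-sha256; t=1623000000; l=672;\n"
    b" i=dev@example.org; s=20210601; h=from:subject;\n"
    b" bh=C40yOKgIfnNIUP+OW9WyPdBfljkZPpfUL1NepOODlx8=;\n"
    b" b=AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEy\n"
    b" MzQ1Njc4OTo7PD0+Pw=="
)


def unmangle_header(raw: bytes) -> bytes:
    """Undo RFC 2047 encoded-word mangling of a header value.

    RFC 2822 section 2.2 limits header content to US-ASCII, so decoding the
    raw bytes as ASCII is safe (decode_header() wants a str); the result is
    re-encoded so a byte-oriented pipeline sees the same type as before.
    Folding whitespace may survive; the field parser discards it.
    """
    text = raw.decode("ascii")
    return str(make_header(decode_header(text))).encode("ascii")


def parse_signature_fields(value: bytes) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict.  Whitespace inside the
    base64 b= and bh= values is insignificant (as in DKIM), so folding
    whitespace left by wrapping or un-mangling is removed there."""
    fields: Dict[str, str] = {}
    for part in value.decode("ascii").split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        key, val = key.strip(), val.strip()
        if key in ("b", "bh"):
            val = re.sub(r"\s+", "", val)
        fields[key] = val
    return fields


def signature_bytes(fields: Dict[str, str]) -> bytes:
    """Decode b= strictly: whitespace is already gone, so any other junk
    should be rejected rather than silently dropped."""
    return b64decode(fields["b"], validate=True)


def signer_identity(fields: Dict[str, str], from_header: str) -> str:
    """Prefer i=: a remailer may have replaced From: with the list address
    and moved the original to X-Original-From, so the identity carried in
    the signature is the one to look the key up by."""
    return fields.get("i") or from_header


def fold_signature_value(fields: Dict[str, str],
                         name: str = "X-Developer-Signature",
                         width: int = 75) -> bytes:
    """Fold the value so each physical line stays at width + 3 = 78 bytes
    once the leading space and CRLF are added (the first line carries
    'name: ' instead of the space).  Short fields are packed; long base64
    values are cut into width-sized chunks.  Caller prepends b'name: '."""
    lines: List[str] = []
    line = ""
    budget = width - len(name) - 2   # first line also holds "name: "
    keys = list(fields)
    for key in keys:
        token = f"{key}={fields[key]}" + (";" if key != keys[-1] else "")
        if len(token) > width:       # b= / bh=: flush, then chunk
            if line:
                lines.append(line)
            lines.extend(token[i:i + width] for i in range(0, len(token), width))
            line, budget = "", width
            continue
        if line and len(f"{line} {token}") > budget:
            lines.append(line)
            line, budget = "", width
        line = token if not line else f"{line} {token}"
    if line:
        lines.append(line)
    return b"\r\n ".join(l.encode("ascii") for l in lines) + b"\r\n"
```

The parser deliberately tolerates whatever spacing make_header() produces between the plain and the decoded chunks, because only the concatenated base64 matters; a validator that compared the un-mangled text byte-for-byte against the signer's folding would break again on the next archiver.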
|
|
Patatt hit a few news sources in the past few days, which resulted in
some expected commentary. Add some extra reasoning into the README that
would hopefully provide some answers to questions before they are asked.
Signed-off-by: Konstantin Ryabitsev <konstantin.ryabitsev@linux.dev>
|
|
Fix for the case when a key is added to the repository but hasn't been
committed yet -- we were looking for it in the wrong subpath.
Signed-off-by: Konstantin Ryabitsev <konstantin.ryabitsev@linux.dev>
|
|
When the matching key is found in the default gnupg keyring, set keysrc
to a special value "(default keyring)/key-fingerprint", which would
allow implementing tools to run any additional checks (e.g. uid
matching, etc).
Signed-off-by: Konstantin Ryabitsev <konstantin.ryabitsev@linux.dev>
|
|
Preparing for b4 0.7.0 release.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Instead of doing bh validation as the last step, do it at the very
start. This way we can recognize body content modifications early on
before needing to do any signature validation at all.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
This returns better errors on brand new installs, so is worth a minor
dot release.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
When keysrc returns as "None", it means that the check failed even using the
default keyring. In this case, return RES_NOKEY instead of RES_BADSIG.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
It's unlikely that we're going to be used in a situation where
user.email is not already set, but just in that case, make sure that we
give a nicer-looking error.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Let's bump to 0.4.0, so we can pull that into b4.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
I know that it doesn't matter, but the OCD part of me likes seeing the
h= value in a deterministic order.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
It is useful to sign the message-id header, because it is frequently
used as the patch identifier. Unfortunately, unless git-format-patch is
run with --thread, the message-id won't be generated until *after* the
sendemail-validate hook is invoked, so most of the time we won't end up
signing that header.
However, having this as an option is handy.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
No significant changes, mostly cleanups and better error reporting.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
I think it makes sense to use the selector by default with ed25519 keys,
as there are likely to be more than a single valid one per user.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
When we try to open a non-existent file, report a nice error instead of
just a long traceback.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Mostly readability changes.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Written in 2021, so reflect this in COPYING.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
It's already the default, but this makes sure that we don't get a
different output if someone has mailinfo.scissors set in gitconfig.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Time to cut a 0.2.0, though I expect 0.3.0 won't be too far behind.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
We need to have a way to specify other git dirs as sources, so change
how our ref: locations work. Instead of:
ref:[refname]:[subpath]
we now have:
ref:[repopath]:[refname]:[subpath]
Additionally, add a way to deal with one level of symlinks.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
We want to pass some better information about why verification failed,
if only because "we don't have a key" is not nearly as bad as "we have a
key and it actively failed verification".
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Instead of returning a list of goodsigs and throwing a ValidationError
if even one of them has failed, return a list of all sigs -- failed or
otherwise, and let the caller decide what to do with it.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
It's time to cut the first release, I think.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Don't die when running outside of a git checkout, just ignore ref:
keyring locations.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Don't backtrace all over the screen -- give a nice error message.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
- be more discerning about multival settings in gitconfig
- fix a minor crasher
- add and document a DCO requirement
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Add ed25519 and pgp signed samples.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Will need to duplicate most of it to b4, but it's good to have it in
both locations. B4 could be an overkill for someone just looking to
validate a couple of patches.
I may change my mind later and just move all of the maintainer docs into
b4, once they take final shape. :)
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Document installing and getting started as contributor.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Most of the time we ignore l= fields, because there is a way to abuse
this by appending additional unsigned content beneath attested data.
However, for lists that add footer info to bodies we want to be able to
enable this, so it is configurable; turn it on by setting:
[patatt]
trimbody = yes
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
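Added example, not patatt's own code and not part of any commit above: it shows why l= is ignored by default and what trimbody=yes trades away, and why the "do bh validation first" commit above can reject a modified body before any key or signature work. A body is hashed once at signing time; the pristine body and a body with a footer appended are then checked both ways. The sample body and footer are constructed, and the canonicalization is a simplified stand-in modelled on DKIM "simple" (an assumption, not patatt's exact routine).

```python
import base64
import hashlib
from typing import Optional, Tuple

# Constructed sample: a patch body as it was signed, and text appended after
# signing.  A list that adds footers produces the second form legitimately;
# so does anyone who wants to smuggle text underneath attested content.
SIGNED_BODY = (
    b"Fix the off-by-one in parse_header().\n"
    b"\n"
    b"Signed-off-by: Dev Eloper <dev@example.org>\n"
)
APPENDED_TAIL = (
    b"\n-- \n"
    b"This footer, or any other text, is not covered by the signature.\n"
)


def canonicalize_body(body: bytes) -> bytes:
    """Stand-in for the signer's body canonicalization (assumption, modelled
    on DKIM 'simple'): CRLF line endings, trailing empty lines collapsed to
    exactly one CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    return body.rstrip(b"\r\n") + b"\r\n"


def body_hash(body: bytes, limit: Optional[int] = None) -> Tuple[str, int]:
    """Return (base64 SHA-256 of the canonical body, its length l).  With a
    limit, only the first `limit` canonical bytes are hashed, which is what
    honouring an l= tag means."""
    canon = canonicalize_body(body)
    if limit is not None:
        canon = canon[:limit]
    digest = hashlib.sha256(canon).digest()
    return base64.b64encode(digest).decode("ascii"), len(canon)


def check_body(body: bytes, bh: str, l: int, trimbody: bool) -> bool:
    """The bh= check a validator should run before touching any key or
    signature: a mismatch already proves the body was modified.

    trimbody=False ignores l= and hashes the whole body, so appended text
    fails the check.  trimbody=True hashes only the first l bytes, which
    tolerates list footers but also hides anything appended after them."""
    got, _ = body_hash(body, l if trimbody else None)
    return got == bh


def demo() -> dict:
    """Sign once, then check pristine and appended-to bodies both ways."""
    bh, l = body_hash(SIGNED_BODY)
    tampered = SIGNED_BODY + APPENDED_TAIL
    return {
        "pristine/strict": check_body(SIGNED_BODY, bh, l, trimbody=False),
        "pristine/trimbody": check_body(SIGNED_BODY, bh, l, trimbody=True),
        "appended/strict": check_body(tampered, bh, l, trimbody=False),
        "appended/trimbody": check_body(tampered, bh, l, trimbody=True),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} {'PASS' if ok else 'FAIL'}")
```

The "appended/trimbody" case is the abuse the commit refers to: with l= honoured, the check passes although the message now carries content the signer never saw, so enabling trimbody is only sensible for lists whose footer behaviour is known and whose messages are read with that limitation in mind.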
|
|
- support validating an entire mbox file
- fix sendemail hook invocation
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Handle more errors and cache generated keyring when importing openpgp
keys.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Don't just print a traceback when we can't find the files to sign.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Let's include public key information in the header as well, for
informational purposes. Obviously, we won't use it for validation, but
since most of these messages will be logged in public-inbox, it provides
a nice trail of historical key usage data.
Additionally, we may want to implement some kind of trust-on-first-use
setup in the future, and this allows us easy access to key information
in every message.
The header is intentionally unsigned.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
There was too much passing around of parameters, so switch to using two
auxiliary classes for most of the signing/validation work. This also
more properly implements DKIM and is just generally much cleaner.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|
|
Docs and cleanups are necessary, as well as some tests. However, this
implements most of the features I planned for the proof-of-concept
implementation.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
|