|
4 | 4 |
|
5 | 5 | > [docs](https://mirrors.edge.kernel.org/pub/software/scm/git/docs/git-fast-import.html)
|
6 | 6 |
|
| 7 | + |
7 | 8 | ### cheatsheet
|
8 | 9 |
|
9 | 10 | ` GIT_SEQUENCE_EDITOR=: git rebase -i HEAD~3` <br>
|
|
13 | 14 |
|
14 | 15 | `/info/refs?service=git-receive-pack`
|
15 | 16 |
|
| 17 | +### Git Integrity |
| 18 | + |
| 19 | +> [source, https://mikegerwitz.com/2012/05/a-git-horror-story-repository-integrity-with-signed-commits#commit-history](https://mikegerwitz.com/2012/05/a-git-horror-story-repository-integrity-with-signed-commits#commit-history) |
| 20 | +
|
| 21 | +It is important to understand that the integrity of your repository guaranteed only if a hash collision cannot be created—that is, if an attacker were able to create the same SHA-1 hash with different data, then the child commit(s) would still be valid and the repository would have been successfully compromised. Vulnerabilities have been known in SHA-1 since 2005 that allow hashes to be computed faster than brute force, although they are not cheap to exploit. Given that, while your repository may be safe for now, there will come some point in the future where SHA-1 will be considered as crippled as MD5 is today. At that point in time, however, maybe Git will offer a secure migration solution to an algorithm like SHA-256 or better. Indeed, SHA-1 hashes were never intended to make Git cryptographically secure. |
| 22 | + |
| 23 | + |
| 24 | + |
| 25 | +```bash |
| 26 | +git log --show-signature \ |
| 27 | + | grep 'key ID' \ |
| 28 | + | grep -o '[A-Z0-9]\+$' \ |
| 29 | + | sort \ |
| 30 | + | uniq \ |
| 31 | + | xargs gpg --keyserver key.server.org --recv-keys $keys |
| 32 | +``` |
| 33 | + |
| 34 | + |
| 35 | +```bash |
| 36 | +git log --pretty="format:^%H$t%aN$t%s$t%G?" --show-signature \ |
| 37 | +| grep '^\^\|gpg: .*not certified' \ |
| 38 | +| awk '' |
| 39 | +``` |
| 40 | + |
| 41 | +```bash |
| 42 | +git log --pretty="format:^%H$t%aN$t%s$t%G?" --show-signature |
| 43 | +``` |
| 44 | + |
| 45 | +```bash |
| 46 | +#!/bin/sh |
| 47 | +# |
| 48 | +# Validate signatures on only direct commits and merge commits for a particular |
| 49 | +# branch (current branch) |
| 50 | +## |
| 51 | + |
| 52 | +# if a ref is provided, append range spec to include all children |
| 53 | +chkafter="${1+$1..}" |
| 54 | + |
| 55 | +# note: bash users may instead use $'\t'; the echo statement below is a more |
| 56 | +# portable option (-e is unsupported with /bin/sh) |
| 57 | +t=$( echo '\t' ) |
| 58 | + |
| 59 | +# Check every commit after chkafter (or all commits if chkafter was not |
| 60 | +# provided) for a trusted signature, listing invalid commits. %G? will output |
| 61 | +# "G" if the signature is trusted. |
| 62 | +git log --pretty="format:%H$t%aN$t%s$t%G?" "${chkafter:-HEAD}" --first-parent \ |
| 63 | + | grep -v "${t}G$" |
| 64 | + |
| 65 | +# grep will exit with a non-zero status if no matches are found, which we |
| 66 | +# consider a success, so invert it |
| 67 | +[ $? -gt 0 ] |
| 68 | +``` |
| 69 | + |
16 | 70 | ### Git Absorb
|
17 | 71 |
|
18 | 72 | [https://github.com/tummychow/git-absorb](https://github.com/tummychow/git-absorb)
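Review bot: the first pipeline ends with `| xargs gpg --keyserver key.server.org --recv-keys $keys`, where `$keys` is never defined and is redundant, because xargs already appends the key IDs it reads from stdin; drop `$keys` and either substitute a real keyserver for `key.server.org` or mark it as a placeholder. Fetching keys also only imports them: the script at the end of this section accepts a commit only when `%G?` prints `G`, which its own comment describes as a trusted signature, so commits signed with freshly received keys will still be listed until each key's validity is established in the local keyring. The second block is unfinished, since `awk ''` is an empty program and `$t` is undefined outside the script that sets it, and the third block has the same undefined `$t`; either complete them with a sentence saying what each is for or remove them, as the script already covers the same `git log --pretty="format:..."` invocation. In the script, `t=$( echo '\t' )` only yields a tab where the shell's echo interprets backslash escapes; bash's builtin echo does not unless `xpg_echo` is enabled, so on systems where /bin/sh is bash the pattern `"${t}G$"` would no longer match a tab and every commit would be reported as invalid. `t=$(printf '\t')` is portable and avoids this. Finally, the quoted paragraph is missing "is" ("the integrity of your repository is guaranteed only if"), should sit in a `>` blockquote like the source line above it, and is dated May 2012 per the URL, so its forward-looking remarks about SHA-1 weakening and a migration to SHA-256 should be flagged as of that date rather than presented as current.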
|
|