Merge #9880: Verify Tree-SHA512s in merge commits, enforce sigs are not SHA1

bbd7579 Fix regsig checking for subkey sigs in verify-commits (Matt Corallo)
d025bc7 Allow any subkey in verify-commits (Matt Corallo)
eddc77a Add comment re: why SHA1 is disabled (Peter Todd)
d9c450f Verify Tree-SHA512s in merge commits, enforce sigs are not SHA1 (Matt Corallo)
be908a6 Fail merge if there are any symlinks (Matt Corallo)

Tree-SHA512: bb66c59cc1c6b1c86d7d8be7adb0769c6598c0e28ad927409941f30af87d390521e82fc13700ee22e92db1bd571db3e19a152ec7b2c0349c6e06f5de62c0b65f
This commit is contained in:
Wladimir J. van der Laan 2017-03-06 17:19:15 +01:00
commit 4df8213b98
No known key found for this signature in database
GPG key ID: 74810B012346C9A6
5 changed files with 101 additions and 12 deletions

View file

@ -70,6 +70,14 @@ def ask_prompt(text):
print("",file=stderr) print("",file=stderr)
return reply return reply
def get_symlink_files():
files = sorted(subprocess.check_output([GIT, 'ls-tree', '--full-tree', '-r', 'HEAD']).splitlines())
ret = []
for f in files:
if (int(f.decode('utf-8').split(" ")[0], 8) & 0o170000) == 0o120000:
ret.append(f.decode('utf-8').split("\t")[1])
return ret
def tree_sha512sum(): def tree_sha512sum():
files = sorted(subprocess.check_output([GIT, 'ls-tree', '--full-tree', '-r', '--name-only', 'HEAD']).splitlines()) files = sorted(subprocess.check_output([GIT, 'ls-tree', '--full-tree', '-r', '--name-only', 'HEAD']).splitlines())
overall = hashlib.sha512() overall = hashlib.sha512()
@ -200,6 +208,12 @@ def main():
print("ERROR: Creating merge failed (already merged?).",file=stderr) print("ERROR: Creating merge failed (already merged?).",file=stderr)
exit(4) exit(4)
symlink_files = get_symlink_files()
for f in symlink_files;
print("ERROR: File %s was a symlink" % f)
if len(symlink_files) > 0:
exit(4)
# Put tree SHA512 into the message # Put tree SHA512 into the message
try: try:
first_sha512 = tree_sha512sum() first_sha512 = tree_sha512sum()

View file

@ -8,21 +8,31 @@ VALID=false
REVSIG=false REVSIG=false
IFS=' IFS='
' '
for LINE in $(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null); do if [ "$BITCOIN_VERIFY_COMMITS_ALLOW_SHA1" = 1 ]; then
GPG_RES="$(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null)"
else
# Note how we've disabled SHA1 with the --weak-digest option, disabling
# signatures - including selfsigs - that use SHA1. While you might think that
# collision attacks shouldn't be an issue as they'd be an attack on yourself,
# in fact because what's being signed is a commit object that's
# semi-deterministically generated by untrusted input (the pull-req) in theory
# an attacker could construct a pull-req that results in a commit object that
# they've created a collision for. Not the most likely attack, but preventing
# it is pretty easy so we do so as a "belt-and-suspenders" measure.
GPG_RES="$(echo "$INPUT" | gpg --trust-model always --weak-digest sha1 "$@" 2>/dev/null)"
fi
for LINE in $(echo "$GPG_RES"); do
case "$LINE" in case "$LINE" in
"[GNUPG:] VALIDSIG "*) "[GNUPG:] VALIDSIG "*)
while read KEY; do while read KEY; do
case "$LINE" in "[GNUPG:] VALIDSIG $KEY "*) VALID=true;; esac [ "${LINE#?GNUPG:? VALIDSIG * * * * * * * * * }" = "$KEY" ] && VALID=true
done < ./contrib/verify-commits/trusted-keys done < ./contrib/verify-commits/trusted-keys
;; ;;
"[GNUPG:] REVKEYSIG "*) "[GNUPG:] REVKEYSIG "*)
[ "$BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG" != 1 ] && exit 1 [ "$BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG" != 1 ] && exit 1
while read KEY; do
case "$LINE" in "[GNUPG:] REVKEYSIG ${KEY#????????????????????????} "*)
REVSIG=true REVSIG=true
GOODREVSIG="[GNUPG:] GOODSIG ${KEY#????????????????????????} " GOODREVSIG="[GNUPG:] GOODSIG ${LINE#* * *}"
esac
done < ./contrib/verify-commits/trusted-keys
;; ;;
esac esac
done done

View file

@ -1,4 +1,4 @@
71A3B16735405025D447E8F274810B012346C9A6 71A3B16735405025D447E8F274810B012346C9A6
3F1888C6DCA92A6499C4911FDBA1A67379A1A931 133EAC179436F14A5CF1B794860FEB804E669320
32EE5C4C3FA15CCADB46ABE529D4BCB6416F53EC 32EE5C4C3FA15CCADB46ABE529D4BCB6416F53EC
FE09B823E6D83A3BC7983EAA2D7F2372E50FE137 B8B3F1C0E58C15DB6A81D30C3648A882F4316B9B

View file

@ -0,0 +1 @@
b00ba6251f71fa1edaabdf809514e1bc3c67862e

View file

@ -9,7 +9,10 @@
DIR=$(dirname "$0") DIR=$(dirname "$0")
[ "/${DIR#/}" != "$DIR" ] && DIR=$(dirname "$(pwd)/$0") [ "/${DIR#/}" != "$DIR" ] && DIR=$(dirname "$(pwd)/$0")
echo "Using verify-commits data from ${DIR}"
VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root") VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root")
VERIFIED_SHA512_ROOT=$(cat "${DIR}/trusted-sha512-root-commit")
REVSIG_ALLOWED=$(cat "${DIR}/allow-revsig-commits") REVSIG_ALLOWED=$(cat "${DIR}/allow-revsig-commits")
HAVE_FAILED=false HAVE_FAILED=false
@ -17,18 +20,73 @@ IS_SIGNED () {
if [ $1 = $VERIFIED_ROOT ]; then if [ $1 = $VERIFIED_ROOT ]; then
return 0; return 0;
fi fi
VERIFY_TREE=$2
NO_SHA1=$3
if [ $1 = $VERIFIED_SHA512_ROOT ]; then
if [ "$VERIFY_TREE" = "1" ]; then
echo "All Tree-SHA512s matched up to $VERIFIED_SHA512_ROOT" > /dev/stderr
fi
VERIFY_TREE=0
NO_SHA1=0
fi
if [ "$NO_SHA1" = "1" ]; then
export BITCOIN_VERIFY_COMMITS_ALLOW_SHA1=0
else
export BITCOIN_VERIFY_COMMITS_ALLOW_SHA1=1
fi
if [ "${REVSIG_ALLOWED#*$1}" != "$REVSIG_ALLOWED" ]; then if [ "${REVSIG_ALLOWED#*$1}" != "$REVSIG_ALLOWED" ]; then
export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1 export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1
else else
export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0 export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0
fi fi
if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then
return 1; return 1;
fi fi
if [ "$VERIFY_TREE" = 1 ]; then
IFS_CACHE="$IFS"
IFS='
'
for LINE in $(git ls-tree --full-tree -r $1); do
case "$LINE" in
"12"*)
echo "Repo contains symlinks" > /dev/stderr
IFS="$IFS_CACHE"
return 1
;;
esac
done
IFS="$IFS_CACHE"
FILE_HASHES=""
for FILE in $(git ls-tree --full-tree -r --name-only $1 | LANG=C sort); do
HASH=$(git cat-file blob $1:"$FILE" | sha512sum | { read FIRST OTHER; echo $FIRST; } )
[ "$FILE_HASHES" != "" ] && FILE_HASHES="$FILE_HASHES"$'\n'
FILE_HASHES="$FILE_HASHES$HASH $FILE"
done
HASH_MATCHES=0
MSG="$(git show -s --format=format:%B $1 | tail -n1)"
case "$MSG -" in
"Tree-SHA512: $(echo "$FILE_HASHES" | sha512sum)")
HASH_MATCHES=1;;
esac
if [ "$HASH_MATCHES" = "0" ]; then
echo "Tree-SHA512 did not match for commit $1" > /dev/stderr
HAVE_FAILED=true
return 1
fi
fi
local PARENTS local PARENTS
PARENTS=$(git show -s --format=format:%P $1) PARENTS=$(git show -s --format=format:%P $1)
for PARENT in $PARENTS; do for PARENT in $PARENTS; do
if IS_SIGNED $PARENT; then if IS_SIGNED $PARENT $VERIFY_TREE $NO_SHA1; then
return 0; return 0;
fi fi
break break
@ -50,7 +108,13 @@ else
TEST_COMMIT="$1" TEST_COMMIT="$1"
fi fi
IS_SIGNED "$TEST_COMMIT" DO_CHECKOUT_TEST=0
if [ x"$2" = "x--tree-checks" ]; then
DO_CHECKOUT_TEST=1
fi
IS_SIGNED "$TEST_COMMIT" "$DO_CHECKOUT_TEST" 1
RES=$? RES=$?
if [ "$RES" = 1 ]; then if [ "$RES" = 1 ]; then
if ! "$HAVE_FAILED"; then if ! "$HAVE_FAILED"; then