bzr does not check gpg signature policy

Bug #297610 reported by Maksym Tiurin
Affects   Status      Importance   Assigned to   Milestone
Bazaar    Confirmed   Medium       Unassigned
Breezy    Triaged     Low          Unassigned

Bug Description

bzr doesn't process the option 'check_signatures' in '.bzr/branch/branch.conf' on a server.

If there is an entry 'check_signatures = require' in branch.conf on a server, the client can still make unsigned commits.

To check:
$ bzr init-repo --no-trees /tmp/test
$ bzr init-repo test && cd test
$ bzr init /tmp/test/test1
$ echo "check_signatures = require" > /tmp/test/test1/.bzr/branch/branch.conf
$ bzr checkout /tmp/test/test1 && cd test1
$ touch aaa
$ bzr add
added aaa
$ cat ~/.bazaar/bazaar.conf
[DEFAULT]
email = Maksym Tiurin <email address hidden>
editor = /usr/bin/emacs
$ bzr commit -m 'test'
Committing to: /tmp/test/test1/
added aaa
Committed revision 1.

This makes an unsigned commit.

Tags: gpg signatures
Aaron Bentley (abentley) wrote : Re: [Bug 297610] [NEW] bzr dont check signature policy in branch.conf

Maksym Tiurin wrote:
> Public bug reported:
>
> bzr doesn't process an option 'check_signatures' in
> '.bzr/branch/branch.conf' on a server.
>
> If there is an inscription 'check_signatures = require' on a server, the
> client still can make unsigned commit.

create_signatures=always will cause bzr to sign commits.

Aaron

Maksym Tiurin (mrkooll-gmail) wrote : Re: bzr dont check signature policy in branch.conf

The option 'create_signatures' doesn't resolve this problem:

mrkooll ~ > bzr init-repo --no-trees /tmp/test
mrkooll ~ > bzr init-repo test && cd test
mrkooll ~/test > bzr init /tmp/test/test1
mrkooll ~/test > echo "check_signatures = require" > /tmp/test/test1/.bzr/branch/branch.conf
mrkooll ~/test > echo "create_signatures = always" >> /tmp/test/test1/.bzr/branch/branch.conf
mrkooll ~/test > bzr checkout /tmp/test/test1 && cd test1
mrkooll ~/test/test1 > touch aaa
mrkooll ~/test/test1 > bzr add
added aaa
mrkooll ~/test/test1 > bzr commit -m 'test'
Committing to: /tmp/test/test1/
added aaa
Committed revision 1.

John A Meinel (jameinel) wrote :

We explicitly do not pay attention to the value in .bzr/branch/branch.conf for signature signing/checking.

The checking side of it is the important one, as it would allow a 3rd party to explicitly request that you *not* check the signatures on their branch, which would be in violation if you had set "check_signatures=always" in your local config.

That said, I'm not entirely sure why "create_signatures" couldn't be trusted, as you can write to that location.

Casufi (vladimirkotulskiy) wrote :

Do you plan to confirm this bug?
I think it is not secure to allow some user to ignore the "check_signatures" policy for my own branch.

Changed in bzr:
status: New → Confirmed
Alexander Belchenko (bialix) wrote :

John, Aaron.

This bug is the result of a discussion in the ru_bzr discussion group @ google. I understand that you don't read Russian, but in short, people are worried about trust when using bzr for centralized development. So if a user can't force a GPG policy on the central server, then such a "server" is not a server, it's a leaking abstraction.

This bug forces users who need reliable user identification in a centralized workflow to switch from a central server with write access for the entire team to a model with a human gatekeeper, or maybe a PQM-based workflow.

Maksym Tiurin (mrkooll-gmail) wrote :

I do not control the developers' computers, and they may not have "create_signatures=always" set.

But I insist that every commit needs a definite author, so that the author can in no way deny his authorship.

To my mind, the solution is in signing every commit. Administrative measures cannot solve this problem.

John A Meinel (jameinel) wrote :

Requiring that every commit be signed is not something that you can enforce on *users* machines. As you said, they may not have set "create_signatures=always" on their local host. Heck they may not even have gpg installed.

The only way to *reliably* do it, is to enforce things *server* side. Such as by rejecting a merge/push/commit/etc if any of the revisions being transmitted do not have a gpg signature. Then if a user's merge is rejected, they can use something like "sign-my-commits" to go back and fill in ones that they should have signed.

I'm not sure how you handle "3rd-party" contributions, but it sounds like your development group is closed so that is probably not an issue.

At the moment, it is not possible to do this with stock "bzr", so it would require extra development. Either via something like a PQM or a human gatekeeper, or some lighter-weight plugin.

Also, right now a push via bzr+ssh still has most of the work being done by the client. I believe as Andrew finishes up:
http://bazaar-vcs.org/IdealSmartPush

That will change. Also, I believe there is a requirement for a different project to disallow the Virtual FS writes (so all data comes in as a logical data and gets processed into bytes-on-disk by server-side process). So there is some development focus on implementing that.
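The server-side check John describes above (reject a push if any transmitted revision lacks a GPG signature), combined with his earlier point that the checking policy must come from the operator's own configuration and never from the pushed branch's branch.conf, as an added example. This is not code from the bug report, from Bazaar or from Breezy: the parents_of/has_signature repository interface, the InMemoryRepository class, the demo revision graph and the revision ids "r1", "r2", "side" and "r3" are constructed for the demonstration; only install_bzr_hook() uses real bzrlib names (Branch.hooks.install_named_hook, the pre_change_branch_tip hook, Repository.get_parent_map, Repository.has_signature_for_revision_id and errors.TipChangeRejected), and those are not exercised when the module runs stand-alone.

```python
"""Server-side "reject unsigned revisions" check of the kind John Meinel
describes. Added example, not code from the bug report or from Bazaar/Breezy:
the parents_of/has_signature interface, InMemoryRepository and the demo
revision ids are constructed here; only install_bzr_hook() uses real bzrlib names.
"""

NULL_REVISION = "null:"   # bzr's sentinel revision id for "no parent"


class InMemoryRepository(object):
    """Constructed stand-in for a bzr Repository: parent map plus signed set."""

    def __init__(self, parent_map, signed):
        self._parents = dict(parent_map)   # revid -> tuple of parent revids
        self._signed = set(signed)         # revids that carry a signature

    def parents_of(self, revid):
        return self._parents.get(revid, ())

    def has_signature(self, revid):
        return revid in self._signed       # presence only, not validity


def _ancestry(repo, tip, stop):
    """Every revision reachable from tip that is not in stop. Iterative, since
    a push may carry thousands of revisions."""
    seen, stack = set(), [tip]
    while stack:
        rid = stack.pop()
        if rid == NULL_REVISION or rid in stop or rid in seen:
            continue
        seen.add(rid)
        stack.extend(repo.parents_of(rid))
    return seen


def new_revisions(repo, old_revid, new_revid):
    """Revisions the tip change introduces: reachable from the new tip but not
    from the old one. All parents are walked, so merged side branches count."""
    return _ancestry(repo, new_revid, _ancestry(repo, old_revid, set()))


def unsigned_revisions(repo, old_revid, new_revid):
    return sorted(r for r in new_revisions(repo, old_revid, new_revid)
                  if not repo.has_signature(r))


def check_tip_change(repo, old_revid, new_revid, server_policy):
    """Apply the *server operator's* check_signatures policy.

    server_policy must be read from configuration the operator controls (the
    server's bazaar.conf or locations.conf), never from the pushed branch's
    .bzr/branch/branch.conf, or the pusher could switch the check off.
    Returns (allowed, unsigned_revids); only "require" ever refuses.
    """
    bad = unsigned_revisions(repo, old_revid, new_revid)
    return (server_policy != "require" or not bad), bad


def install_bzr_hook(server_policy):
    """Register check_tip_change as a bzr pre_change_branch_tip hook (bzr 1.6+
    API names; bzrlib is imported lazily so the rest of the module runs without it)."""
    from bzrlib.branch import Branch
    from bzrlib import errors

    class _RepoAdapter(object):   # maps bzrlib's Repository onto parents_of/has_signature
        def __init__(self, repository):
            self._r = repository

        def parents_of(self, revid):
            return self._r.get_parent_map([revid]).get(revid, ())

        def has_signature(self, revid):
            return self._r.has_signature_for_revision_id(revid)

    def hook(params):   # ChangeBranchTipParams: branch, old_revid, new_revid, ...
        allowed, bad = check_tip_change(_RepoAdapter(params.branch.repository),
                                        params.old_revid, params.new_revid,
                                        server_policy)
        if not allowed:
            raise errors.TipChangeRejected(
                "%d unsigned revision(s) in push: %s" % (len(bad), ", ".join(bad)))

    Branch.hooks.install_named_hook("pre_change_branch_tip", hook,
                                    "Reject pushes carrying unsigned revisions")


# Constructed demo: r1 <- r2 <- r3, with an unsigned branch "side" merged into r3.
DEMO_GRAPH = {"r1": (NULL_REVISION,), "r2": ("r1",), "side": ("r1",),
              "r3": ("r2", "side")}
DEMO_SIGNED = {"r1", "r2", "r3"}

if __name__ == "__main__":
    repo = InMemoryRepository(DEMO_GRAPH, DEMO_SIGNED)
    print(check_tip_change(repo, "r1", "r3", "require"))   # (False, ['side'])
```

Two caveats a practitioner would want. First, has_signature_for_revision_id only says whether a signature is stored with the revision; it does not verify it against a keyring, so a rejection-on-absence check stops unsigned commits but not commits signed with an arbitrary key. Second, a pre_change_branch_tip hook only enforces anything on the machine where the tip change is executed; as John notes in the comment above, at the time a bzr+ssh push still did most of its work on the client, so the hook would have to be installed from a plugin's __init__.py on a server that actually performs the tip change itself.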

Jonathan Riddell (jr) wrote :

check_signatures is currently not implemented at all; I've updated the documentation to reflect this. It would be nice to have merge, push, etc. implement this, but it's probably not easy.

summary: - bzr dont check signature policy in branch.conf
+ bzr does not check gpg signature policy
tags: added: gpg
Jelmer Vernooij (jelmer)
tags: added: signatures
Changed in bzr:
importance: Undecided → Medium
Jelmer Vernooij (jelmer)
tags: added: check-for-breezy
Jelmer Vernooij (jelmer)
tags: removed: check-for-breezy
Changed in brz:
status: New → Triaged
importance: Undecided → Low