bzr does not check gpg signature policy

Bug #297610 reported by Maksym Tiurin on 2008-11-13
Affects   Status   Importance   Assigned to   Milestone
Bazaar             Medium       Unassigned
Breezy             Low          Unassigned

Bug Description

bzr doesn't process the option 'check_signatures' in '.bzr/branch/branch.conf' on a server.

If there is an entry 'check_signatures = require' on the server, the client can still make unsigned commits.

To check:
$ bzr init-repo --no-trees /tmp/test
$ bzr init-repo test && cd test
$ bzr init /tmp/test/test1
$ echo "check_signatures = require" > /tmp/test/test1/.bzr/branch/branch.conf
$ bzr checkout /tmp/test/test1 && cd test1
$ touch aaa
$ bzr add
added aaa
$ cat ~/.bazaar/bazaar.conf
[DEFAULT]
email = Maksym Tiurin <email address hidden>
editor = /usr/bin/emacs
$ bzr commit -m 'test'
Committing to: /tmp/test/test1/
added aaa
Committed revision 1.

This makes an unsigned commit.

Maksym Tiurin wrote:
> Public bug reported:
>
> bzr doesn't process an option 'check_signatures' in
> '.bzr/branch/branch.conf' on a server.
>
> If there is an inscription 'check_signatures = require' on a server, the
> client still can make unsigned commit.

create_signatures=always will cause bzr to sign commits.

Aaron

Option 'create_signatures' doesn't resolve this trouble.

mrkooll ~ > bzr init-repo --no-trees /tmp/test
mrkooll ~ > bzr init-repo test && cd test
mrkooll ~/test > bzr init /tmp/test/test1
mrkooll ~/test > echo "check_signatures = require" > /tmp/test/test1/.bzr/branch/branch.conf
mrkooll ~/test > echo "create_signatures = always" >> /tmp/test/test1/.bzr/branch/branch.conf
mrkooll ~/test > bzr checkout /tmp/test/test1 && cd test1
mrkooll ~/test/test1 > touch aaa
mrkooll ~/test/test1 > bzr add
added aaa
mrkooll ~/test/test1 > bzr commit -m 'test'
Committing to: /tmp/test/test1/
added aaa
Committed revision 1.

John A Meinel (jameinel) wrote :

We explicitly do not pay attention to the value in .bzr/branch/branch.conf for signature signing/checking.

The checking side of it is the important one, as it would allow a 3rd party to explicitly request that you *not* check the signatures on their branch, which would be in violation if you had set "check_signatures=always" in your local config.

That said, I'm not entirely sure why "create_signatures" couldn't be trusted, as you can write to that location.

Casufi (vladimirkotulskiy) wrote :

Do you plan to confirm this bug?
I think it is not secure to allow some user to ignore the "check_signatures" policy for my own branch.

Changed in bzr:
status: New → Confirmed
Alexander Belchenko (bialix) wrote :

John, Aaron.

This bug is the result of a discussion in the ru_bzr discussion group @ google. I understand that you don't read Russian, but in short people worried about trust in the case of using bzr for centralized development. So if a user can't force GPG policy on the central server, then such a "server" is not a server, it's a leaking abstraction.

This bug forces users who need reliable user identification in a centralized workflow to switch from a central server with write access for the entire team to a model with a human gatekeeper or maybe a PQM-based workflow.

Maksym Tiurin (mrkooll-gmail) wrote :

I do not control developers' computers and they may not have "create_signatures=always" installed.

But I insist that every commit needs a definite author, so that the author in no way could deny his authorship.

To my mind the solution is in signing every commit. Administrative services can not solve this problem.

John A Meinel (jameinel) wrote :

Requiring that every commit be signed is not something that you can enforce on *users* machines. As you said, they may not have set "create_signatures=always" on their local host. Heck they may not even have gpg installed.

The only way to *reliably* do it, is to enforce things *server* side. Such as by rejecting a merge/push/commit/etc if any of the revisions being transmitted do not have a gpg signature. Then if a user's merge is rejected, they can use something like "sign-my-commits" to go back and fill in ones that they should have signed.

I'm not sure how you handle "3rd-party" contributions, but it sounds like your development group is closed so that is probably not an issue.

At the moment, it is not possible to do this with stock "bzr", so it would require extra development. Either via something like a PQM or a human gatekeeper, or some lighter-weight plugin.

Also, right now a push via bzr+ssh still has most of the work being done by the client. I believe as Andrew finishes up:
http://bazaar-vcs.org/IdealSmartPush

That will change. Also, I believe there is a requirement for a different project to disallow the Virtual FS writes (so all data comes in as logical data and gets processed into bytes-on-disk by a server-side process). So there is some development focus on implementing that.
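The server-side enforcement John describes (refuse a push that advances the branch tip past any revision without a GPG signature, regardless of the client's config) can be sketched as a branch hook. This is an added example, not code from the bug report or from bzr; the hook and API names (pre_change_branch_tip, TipChangeRejected, Repository.get_parent_map, Repository.has_signature_for_revision_id) are recalled from the bzrlib API and should be treated as assumptions, and the hook only fires in the process that opens the branch, so for bzr+ssh it must be loaded by the smart server, not by clients.

```python
# Policy: refuse to advance a branch tip when any incoming revision is unsigned.
# The check is plain Python; the tail registers it with bzrlib when importable.
NULL_REVISION = "null:"  # bzr's marker for the empty ancestry

try:
    from bzrlib.branch import Branch
    from bzrlib.errors import TipChangeRejected
except ImportError:  # not inside bzr: stand-ins so the module still loads
    Branch = None
    class TipChangeRejected(Exception): pass

def new_revisions(get_parents, old_tip, new_tip):
    """Ids reachable from new_tip but not from old_tip, i.e. the pushed revisions."""
    def ancestry(tip):
        seen, stack = set(), [tip]
        while stack:
            rev = stack.pop()
            if rev == NULL_REVISION or rev in seen:
                continue
            seen.add(rev)
            stack.extend(get_parents(rev) or ())
        return seen
    return ancestry(new_tip) - ancestry(old_tip)

def unsigned_revisions(get_parents, has_signature, old_tip, new_tip):
    """Sorted list of newly introduced revisions that carry no signature."""
    return sorted(r for r in new_revisions(get_parents, old_tip, new_tip)
                  if not has_signature(r))

# Constructed sample graph: r1 <- r2 <- r3, with m1 (based on r2) merged into r3.
SAMPLE_PARENTS = {"r1": [NULL_REVISION], "r2": ["r1"], "m1": ["r2"], "r3": ["r2", "m1"]}
SAMPLE_SIGNED = {"r1", "r2", "r3"}  # m1 is deliberately left unsigned

def check_sample():
    # A push moving the tip from r1 to r3 brings in r2, m1, r3; only m1 is unsigned.
    return unsigned_revisions(SAMPLE_PARENTS.get, SAMPLE_SIGNED.__contains__, "r1", "r3")

def reject_unsigned_tip(params):
    """Hook body (assumed bzrlib API): reject the tip change if anything is unsigned."""
    repo = params.branch.repository
    get_parents = lambda r: repo.get_parent_map([r]).get(r, ())
    bad = unsigned_revisions(get_parents, repo.has_signature_for_revision_id,
                             params.old_revid, params.new_revid)
    if bad:
        raise TipChangeRejected("unsigned revisions: " + ", ".join(bad))

if Branch is not None:  # registration runs only when loaded as a bzr plugin
    Branch.hooks.install_named_hook("pre_change_branch_tip", reject_unsigned_tip,
                                    "require signed revisions")
```

Because the decision is made from the repository's own graph and signature store rather than from branch.conf, a client that omits create_signatures, or a third party that edits check_signatures in a branch they control, cannot weaken it.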

Jonathan Riddell (jr) wrote :

check_signatures is currently not implemented at all, I've updated the documentation to reflect this. It would be nice to have merge, push etc implement this but it's probably not easy.

summary: - bzr dont check signature policy in branch.conf
+ bzr does not check gpg signature policy
tags: added: gpg
Jelmer Vernooij (jelmer) on 2011-09-01
tags: added: signatures
Changed in bzr:
importance: Undecided → Medium
Jelmer Vernooij (jelmer) on 2017-11-08
tags: added: check-for-breezy
Jelmer Vernooij (jelmer) on 2018-09-23
tags: removed: check-for-breezy
Changed in brz:
status: New → Triaged
importance: Undecided → Low