bug-cvs

Re: [task #4633] GPG-Signed Commits


From: Derek Price
Subject: Re: [task #4633] GPG-Signed Commits
Date: Wed, 21 Sep 2005 12:55:46 -0400
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

Jim Hyslop wrote:

> Either way, if the server is compromised, the local file ends up
> containing the exploit.


Yes, but if I ignore keyword expansion entirely (other than giving a
warning or error when keywords are present in the file at commit time),
then you won't have a CVS executable that tells you you have a valid,
signed, base revision just before it installs compromised code in your
sandbox.

If you do have keywords in your file, checking out -ko would still allow
revisions to be verified in this way.

> However, there is a difference: if CVS/Base contains the expanded
> keywords, then there is absolutely no way for me to validate the
> signature on my local copy of the file. If, on the other hand,
> CVS/Base contains the exact file as checked in by the user, I can
> validate the signature, and examine the keyword patch file to look for
> any irregularities. It's not a perfect solution, since I have to
> examine the keyword file manually, but it gets part way there.


You could do the same by parsing the output of `cvs status' or `cvs log'
and performing the substitutions with a sed script, perhaps as part of
your software build.  Perhaps this would be a good script for contrib if
no one implements secure keyword substitution after I am done with the
GPG-signed commits code.

Regards,

Derek

-- 
Derek R. Price
CVS Solutions Architect
Ximbiot <http://ximbiot.com>
v: +1 717.579.6168
f: +1 717.234.3125
<mailto:derek@ximbiot.com>
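
The approach suggested in the message above (parse `cvs log` output and do the keyword substitutions with sed on the client) is sketched here as an added example; it is not part of the original message and not code from the CVS project. The sample log is constructed, the function names are hypothetical, and the old-style `cvs log` date format is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): expand RCS keywords on the
# client from `cvs log` metadata, so the signed file is never rewritten by
# the server. All function names here are hypothetical.

# Constructed sample of `cvs log -r1.5 hello.c` output (old-style date format).
sample_log() {
cat <<'EOF'
RCS file: /cvsroot/demo/hello.c,v
Working file: hello.c
head: 1.5
----------------------------
revision 1.5
date: 2005/09/21 16:55:46;  author: dprice;  state: Exp;  lines: +2 -1
Fix greeting.
=============================================================================
EOF
}

# kw NAME VALUE: print a sed command turning $NAME$ or $NAME: old $ into
# $NAME: VALUE $. VALUE must already be validated (see below).
kw() { printf 's|\\$%s\\(: [^$]*\\)\\{0,1\\}\\$|$%s: %s $|g' "$1" "$1" "$2"; }

# expand_keywords LOGFILE < verified-file > expanded-file
expand_keywords() {
    log=$1
    rcs=$(sed -n 's|^RCS file: .*/\([^/]*\)$|\1|p' "$log" | head -n 1)
    rev=$(sed -n 's/^revision \([0-9][0-9.]*\)$/\1/p' "$log" | head -n 1)
    meta=$(sed -n '/^date: /p' "$log" | head -n 1)
    date=$(printf '%s\n' "$meta" | sed -n 's/^date: \([^;]*\);.*/\1/p')
    author=$(printf '%s\n' "$meta" | sed -n 's/.*author: \([^;]*\);.*/\1/p')
    state=$(printf '%s\n' "$meta" | sed -n 's/.*state: \([^;]*\);.*/\1/p')

    # The log comes from the server, which is the untrusted party here:
    # accept only a narrow character set so no field can carry sed
    # metacharacters (|, &, \, newline) or a nested $keyword$.
    for v in "$rcs" "$rev" "$date" "$author" "$state"; do
        printf '%s' "$v" | LC_ALL=C grep -Eq '^[A-Za-z0-9._,:+/ -]+$' || {
            echo "rejecting unexpected metadata field: $v" >&2
            return 1
        }
    done

    sed -e "$(kw Revision "$rev")" -e "$(kw Author "$author")" \
        -e "$(kw Date "$date")" \
        -e "$(kw Id "$rcs $rev $date $author $state")"
}
```

Run it on the file whose signature has already been checked, writing the expanded copy to the build tree so the verified original stays byte-identical.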





