Updated documentation & made file checks more robust.

This commit is contained in:
Matthias Bühlmann
2021-02-22 20:13:03 +01:00
parent 929d0a58b8
commit eda9286fb1
3 changed files with 14 additions and 5 deletions


@@ -20,7 +20,7 @@ By using this post-commit hook in a repository and thereby adding secure timesta
5. (optional) By default, a commit will fail if a timestamp token cannot be retrieved. If you want to make timestamping optional for a certain tsa, you can set
`git config --local --type=bool timestamping.tsa0.optional true`.
If `optional` is set to true and a timestamping token cannot be retrieved, you will receive a warning but the commit will be created nevertheless.
7. (optional) You might want to add this README.md and the [docs](docs/) folder or this repository to your repository as well, so that documentation of the timestamps is guaranteed to be available if the timestamps should be evaluated many years in the future.
7. (optional) You might want to add this README.md and the [docs](docs/) folder of this repository to your repository as well, so that documentation of the timestamps is guaranteed to be available if the timestamps should be evaluated many years in the future.
From now on, every `git commit` will automatically tigger an additional commit that securely timestamps it.


@@ -117,19 +117,25 @@ retrieve_crl_for_most_recent_parent_timestamps() {
#iterate over extracted token and download CRL data
for (( i=0; i<"$NUM_EXTRACTED"; i++)); do
local TOKEN_FILE="${TOKEN_ARRAY[$i]}"
local TSA_URL="${URL_ARRAY[$i]}"
local DIGEST
get_token_digest "$TOKEN_FILE" DIGEST
local SIGNING_CERT_ID
get_tsa_cert_id "$TOKEN_FILE" SIGNING_CERT_ID
#get certificate chain of this token from LTV data
local CERT_CHAIN_FILE="$LTV_DIR"/certs/"$SIGNING_CERT_ID".cer
if [ ! -f "$CERT_CHAIN_FILE" ]; then
if [ ! -s "$CERT_CHAIN_FILE" ]; then
#If LTV data is not in the working directory, check it out from the corresponding commit
local TMP_CERT_CHAIN_FILE="$TMP_DIR"/"$SIGNING_CERT_ID".cer
local PATH_SPEC=$(realpath --relative-to="$ROOT_DIR" "$CERT_CHAIN_FILE")
local CERT_CHAIN_CONTENT=$(git show "$COMMIT_HASH":"$PATH_SPEC") && printf "%s" "$CERT_CHAIN_CONTENT" > "$TMP_CERT_CHAIN_FILE"
CERT_CHAIN_FILE="$TMP_CERT_CHAIN_FILE"
fi
if [ ! -s "$CERT_CHAIN_FILE" ]; then
CERT_CHAIN_FILE="$TMP_LTV_DIR"/certs/"$SIGNING_CERT_ID".cer
build_certificate_chain_for_token "$TOKEN_FILE" "$DIGEST" "$TSA_URL" "$CERT_CHAIN_FILE"
fi
assert "[ -s $CERT_CHAIN_FILE ]" "Certificate chain could neither be extracted from LTV data nor reconstructed."
#download CRL file
local CRL_CHAIN_FILE="$TMP_LTV_DIR"/crls/"$SIGNING_CERT_ID".crl
if ! download_crls_for_chain "$CERT_CHAIN_FILE" "$CRL_CHAIN_FILE"; then
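Review bot: In the new line `assert "[ -s $CERT_CHAIN_FILE ]" "Certificate chain could neither be extracted from LTV data nor reconstructed."` the path is expanded unquoted inside the test string, so if `assert` evaluates its first argument (as the other call sites suggest) a path containing whitespace, e.g. under `$TMP_LTV_DIR`, turns the test into a malformed expression instead of a real existence check. Quote the path inside the string, `assert "[ -s \"$CERT_CHAIN_FILE\" ]" "Certificate chain could neither be extracted from LTV data nor reconstructed."`. Separately, on the `git show` line the `local` prefix masks the command's exit status, so the `&& printf` branch runs even when the object is absent and writes an empty file; the new `-s` check happens to catch that, but splitting declaration from assignment, `local CERT_CHAIN_CONTENT; CERT_CHAIN_CONTENT=$(git show "$COMMIT_HASH":"$PATH_SPEC") && printf "%s" "$CERT_CHAIN_CONTENT" > "$TMP_CERT_CHAIN_FILE"`, makes the fallback deliberate rather than accidental. The enclosing function retrieve_crl_for_most_recent_parent_timestamps starts before the hunk and continues past it.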


@@ -537,6 +537,9 @@ download_crls_for_chain() {
| awk '/-----BEGIN CERTIFICATE-----/ { i++; } /-----BEGIN CERTIFICATE-----/, /-----END CERTIFICATE-----/ \
{ print > tmpdir i ".extracted.pem.cer" }' tmpdir="$TMP_DIR/"
local NUM_EXTRACTED=$(find "$TMP_DIR" -maxdepth 1 -name "*.extracted.pem.cer" -printf '.' | wc -m)
assert "[ $NUM_EXTRACTED -gt 0 ]" "Precondition: Certificate file $CERT_FILE must contain at least one certificate in PEM format."
#iterate over certificates. Ignore self-signed certificates
ls "$TMP_DIR"/*.extracted.pem.cer | while read EXTRACTED_CERT; do
if ! openssl verify -CAfile "$EXTRACTED_CERT" "$EXTRACTED_CERT" &> "$OUT_STREAM"; then
@@ -579,7 +582,7 @@ verify_token_and_add_ltv_data() {
local SIGNING_CERT_ID
get_tsa_cert_id "$TOKEN_FILE" SIGNING_CERT_ID
local CERT_CHAIN_FILE="$LTV_DIR"/certs/"$SIGNING_CERT_ID".cer
if [ ! -f "$CERT_CHAIN_FILE" ]; then
if [ ! -s "$CERT_CHAIN_FILE" ]; then
CERT_CHAIN_FILE="$TMP_LTV_DIR"/certs/"$SIGNING_CERT_ID".cer
#try to build full chain.
if ! build_certificate_chain_for_token "$TOKEN_FILE" "$DIGEST" "$TSA_URL" "$CERT_CHAIN_FILE"; then
@@ -594,7 +597,7 @@ verify_token_and_add_ltv_data() {
#verify token and download CRL data
local CRL_CHAIN_FILE="$TMP_LTV_DIR"/crls/"$SIGNING_CERT_ID.crl"
#only download CRL data if it hasn't been already in a previous step
if [ ! -f "$CRL_CHAIN_FILE" ]; then
if [ ! -s "$CRL_CHAIN_FILE" ]; then
if ! download_crls_for_chain "$CERT_CHAIN_FILE" "$CRL_CHAIN_FILE"; then
echo "Could not download CRL data for $TOKEN_FILE"
return 1
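Review bot: The `-s` test on the new line `if [ ! -s "$CRL_CHAIN_FILE" ]; then` (and the matching change for the certificate chain in the hunk above, `if [ ! -s "$CERT_CHAIN_FILE" ]; then`) only rejects an empty file; a truncated or otherwise malformed file left behind by an interrupted earlier download is non-empty and would be reused rather than refetched. If the temporary LTV directory can survive between runs, consider checking that the file actually parses before skipping the download, for example `if ! openssl crl -in "$CRL_CHAIN_FILE" -noout 2>/dev/null; then` (this validates at least the first CRL if the file holds several). The enclosing function verify_token_and_add_ltv_data starts before the hunk and continues past it.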