this is useful to make sure the same set of TSA are used on different
machines and that they haven't been changed.
E.g. I want to make sure I use the same TSA on my local machine as in CI
and I want to make sure the imported certificates in CI are the same as
in my local machine, so that I can trust them.
running ./.git/hooks/validate.sh -v gives me
Assertion failed: Precondition: hash -v must have length 64.
Backtrace:
[1]: ./.git/hooks/timestamping : extract_token_from_commit line 200
[2]: ./.git/hooks/validate.sh : validate_commit line 97
[3]: ./.git/hooks/validate.sh : validate_commit_and_parents line 300
[4]: ./.git/hooks/validate.sh : main line 329
this commit fixes the issue
to be requested twice for it (once with embedded certificate chain
and once without). If such a TSA url signs tokens using multiple,
alternating certificates, more than two iterations of token requests
might be necessary.
Changed digest that is being stamped from $parent_commit_hash, to
shaX(parent:$parent_commit_hash,tree:$tree_hash)
where shaX is the hash function used by the repository.
This change is so that the timestamp added also timestamps the
LTV data that is being added with the timestamp commit.
This LTV data now also contains CRLs for the LAST timestamp commit.
This ensures that timestamp lifetime of old timestamps gets
arbitrarily extended into the future with every new timestamp
added to the repository.
Further changes:
-Updated documentation
-updated schematics and changed from SVG to PNG
-added assertions, pre- and post-conditions
-added version number to timestamp commits as trailer
-added hashing algorithm used as trailer
-added digest being timestamped as trailer
-added the string that is hashed to get the digest as traile
-improved log messages of validate.sh
