signed push: fortify against replay attacks
index e6df234926b29739c79205a4be86bb421bddd8a4..2d4b45242cd68724f897624a4fde3ce206db54b0 100644 (file)
@@ -72,6 +72,24 @@ the following environment variables:
        using the same mnemonic as used in `%G?` format of `git log`
        family of commands (see linkgit:git-log[1]).
 
+`GIT_PUSH_CERT_NONCE`::
+       The nonce string the process asked the signer to include
+       in the push certificate.  If this does not match the value
+       recorded on the "nonce" header in the push certificate, it
+       may indicate that the certificate is a valid one that is
+       being replayed from a separate "git push" session.
+
+`GIT_PUSH_CERT_NONCE_STATUS`::
+`UNSOLICITED`;;
+       "git push --signed" sent a nonce when we did not ask it to
+       send one.
+`MISSING`;;
+       "git push --signed" did not send any nonce header.
+`BAD`;;
+       "git push --signed" sent a bogus nonce.
+`OK`;;
+       "git push --signed" sent the nonce we asked it to send.
+
 This hook is called before any refname is updated and before any
 fast-forward checks are performed.
 
@@ -147,6 +165,7 @@ service:
        if test -n "${GIT_PUSH_CERT-}" && test ${GIT_PUSH_CERT_STATUS} = G
        then
                (
+                       echo expected nonce is ${GIT_PUSH_NONCE}
                        git cat-file blob ${GIT_PUSH_CERT}
                ) | mail -s "push certificate from $GIT_PUSH_CERT_SIGNER" push-log@mydomain
        fi
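Review bot: The sample hook's added line expands `${GIT_PUSH_NONCE}`, but the variable this same patch documents at the top of the file is `GIT_PUSH_CERT_NONCE`, so the echo will print an empty value and readers who copy the sample will log nothing useful; change it to `echo expected nonce is ${GIT_PUSH_CERT_NONCE}`. The sample also still gates only on `GIT_PUSH_CERT_STATUS = G`, which means a validly signed certificate replayed from another session — exactly the case the new `GIT_PUSH_CERT_NONCE_STATUS` variable is meant to expose — would be mailed as if it were a fresh push; tightening the guard to `if test -n "${GIT_PUSH_CERT-}" && test "${GIT_PUSH_CERT_STATUS}" = G && test "${GIT_PUSH_CERT_NONCE_STATUS}" = OK` would make the example match the intent of the commit. Quoting `"${GIT_PUSH_CERT_STATUS}"` also avoids a shell syntax error in `test` when the variable is unset, though that line predates this change.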