post-darcs - Darcs server for darcs push to HTTP repo
=====================================================

Author: Pekka Pessi
Date: 21-Nov-2007
Requires: darcs, curl, gpg, perl, http server with CGI

This software is copyright (C) 2007 Pekka Pessi.
This software is copyright (C) 2007 Nokia Corporation.
All Rights Reserved.

You are free to distribute this software under the terms of the GNU
General Public License version 2 or later. See the file GPL for more
details.

Security Considerations
-----------------------

The post-darcs script opens access to execute the darcs apply command.
It does not check the Darcs input in any way. Darcs apply verifies the
patches with gpg; however, Darcs is a fairly complex program and there
can be security problems even in checking the patch signature before
applying it.

Consider restricting the people allowed to execute post-darcs with a
username/password as instructed below.

Installation on Server Side
---------------------------

At server end:

1) Install your public repo in /var/www/repos (or modify the setting of
   repos below). Public repositories should be writable by the cgi-bin
   user account (like www-data).

2) Protect post-darcs against public execution with username and
   password. Here are instructions to follow when working with Apache
   (on Debian or Ubuntu or similar Linux systems).

   a) Enable mod_auth_digest with, e.g.,

      $ sudo apache-modconf apache enable mod_auth_digest

   b) Set up the digest password file in, for example, /var/lib/dah:

      $ sudo mkdir /var/lib/dah
      $ sudo htdigest -c /var/lib/dah/passwd "Password for post-darcs" user

      The passwd file should be readable by the cgi-bin user account.
      The realm is "Password for post-darcs".

   c) Next add the following entry within the <Directory> directive for
      the cgi-bin directory in your /etc/apache/httpd.conf (or set up a
      separate cgi-bin directory with an extra config file in
      /etc/apache/conf.d/ or wherever your http server keeps its
      configuration):

         AuthType Digest
         AuthName "Password for post-darcs"
         AuthDigestFile /var/lib/dah/passwd
         Require valid-user

   d) Load your configuration changes with

      $ apachectl configtest && sudo apachectl restart

3) Install the post-darcs script in the cgi-bin directory, e.g.,
   /usr/lib/cgi-bin/post-darcs, so the script gets called with a URL
   like http://your.server/cgi-bin/post-darcs. Check with your browser
   that the URL a) requires authentication and b) returns a dummy text
   file like:

      : no repository

4) Write the URL http://your.server/cgi-bin/post-darcs?<repo> in the
   file /var/www/repos/<repo>/_darcs/prefs/apply-url. darcs-apply-http
   will fetch the URL and use it to launch this script. E.g.,

      $ cd /var/www/repos/dah
      $ echo '/cgi-bin/post-darcs?dah' > _darcs/prefs/apply-url

5) Install a keyring with the public keys of accepted contributors into
   /var/lib/dah/keyrings/<repo>. For more convenience, you can install
   your keyring into /var/www/repos/<repo>/_darcs/prefs/keyring.

   Note that you can also remove $verify from the post-darcs script and
   set up your own patch validation in a repo-specific way using
   _darcs/prefs/defaults.

6) Now you are set up.

Client Side
-----------

1) Install darcs-apply-http in your path, and set the environment
   variable DARCS_APPLY_HTTP=darcs-apply-http.

2) Generate a GPG key to be used with darcs using gpg --gen-key:

   $ gpg --gen-key
   gpg (GnuPG) 1.4.6; Copyright (C) 2006 Free Software Foundation, Inc.
   This program comes with ABSOLUTELY NO WARRANTY.
   This is free software, and you are welcome to redistribute it
   under certain conditions. See the file COPYING for details.

   Please select what kind of key you want:
      (1) DSA and Elgamal (default)
      (2) DSA (sign only)
      (5) RSA (sign only)
   Your selection? 5
   RSA keys may be between 1024 and 4096 bits long.
   What keysize do you want? (2048) 2048
   Requested keysize is 2048 bits
   Please specify how long the key should be valid.
            0 = key does not expire
         <n>  = key expires in n days
         <n>w = key expires in n weeks
         <n>m = key expires in n months
         <n>y = key expires in n years
   Key is valid for? (0) 1y
   Key expires at Thu 20 Nov 2008 03:22:43 PM EET
   Is this correct? (y/N) y

   You need a user ID to identify your key; the software constructs the
   user ID from the Real Name, Comment and Email Address in this form:
       "Heinrich Heine (Der Dichter)"

   Real name: Pekka Pessi
   Email address: ppessi@gmail.com
   Comment: Darcs signing key
   You selected this USER-ID:
       "Pekka Pessi (Darcs signing key) <ppessi@gmail.com>"

   Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
   You need a Passphrase to protect your secret key.

   Enter passphrase: ........ ... ........ .. ..... ......
   Repeat passphrase: ........ ... ........ .. ..... ......

   We need to generate a lot of random bytes. It is a good idea to perform
   some other action (type on the keyboard, move the mouse, utilize the
   disks) during the prime generation; this gives the random number
   generator a better chance to gain enough entropy.
   +++++
   .........+++++
   gpg: key 82650130 marked as ultimately trusted
   public and secret key created and signed.

   gpg: checking the trustdb
   gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
   gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
   gpg: next trustdb check due at 2008-11-19
   pub   2048R/82650130 2007-11-21 [expires: 2008-11-20]
         Key fingerprint = 8E78 970B 2CD9 57A5 5B8C E198 83A0 206F 8265 0130
   uid                  Pekka Pessi (Darcs signing key) <ppessi@gmail.com>

   Note that this key cannot be used for encryption.  You may want to use
   the command "--edit-key" to generate a subkey for this purpose.
   $

   The key ID is on the line "gpg: key ....... marked as ultimately
   trusted".
   Export your GPG key (82650130 should be replaced with the key ID you
   just generated):

   $ gpg --export -a 82650130

3) Generate a htdigest entry:

   $ htdigest -c /dev/stdout "Password for post-darcs" user
   Adding password for ppessi in realm post-darcs.
   New password:
   Re-type new password:
   user:Password for post-darcs:abf90ef387092b7ebf4831768c2bb5f8

4) Send the htdigest entry and GPG key to your darcs server admin. The
   admin will append the htdigest entry to /var/lib/dah/passwd and import
   your public key into _darcs/prefs/keyring on the appropriate repos.

5) For your convenience, add the following lines to your
   _darcs/prefs/defaults:

   --8<----8<----8<----8<----8<----8<----8<----8<--
   # used by darcs-apply-http
   send sign-as 82650130
   push sign-as 82650130
   -->8---->8---->8---->8---->8---->8---->8---->8--

   82650130 should be replaced with the key ID you generated above.
6) Add curl options to _darcs/prefs/darcs-apply-http.curl:

   --8<----8<----8<----8<----8<----8<----8<----8<--
   digest
   user=user:password
   -->8---->8---->8---->8---->8---->8---->8---->8--

   where user:password are the username and password you used with
   htdigest.

See Also
--------

Other exciting software you might consider is gpg-agent.
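The Security Considerations section warns that post-darcs does not check its input, and server step 5 notes that $verify can be replaced by repo-specific validation. The POSIX shell wrapper below is an added example, not part of post-darcs, of what such validation can look like: it restricts the repository name taken from the query string to a safe character set so it cannot escape the repos directory, and verifies the bundle against that repo's keyring (the /var/www/repos/<repo>/_darcs/prefs/keyring layout from step 5) before darcs apply ever parses it. REPOS_DIR and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of post-darcs: a repo-specific validation
# wrapper for the "set up your own patch validation" note above.
# Assumed layout (as in the README): repositories under /var/www/repos,
# per-repo keyring at <repo>/_darcs/prefs/keyring.
REPOS_DIR="${REPOS_DIR:-/var/www/repos}"

# Accept only a plain repository name (letters, digits, '_' and '-'),
# so a query string such as "../../etc" cannot escape REPOS_DIR and no
# shell metacharacters reach the commands below.
validate_repo_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the keyring path for a validated repo; fail if it is unreadable.
keyring_for() {
    validate_repo_name "$1" || return 1
    kr="$REPOS_DIR/$1/_darcs/prefs/keyring"
    [ -r "$kr" ] || return 1
    printf '%s\n' "$kr"
}

# Verify the bundle's signature against the repo keyring only (never the
# web user's default keyring) before darcs parses the bundle at all.
verify_bundle() {
    kr=$(keyring_for "$1") || return 1
    gpg --batch --no-default-keyring --keyring "$kr" \
        --verify "$2" >/dev/null 2>&1
}

# Apply only after our own check passed; darcs --verify re-checks the
# signature against the same keyring as a second line of defence.
apply_bundle() {
    verify_bundle "$1" "$2" || return 1
    kr="$REPOS_DIR/$1/_darcs/prefs/keyring"
    darcs apply --all --verify "$kr" --repodir "$REPOS_DIR/$1" "$2"
}

# Usage when run as a script: <this script> <repo> <bundle-file>
if [ "$#" -eq 2 ]; then
    apply_bundle "$1" "$2"
fi
```

A CGI caller would pass the repository name parsed from QUERY_STRING as the first argument and the bundle saved from the request body as the second; a rejected name or a missing keyring fails closed before gpg or darcs run.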