git-receive-pack(1)
===================

NAME
----
git-receive-pack - Receive what is pushed into the repository

SYNOPSIS
--------
[verse]
'git-receive-pack' <directory>

DESCRIPTION
-----------
Invoked by 'git send-pack' and updates the repository with the
information fed from the remote end.

This command is usually not invoked directly by the end user.
The UI for the protocol is on the 'git send-pack' side, and the
program pair is meant to be used to push updates to a remote
repository. For pull operations, see linkgit:git-fetch-pack[1].

The command allows for creation and fast-forwarding of sha1 refs
(heads/tags) on the remote end (strictly speaking, it is the
local end 'git-receive-pack' runs, but to the user who is sitting at
the send-pack end, it is updating the remote. Confused?)

There are other real-world examples of using update and
post-update hooks found in the Documentation/howto directory.

'git-receive-pack' honours the receive.denyNonFastForwards config
option, which tells it whether updates to a ref should be denied if
they are not fast-forwards. The option applies to every ref alike;
finer-grained policy belongs in the hooks described below.

OPTIONS
-------
<directory>::
	The repository to sync into.

pre-receive Hook
----------------
Before any ref is updated, if $GIT_DIR/hooks/pre-receive file exists
and is executable, it will be invoked once with no parameters. The
standard input of the hook will be one line per ref to be updated:

       sha1-old SP sha1-new SP refname LF

The refname value is relative to $GIT_DIR; e.g. for the master
head this is "refs/heads/master". The two sha1 values before
each refname are the object names for the refname before and after
the update. Refs to be created will have sha1-old equal to 0\{40},
while refs to be deleted will have sha1-new equal to 0\{40}, otherwise
sha1-old and sha1-new should be valid objects in the repository.

When accepting a signed push (see linkgit:git-push[1]), the signed
push certificate is stored in a blob and an environment variable
`GIT_PUSH_CERT` can be consulted for its object name. See the
description of `post-receive` hook for an example.

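What a pre-receive hook can do with `GIT_PUSH_CERT` once it has the
blob is shown below. This is an added illustration, not code from this
manual page or from git itself. It assumes the certificate blob is laid
out like a signed tag: a text body of header lines, a blank line, one
"sha1-old SP sha1-new SP refname" line per update, and then an appended
armoured PGP signature block. Two checks matter before trusting the
certificate: the updates it lists must be exactly the ones receive-pack
fed on stdin (otherwise a valid signature could be reused for a
different set of ref updates), and the signature over the body must
verify against a key the server trusts. The sample certificate embedded
for exercising the parser is constructed and its signature is a
placeholder.

```sh
#!/bin/sh
# Added example (not from git): checks a pre-receive hook can run on the
# push certificate named by GIT_PUSH_CERT. Assumed blob layout, as with a
# signed tag: header lines, blank line, one "old new ref" line per update,
# then an appended armoured PGP signature block.

SIG_BEGIN='-----BEGIN PGP SIGNATURE-----'

# cert_payload: the signed text, everything before the signature block.
cert_payload() {
	awk -v b="$SIG_BEGIN" 'index($0, b) == 1 { exit } { print }'
}

# cert_signature: only the armoured signature block.
cert_signature() {
	awk -v b="$SIG_BEGIN" 'index($0, b) == 1 { on = 1 } on { print }'
}

# cert_commands: the ref-update lines the pusher signed, i.e. the lines
# between the blank header terminator and the signature.
cert_commands() {
	awk -v b="$SIG_BEGIN" '
		index($0, b) == 1 { exit }
		body { print; next }
		$0 == "" { body = 1 }'
}

# cert_covers_push CERT CMDS: the certificate must list exactly the updates
# receive-pack fed us on stdin (saved in CMDS), in any order; otherwise a
# valid signature could be replayed against different ref updates.
cert_covers_push() {
	[ "$(cert_commands <"$1" | sort)" = "$(sort <"$2")" ]
}

# verify_cert_signature CERT: detached-signature check of the split payload
# with gpg. Needs the pusher's public key in the hook user's keyring.
verify_cert_signature() {
	dir=$(mktemp -d) || return 1
	cert_payload <"$1" >"$dir/payload"
	cert_signature <"$1" >"$dir/payload.asc"
	gpg --batch --verify "$dir/payload.asc" "$dir/payload" 2>/dev/null
	rc=$?
	rm -rf "$dir"
	return $rc
}

# sample_cert: a constructed certificate for exercising the parsing above;
# the signature block is a placeholder and will not verify.
sample_cert() {
	cat <<'EOF'
certificate version 0.1
pusher A U Thor <author@example.com> 1410570000 +0000

0000000000000000000000000000000000000000 1111111111111111111111111111111111111111 refs/heads/master
2222222222222222222222222222222222222222 3333333333333333333333333333333333333333 refs/heads/next
-----BEGIN PGP SIGNATURE-----
(placeholder, constructed for this example)
-----END PGP SIGNATURE-----
EOF
}

# main: the hook body. Saves the update lines from stdin, fetches the
# certificate blob and rejects the push unless both checks pass.
main() {
	cmds=$(mktemp) || exit 1
	cat >"$cmds"
	if [ -z "${GIT_PUSH_CERT-}" ]; then
		echo "rejected: this repository accepts only signed pushes" >&2
		rm -f "$cmds"; exit 1
	fi
	cert=$(mktemp) || exit 1
	git cat-file blob "$GIT_PUSH_CERT" >"$cert"
	status=0
	cert_covers_push "$cert" "$cmds" ||
		{ echo "rejected: certificate does not cover the pushed refs" >&2; status=1; }
	verify_cert_signature "$cert" ||
		{ echo "rejected: certificate signature did not verify" >&2; status=1; }
	rm -f "$cert" "$cmds"
	exit $status
}

# Run the hook body only when invoked as the hook itself, so the functions
# can be sourced and exercised on constructed input.
case $0 in
*/pre-receive) main ;;
esac
```

Installed as $GIT_DIR/hooks/pre-receive this rejects unsigned pushes
outright; the consistency check is cheap and should run before the
signature check, since a certificate that does not describe this push
is not worth verifying.
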
This hook is called before any refname is updated and before any
fast-forward checks are performed.

If the pre-receive hook exits with a non-zero exit status no updates
will be performed, and the update, post-receive and post-update
hooks will not be invoked either. This can be useful to quickly
bail out if the update is not to be supported.

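The all-or-nothing exit status makes pre-receive the place for
repository-wide ref policy. The script below is an added example, not
part of this manual page or of git; the policy it enforces (that
refs/heads/master may not be deleted or rewound, and that tags may be
created but never moved or deleted) is an assumption chosen for
illustration. It relies only on the stdin format described above and
on `git merge-base --is-ancestor` for the fast-forward test, which the
hook has to perform itself because it runs before receive-pack's own
fast-forward checks.

```sh
#!/bin/sh
# Example pre-receive hook (illustration added here, not shipped with git).
# receive-pack feeds one "sha1-old SP sha1-new SP refname" line per ref on
# stdin; a non-zero exit rejects every update in the push at once.
# Policy (an assumption for this example):
#   - refs/heads/master may not be deleted or rewound (non-fast-forward)
#   - refs/tags/* may be created but never moved or deleted

ZERO=0000000000000000000000000000000000000000

# is_ancestor OLD NEW: true when OLD is reachable from NEW, i.e. OLD->NEW
# is a fast-forward. pre-receive runs before receive-pack's own
# fast-forward check, so the hook has to ask git itself.
is_ancestor() {
	git merge-base --is-ancestor "$1" "$2" 2>/dev/null
}

# check_update OLD NEW REF: return 0 to allow the update, or print a
# reason and return 1 to reject it.
check_update() {
	oval=$1 nval=$2 ref=$3
	case $ref in
	refs/heads/master)
		if [ "$nval" = "$ZERO" ]; then
			echo "rejected: deleting $ref is not allowed"
			return 1
		fi
		if [ "$oval" != "$ZERO" ] && ! is_ancestor "$oval" "$nval"; then
			echo "rejected: non-fast-forward update of $ref"
			return 1
		fi
		;;
	refs/tags/*)
		if [ "$oval" != "$ZERO" ]; then
			echo "rejected: $ref already exists; tags are immutable here"
			return 1
		fi
		;;
	esac
	return 0
}

# Evaluate every proposed update before deciding, so the pusher sees all
# the reasons for a rejection rather than only the first one.
main() {
	status=0
	while read -r oval nval ref
	do
		check_update "$oval" "$nval" "$ref" >&2 || status=1
	done
	exit $status
}

# Run the loop only when invoked as the hook itself, so the functions can
# be sourced and exercised on constructed input without blocking on stdin.
case $0 in
*/pre-receive) main ;;
esac
```

Because one failing ref fails the whole push, the messages written to
stderr are what the pusher sees in the `git push` output; there is no
way from pre-receive to accept some refs and refuse others, which is
what the update hook below is for.
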
update Hook
-----------
Before each ref is updated, if $GIT_DIR/hooks/update file exists
and is executable, it is invoked once per ref, with three parameters:

       $GIT_DIR/hooks/update refname sha1-old sha1-new

The refname parameter is relative to $GIT_DIR; e.g. for the master
head this is "refs/heads/master". The two sha1 arguments are
the object names for the refname before and after the update.
Note that the hook is called before the refname is updated,
so either sha1-old is 0\{40} (meaning there is no such ref yet),
or it should match what is recorded in refname. A ref that is being
deleted arrives with sha1-new equal to 0\{40}.

The hook should exit with non-zero status if it wants to disallow
updating the named ref. Otherwise it should exit with zero.

Successful execution (a zero exit status) of this hook does not
ensure the ref will actually be updated, it is only a prerequisite.
As such it is not a good idea to send notices (e.g. email) from
this hook. Consider using the post-receive hook instead.

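Because update runs once per ref with the old and new object names as
arguments, it is the natural place for checks over the commits a
single ref gains. The script below is an added example, not part of
this manual page or of git: it refuses to advance any branch under
refs/heads/ unless every commit new to that branch carries a `gpgsig`
header and `git verify-commit` accepts it. The raw commit texts used to
exercise the header parser are constructed for this example (the object
names and the signature body are placeholders), and the new-commit range
uses the same `rev-list` idiom as the post-receive example further down.

```sh
#!/bin/sh
# Added example update hook (not shipped with git). receive-pack invokes it as
#     $GIT_DIR/hooks/update refname sha1-old sha1-new
# once per ref; a non-zero exit rejects that one ref. Policy assumed here:
# every commit new to a branch under refs/heads/ must be GPG-signed and verify.

ZERO=0000000000000000000000000000000000000000

# commit_has_gpgsig: read a raw commit object (as printed by
# "git cat-file commit <id>") on stdin; succeed if the header carries a
# gpgsig entry. Headers end at the first blank line, so a body that merely
# mentions "gpgsig" does not count.
commit_has_gpgsig() {
	awk '$0 == "" { exit } $1 == "gpgsig" { found = 1; exit } END { exit !found }'
}

# new_commits OLD NEW: the commits NEW introduces that OLD did not have; for a
# ref being created (OLD all zeros) that is everything reachable from NEW.
new_commits() {
	if [ "$1" = "$ZERO" ]; then
		git rev-list "$2"
	else
		git rev-list "$2" "^$1"
	fi
}

# check_ref REF OLD NEW: the decision for one ref. Prints a reason and
# returns 1 to reject; tags and deletions are left to other policy.
check_ref() {
	ref=$1 oval=$2 nval=$3
	case $ref in
	refs/heads/*) ;;
	*) return 0 ;;
	esac
	[ "$nval" = "$ZERO" ] && return 0
	for c in $(new_commits "$oval" "$nval"); do
		if ! git cat-file commit "$c" | commit_has_gpgsig; then
			echo "rejected: $ref: commit $c is not signed"
			return 1
		fi
		if ! git verify-commit "$c" 2>/dev/null; then
			echo "rejected: $ref: signature on commit $c did not verify"
			return 1
		fi
	done
	return 0
}

# Constructed raw commit texts for exercising commit_has_gpgsig; the object
# names and the signature body are placeholders, not real objects.
signed_commit_text() {
	cat <<'EOF'
tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
parent 1111111111111111111111111111111111111111
author A U Thor <author@example.com> 1410570000 +0000
committer A U Thor <author@example.com> 1410570000 +0000
gpgsig -----BEGIN PGP SIGNATURE-----
 (placeholder signature lines, continued with a leading space)
 -----END PGP SIGNATURE-----

Signed commit
EOF
}

unsigned_commit_text() {
	cat <<'EOF'
tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
author A U Thor <author@example.com> 1410570000 +0000
committer A U Thor <author@example.com> 1410570000 +0000

gpgsig in the message body is not a header
EOF
}

# Decide only when invoked as the hook itself (with the three arguments
# receive-pack passes), so the functions can be sourced and exercised.
case $0 in
*/update) check_ref "$1" "$2" "$3" >&2 || exit 1 ;;
esac
```

The presence test on the `gpgsig` header is only a fast pre-filter; the
security decision is `git verify-commit`, which depends on the keyring
of the account receive-pack runs as, so the trusted signer keys have to
be provisioned there.
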
post-receive Hook
-----------------
After all refs were updated (or attempted to be updated), if any
ref update was successful, and if $GIT_DIR/hooks/post-receive
file exists and is executable, it will be invoked once with no
parameters. The standard input of the hook will be one line
for each successfully updated ref:

       sha1-old SP sha1-new SP refname LF

The refname value is relative to $GIT_DIR; e.g. for the master
head this is "refs/heads/master". The two sha1 values before
each refname are the object names for the refname before and after
the update. Refs that were created will have sha1-old equal to
0\{40}, while refs that were deleted will have sha1-new equal to
0\{40}, otherwise sha1-old and sha1-new should be valid objects in
the repository.

The `GIT_PUSH_CERT` environment variable can be inspected, just as
in `pre-receive` hook, after accepting a signed push.

Using this hook, it is easy to generate mails describing the updates
to the repository. This example script sends one mail message per
ref listing the commits pushed to the repository, and logs the push
certificates of signed pushes to a logger service:

	#!/bin/sh
	# mail out commit update information.
	while read oval nval ref
	do
		if expr "$oval" : '0*$' >/dev/null
		then
			echo "Created a new ref, with the following commits:"
			git rev-list --pretty "$nval"
		else
			echo "New commits:"
			git rev-list --pretty "$nval" "^$oval"
		fi |
		mail -s "Changes to ref $ref" commit-list@mydomain
	done
	# log signed push certificate, if any
	if test -n "${GIT_PUSH_CERT-}"
	then
		(
			git cat-file blob ${GIT_PUSH_CERT}
		) | mail -s "push certificate" push-log@mydomain
	fi
	exit 0

The exit code from this hook invocation is ignored; however, a
non-zero exit code will generate an error message.

Note that it is possible for refname to no longer point at sha1-new
when this hook runs. This can easily occur if another user modifies
the ref after it was updated by 'git-receive-pack', but before the
hook was able to evaluate it. It is recommended that hooks rely on
sha1-new rather than the current value of refname.

post-update Hook
----------------
After all other processing, if at least one ref was updated, and
if $GIT_DIR/hooks/post-update file exists and is executable, then
post-update will be called with the list of refs that have been updated.
This can be used to implement any repository-wide cleanup tasks.

The exit code from this hook invocation is ignored; the only thing
left for 'git-receive-pack' to do at that point is to exit itself
anyway.

This hook can be used, for example, to run `git update-server-info`
if the repository is packed and is served via a dumb transport.

	#!/bin/sh
	exec git update-server-info

SEE ALSO
--------
linkgit:git-send-pack[1], linkgit:gitnamespaces[7]

GIT
---
Part of the linkgit:git[1] suite