-
-
Notifications
You must be signed in to change notification settings - Fork 716
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ban unarmored GPG keys #339
Comments
Neither There's an additional issue in that the hook currently only lints That said, there's probably a way to identify the particular binary (from some reading the format seems to be defined in RFC 4880?) |
TIL
Perhaps performance would be a concern if we started linting binary files as well. The thing should be able to give up and report a negative without reading the entire file.
I might send a message to the |
Yeah the need to avoid a dependence on |
Based on the README I'd be concerned
Also, it looks like files with unrecognized extensions can't be recognized by With all that said, do you think |
The easiest thing (for now) is to probably make a free-standing hook. It may make sense in the future to have |
Alright. I'll draft something to
I tend to think that if possible, we should be able to ban them entirely, password protected or not. I don't have an opinion on what the default behavior should be -- just that if we can it would be nice to let the user toggle it with a switch. |
ban entirely seems fine to me |
Libmagic has python bindings with examples: https://github.com/file/file/tree/master/python We could port code if necessary. Not sure yet how complex that would be. |
libmagic is off the table |
Yeah, you're too fast. I think you missed my ninja edit? |
I saw your edit, I assumed you meant port the bindings which doesn't help because the gpg detection parts are inside the |
Yeah I didn't put that clearly, sorry. It's not that useful that they have examples of how to call libmagic from python. I meant more like porting C code into python. I don't have time to dig deeper right now but I wanted to leave the comment as a reminder for when I look at this again. |
if anything I think we can find the magic bytes in this file and detect those: https://github.com/file/file/blob/master/magic/Magdir/gnu |
From that file:
I don't think we need to reject symmetrically encrypted files, nor keybox files. PGP definitions here: https://github.com/file/file/blob/master/magic/Magdir/pgp This stuff jumped out at me:
I really have no idea about session keys. That's a whole 'nother thing. |
ooh neat! I saw |
Yup. Based on the comments it looks like they implemented GPG-specific stuff if and only if it isn't already identified by the PGP filetype definitions they had already. That's consistent with my testing so far. I don't see any reason why we should consider whether libmagic defines the thing as 'GPG' or 'PGP' -- the idea is to ban secret keys. After some cursory research I'm inclined to think we should ban session keys also. I can't imagine a legitimate reason to ever commit one to a git repo. |
Another self reminder. I need to look at this and evaluate it: https://github.com/cdgriffith/puremagic |
In #329 we added a ban for ASCII-armored GPG private keys. But as far as I can tell we don't have a method for detecting un-armored private keys, since they resemble unstructured binary data.
However, that doesn't mean they can't be identified (evidently):
It looks like the mime-type for PGP keys is defined here: https://tools.ietf.org/html/rfc3156
This leads to a fork in the road for implementation:
We could make a subprocess call to
file
.I don't like this for portability reasons. We don't know that
file
exists and behaves consistently everywhere pre-commit will be deployed.We could use the
magic
library.This works:
But it adds a dependency on a non-standard library:
python-magic
.We could try to emulate the mimetype matching ourselves.
Reinvents a wheel and the consequences of getting it wrong when users trust us to get it right could be bad.
What do you think?
The text was updated successfully, but these errors were encountered: