| commit | 3774fcc848da7526ffa74211cbb2781df5731125 | [log] [tgz] |
|---|---|---|
| author | Thomas Wolf <thomas.wolf@paranor.ch> | Thu Jan 07 17:11:57 2021 +0100 |
| committer | Matthias Sohn <matthias.sohn@sap.com> | Tue Feb 16 00:37:00 2021 +0100 |
| tree | 71aee433ac3a5b1c8efa2de628de7dd4560c4a5d | |
| parent | 15a38e5b4f79792c8ce85c8eddd567c32350de74 [diff] |
GPG signature verification via BouncyCastle Add a GpgSignatureVerifier interface, plus a factory to create instances thereof that is provided via the ServiceLoader mechanism. Implement the new interface for BouncyCastle. A verifier maintains an internal LRU cache of previously found public keys to speed up verifying multiple objects (tag or commits). Mergetags are not handled. Provide a new VerifySignatureCommand in org.eclipse.jgit.api together with a factory method Git.verifySignature(). The command can verify signatures on tags or commits, and can be limited to accept only tags or commits. Provide a new public WrongObjectTypeException thrown when the command is limited to either tags or commits and a name resolves to some other object kind. In jgit.pgm, implement "git tag -v", "git log --show-signature", and "git show --show-signature". The output is similar to command-line gpg invoked via git, but not identical. In particular, lines are not prefixed by "gpg:" but by "bc:". Trust levels for public keys are read from the keys' trust packets, not from GPG's internal trust database. A trust packet may or may not be set. Command-line GPG produces more warning lines depending on the trust level, warning about keys with a trust level below "full". There are no unit tests because JGit still doesn't have any setup to do signing unit tests; this would require at least a faked .gpg directory with pre-created key rings and keys, and a way to make the BouncyCastle classes use that directory instead of the default. See bug 547538 and also bug 544847. Tested manually with a small test repository containing signed and unsigned commits and tags, with signatures made with different keys and made by command-line git using GPG 2.2.25 and by JGit using BouncyCastle 1.65. Bug: 547751 Change-Id: If7e34aeed6ca6636a92bf774d893d98f6d459181 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
An implementation of the Git version control system in pure Java.
This project is licensed under the EDL (Eclipse Distribution License).
JGit can be imported straight into Eclipse and built and tested from there. It can be built from the command line using Maven or Bazel. The CI builds use Maven and run on Jenkins.
org.eclipse.jgit
A pure Java library capable of being run standalone, with no additional support libraries. It provides classes to read and write a Git repository and operate on a working directory.
All portions of JGit are covered by the EDL. Absolutely no GPL, LGPL or EPL contributions are accepted within this package.
org.eclipse.jgit.ant
Ant tasks based on JGit.
org.eclipse.jgit.archive
Support for exporting to various archive formats (zip etc).
org.eclipse.jgit.http.apache
Apache httpclient support.
org.eclipse.jgit.http.server
Server for the smart and dumb Git HTTP protocol.
org.eclipse.jgit.lfs
Support for LFS (Large File Storage).
org.eclipse.jgit.lfs.server
Basic LFS server support.
org.eclipse.jgit.packaging
Production of Eclipse features and p2 repository for JGit. See the JGit Wiki on why and how to use this module.
org.eclipse.jgit.pgm
Command-line interface Git commands implemented using JGit (“pgm” stands for program).
org.eclipse.jgit.ssh.apache
Client support for the ssh protocol based on Apache Mina sshd.
org.eclipse.jgit.ui
Simple UI for displaying git log.
Native symbolic links are supported, provided the file system supports them. For Windows you must use a non-administrator account and have the SeCreateSymbolicLinkPrivilege.
Only the timestamp of the index is used by JGit if the index is dirty.
JGit requires at least a Java 8 JDK.
CRLF conversion is performed depending on the core.autocrlf setting, however Git for Windows by default stores that setting during installation in the “system wide” configuration file. If Git is not installed, use the global or repository configuration for the core.autocrlf setting.
The system wide configuration file is located relative to where C Git is installed. Make sure Git can be found via the PATH environment variable. When installing Git for Windows check the “Run Git from the Windows Command Prompt” option. There are other options like Eclipse settings that can be used for pointing out where C Git is installed. Modifying PATH is the recommended option if C Git is installed.
We try to use the same notation of $HOME as C Git does. On Windows this is often not the same value as the user.home system property.
org.eclipse.jgit
Read loose and packed commits, trees, blobs, including deltafied objects.
Read objects from shared repositories
Write loose commits, trees, blobs.
Write blobs from local files or Java InputStreams.
Read blobs as Java InputStreams.
Copy trees to local directory, or local directory to a tree.
Lazily loads objects as necessary.
Read and write .git/config files.
Create a new repository.
Read and write refs, including walking through symrefs.
Read, update and write the Git index.
Checkout in dirty working directory if trivial.
Walk the history from a given set of commits looking for commits introducing changes in files under a specified path.
Object transport
Fetch via ssh, git, http, Amazon S3 and bundles. Push via ssh, git and Amazon S3. JGit does not yet deltify the pushed packs so they may be a lot larger than C Git packs.
Garbage collection
Merge
Rebase
And much more
org.eclipse.jgit.pgm
org.eclipse.jgit.ant
org.eclipse.jgit.archive
org.eclipse.http
There are some missing features:
Post questions, comments or discussions to the jgit-dev@eclipse.org mailing list. You need to be subscribed to post. File bugs and enhancement requests in Bugzilla.
See the EGit Contributor Guide.
More information about Git, its repository format, and the canonical C based implementation can be obtained from the Git website.