Added list of servers and certificates and reworked parts of README.md
Ocead committed Nov 29, 2021
1 parent 493b026 commit b78b0fb
Showing 4 changed files with 142 additions and 36 deletions.
88 changes: 54 additions & 34 deletions README.md
Expand Up @@ -4,8 +4,8 @@ Automatically create trusted timestamps for your commits

This software allows you to add timestamps to your contributions to a Git repository via trusted third-party
timestamping services. As specified in [RFC 3161](https://www.rfc-editor.org/rfc/rfc3161.html), these timestamps may be
used to prove the existence of data at the time the timestamp was issued. This timestamp data may serve to derive proofs
of:
used to prove the existence of data at the time the timestamp was issued and that the data wasn't changed since then.
This timestamp data may serve to derive proofs of:

* Integrity of the data to be committed
* Ownership immediately *before* the commit
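Review bot: the new clause "and that the data wasn't changed since then" should say what the change is measured against. The token commits to a hash of the diff, so it shows that the diff file you verify today is byte-identical to the one hashed at issue time (the verification step later in this README checks exactly that with `openssl ts -verify ... -data ../../.diff`); it says nothing about files not covered by that diff. Suggest "and that the timestamped data has not been altered since (any alteration makes verification fail)". Also prefer "was not" over "wasn't" in documentation prose.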
Expand All @@ -24,6 +24,9 @@ timestamps or keep them private as needed. This software runs entirely client-si

## Installation

This software can be installed to any local Git repository. Clone this repository or download its source from
the [Releases](https://github.com/Ocead/timestamping/releases) page. Then choose one of the following ways to install:

### Automatic

Run the [config.sh](config.sh) script with the path to the local repository you want to install automated timestamping
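Review bot: "installed to any local Git repository" should read "installed into"; and because the hooks are copied into `.git/hooks`, which Git does not track, the new intro should say that installation is per clone and has to be repeated for every clone that should timestamp its commits.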
Expand All @@ -48,6 +51,19 @@ to:
> make sure the scripts of this software are run **not** parallel to other hooked scripts that read or modify the
> repository.
### Deinstallation

To remove automated timestamping from a repository (provided automatic installation preceded):

1. Delete the `commit-msg`, `post-commit`, `pre-push` and `timestamping.sh` files from the `.git/hooks` directory in the
repository.
2. Unset the `ts.*` [git-config](https://git-scm.com/docs/git-config) options.

If you also want to delete any generated timestamps:

3. Force-delete the `${ts.branch.prefix}-` and `${ts.branch.prefix}/*` (`sig-` and `sig/*` by default) branches from the
repository.

## Functionality

This software uses OpenSSL to generate timestamps according to the "Internet X.509 Public Key Infrastructure Time-Stamp
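Review bot: the new removal steps only cover the local repository. Since this same commit changes the default of `ts.push.withhold` to `"false"`, timestamping branches may have been pushed, and force-deleting the local `sig-` and `sig/*` branches leaves the remote copies in place; add a note to delete them on the remote as well (`git push <remote> --delete <branch>`). Smaller points: "Deinstallation" is normally "Uninstallation" in English; step 3 sitting in a second list after a paragraph keeps its start number in CommonMark but some renderers restart at 1, so consider phrasing it as prose; and add a blank line between "> repository." and "### Deinstallation" as is done before every other heading in this file.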
Expand Down Expand Up @@ -139,7 +155,7 @@ To verify the files against each other you may use these commands (provided defa
openssl ts -verify -in response.tsr -data ../../.diff -CAfile cacert.pem
```

## Configuring time stamp authorities (TSAs)
## Configuring Time Stamp Authorities (TSAs)

A time stamp authority is a trusted third party that signs data provided to it using asymmetric keys together with the
timestamp of receiving the data. With this, the TSA confirms that it was sent the signed data at the signed timestamp.
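Review bot: the heading change to Title Case ("Configuring Time Stamp Authorities (TSAs)") is inconsistent with the rest of this README, which uses sentence case ("Configuring a new TSA", "Customising a TSA configuration", "Updating a TSA configuration"); keep "Configuring time stamp authorities (TSAs)". In the unchanged context below, "confirms that it was sent the signed data" is imprecise: the TSA receives only a hash of the data (the message imprint that `openssl ts -query` puts in the request), which is also why the diff itself never leaves the client.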
Expand All @@ -148,7 +164,7 @@ in [RFC 3161 Section 3.4](https://www.rfc-editor.org/rfc/rfc3161.html#section-3.

### Configuring a new TSA

You can configure an arbitrary number of individual TSA for each repository. To configure a new timestamping server for
You can configure an arbitrary number of individual TSAs for each repository. To configure a new timestamping server for
a repository where this software is installed to, do the following steps:

1. Check out the branch specified through `ts.branch.prefix` (`sig-` by default).<br/>
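Review bot: grammar in the unchanged context line: "a repository where this software is installed to" should be "a repository this software is installed in".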
Expand All @@ -157,80 +173,86 @@ a repository where this software is installed to, do the following steps:
git checkout sig-
```

2. In there, navigate to the server specified in `ts.server.directory` (`rfc3161` by default) and create a new
directory. The name of the directory specifies the domain of the timestamp server.<br/>
2. In there, navigate to the directory specified in `ts.server.directory` (`rfc3161` by default) and create a new
directory. The name of this directory specifies the domain of the timestamp server.<br/>
```shell
cd rfc3161
mkdir zeitstempel.dfn.de
```
If the URL of the timestamp server is a resource on a domain, you may name this directory anything and place a file
named `url` (can be changed via `ts.server.url`) containing the URL inside it instead.

3. Place the public keychain of the timestamp server inside the directory as `cacert.pem` (can be changed
via `ts.server.certificate`)

The repository should look like this afterwards (provided default options):
3. Place the public certificate bundle of the timestamp server inside the directory as `cacert.pem` (can be changed
via `ts.server.certificate`).<br/><br/>
The repository should look like this afterwards (provided default options):
```
./
└ rfc3161/
└ zeitstempel.dfn.de/
├ cacert.pem
(└ url)
...
```

```
./
└ rfc3161/
└ zeitstempel.dfn.de/
├ cacert.pem
└ url
...
```
4. Commit this addition to `sig-`.

> ℹ Note: You can find a list of free-to-use timestamping servers
> [here](https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710).
> ℹ Note: For a ready-to-use list of timestamping servers, see [docs/servers.md](docs/servers.md).
### Customising a TSA configuration

By placing additional files inside a TSA configuration's directory, you can further customize how timestamps from that
TSA are generated:

#### Timestamp server URL

**File:** `url`

**Description:**
If existent,
defines the URL the timestamping request is sent to.<br/>
If existent, defines the URL the timestamping request is sent to.<br/>
Use this to specify a protocol and resource on the server domain.

**Example:**
`./rfc3161/freetsa/url`

```
https://freetsa.org/tsr
```

#### TSA certificate chains

**File:** <code>cacert</code><code>.sh</code>

**Description:**
If existent, is called when before verifying the timestamp before the actual commit,
and it's output is piped into the certificate file of the TSA.<br/>
If existent, is called when before verifying the timestamp before the actual commit, and it's output is piped into the
certificate file of the TSA.<br/>
Use this to ensure the timestamps are verified against the current certificate.

**Example:**
`./rfc3161/freetsa/cacert.sh`

```shell
curl --silent https://freetsa.org/files/cacert.pem
```

#### Diffs

**File:** <code>diff</code><code>.sh</code>

**Description:**
If existent, is called when creating the diff before the actual commit, and it's output is used as a diff to timestamp from that TSA only.
The so generated diff file will not be modified further.<br/>
If existent, is called when creating the diff before the actual commit, and it's output is used as a diff to timestamp
from that TSA only. The so generated diff file will not be modified further.<br/>
Working directory is the repositories root directory.

**Example:**
`./rfc3161/freetsa/diff.sh`

```shell
git diff --staged --full-index --binary
```

#### Timestamp requests

**File:** <code>request</code><code>.sh</code>

**Description:**
Expand All @@ -239,11 +261,13 @@ The diff file will be supplied via <i>stdin</i> and the contents of the request

**Example:**
`./rfc3161/freetsa/request.sh`

```shell
openssl ts -query -cert -sha512 <&0
```

#### Timestamp responses

**File:** <code>response</code><code>.sh</code>

**Description:**
Expand All @@ -252,14 +276,15 @@ The request will be supplied via <i>stdin</i> and the contents of the response f

**Example:**
`./rfc3161/freetsa/request.sh`

```shell
curl --silent --header 'Content-Type: application/timestamp-query' --data-binary @- https://freetsa.org/tsr <&0
```

### Updating a TSA configuration

You may want to change the configuration of a TSA if the URL to the server or the keychain of the server change. To do
so (provided default options):
You may want to change the configuration of a TSA if the URL to the server or the certificate bundle of the server
change. To do so (provided default options):

1. Change the associated files/directory on branch `sig-`.
2. Commit the changes to `sig-`.
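Review bot: the reworked directory tree in step 3 drops the parentheses around `url`, so it now presents `url` as always present although the text a few lines earlier says it is only needed when the server URL is a resource on a domain; keep the `(└ url)` marker or add "(optional)". Further down in this hunk, the example path under "Timestamp responses" still reads `./rfc3161/freetsa/request.sh` and should be `response.sh`. The `cacert.sh` description is rewrapped but keeps "is called when before verifying the timestamp before the actual commit" and "it's output"; suggest "is called before the timestamp is verified, prior to the actual commit, and its output". It is also worth stating next to that example that a `cacert.sh` which downloads the bundle (`curl --silent https://freetsa.org/files/cacert.pem`) moves the trust anchor from the bundle committed on `sig-` to whatever the download returns at verification time, so readers can weigh that against a pinned `cacert.pem`. Minor: "The so generated diff file" reads better as "The diff generated this way", and "repositories root directory" should be "repository's root directory" (the same typo is in the `ts.server.directory` table row).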
Expand Down Expand Up @@ -293,13 +318,13 @@ git config <option> "<value>"
|`ts.diff.type`|Type of diff to be created.<br/>May either be:<br/>`"staged"` for diffs to HEAD, or <br/>`"full"` for diffs to the empty tree object.|`"staged"`|
|`ts.server.directory`|The directory containing the timestamp server configurations relative to the repositories root directory.|`"rfc3161"`|
|`ts.server.url`|Name of the file containing the url of the timestamp server.|`"url"`|
|`ts.server.certificate`|Name of the key chain file for a single timestamp server.|`"cacert.pem"`|
|`ts.server.certificate`|Name of the certificate bundle file for a single timestamp server.|`"cacert.pem"`|
|`ts.request.file`|Name of the generated timestamp request file.|`"request.tsq"`|
|`ts.request.options`|Options for creating the timestamp request file through `openssl ts -query`.|`"-cert -sha256 -no_nonce"`|
|`ts.response.file`|Name of the received timestamp response file.|`"response.tsr"`|
|`ts.response.options`|Options for requesting the timestamp from the server through `curl`.|`""`|
|`ts.response.verify`|Whether the received timestamp should be verified against the diff and request file.<br/>May be `true` or `false`.|`"true"`|
|`ts.push.withhold`|Whether timestamping commits should be withheld from remotes.<br/>If `true`, [git-push](https://git-scm.com/docs/git-push) will fail for timestamping branches.|`"true"`|
|`ts.push.withhold`|Whether timestamping commits should be withheld from remotes.<br/>If `true`, [git-push](https://git-scm.com/docs/git-push) will fail for timestamping branches.|`"false"`|
|`ts.enabled`|Whether automated timestamping should be triggered on commits.<br/>May be `true` or `false`.|`"true"`|

> ⚠ Warning: Set the paths and filenames so that they don't interfere with what you plan to commit.
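Review bot: this hunk changes the default of `ts.push.withhold` from `"true"` to `"false"`, so timestamping branches are pushed by default from now on. That is a behaviour change which the commit message ("Added list of servers and certificates and reworked parts of README.md") does not mention; it should be stated, and it needs to match the default that `config.sh` actually writes. On the unchanged `ts.request.options` default `"-cert -sha256 -no_nonce"`: the nonce is what ties a response to the request that produced it, so dropping it by default removes that check; if the default stays, the table should say why.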
Expand All @@ -315,12 +340,7 @@ git config <option> "<value>"
* [x] Withholding timestamping commits from remotes
* [x] Prevent merging timestamping commits into actual branches
* [x] Custom diff and timestamp generation per TSA
* [x] Custom diffs
* [x] Custom certificates
* [x] Custom requests
* [x] Custom responses
* [ ] Trusted timestamps after commits
* [ ] Reducing checkouts in hooks
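Review bot: style point on the feature list: "Prevent merging timestamping commits into actual branches" breaks the gerund form of the surrounding items ("Withholding ...", "Reducing ..."); use "Preventing". Dropping the four "Custom ..." sub-items is fine, since the parent item "Custom diff and timestamp generation per TSA" already covers them.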

## License

4 changes: 2 additions & 2 deletions config.sh
Expand Up @@ -28,7 +28,7 @@ function prompt_options() {
read -r -p "Enter the diff type [staged]: " TS_DIFF_TYPE

read -r -p "Enter the TSA configuration directory name [rfc3161]: " TS_SERVER_DIRECTORY
read -r -p "Enter the TSA keychain file name [cacert.pem]: " TS_SERVER_CERTIFICATE
read -r -p "Enter the TSA certificate bunde file name [cacert.pem]: " TS_SERVER_CERTIFICATE
read -r -p "Enter the TSA url file name [url]: " TS_SERVER_URL

read -r -p "Enter the timestamp request file name [request.tsq]: " TS_REQUEST_FILE
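Review bot: typo in the new prompt text: "certificate bunde" should be "certificate bundle".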
Expand Down Expand Up @@ -70,7 +70,7 @@ function set_options() {
# Copy the hooks into the repository
function copy_hooks() {
local REPO_PATH=$1
local FILES=("commit-msg" "post-commit" "timestamping.sh")
local FILES=("commit-msg" "post-commit" "pre-push" "timestamping.sh")
for f in "${FILES[@]}"; do
[[ ! -f "${REPO_PATH}/${f}" ]] || {
script_echo "ERROR: Could not copy the required files"
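Review bot: with `pre-push` added to `FILES`, the existing guard `[[ ! -f "${REPO_PATH}/${f}" ]] || { ... }` now also aborts installation when the repository already has a `pre-push` hook, which is common; the error message "Could not copy the required files" should name the conflicting file so users know what to move aside. Please also confirm that the uninstall steps added to README.md in this commit (they list `pre-push`) and the manual installation section list the same four files.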
70 changes: 70 additions & 0 deletions docs/globalsign.pem
@@ -0,0 +1,70 @@
subject= /O=GlobalSign/OU=GlobalSign Timestamping CA - SHA384 - G4/CN=GlobalSign
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject= /O=GlobalSign/OU=GlobalSign Root CA - R6/CN=GlobalSign
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
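Review bot: the bundle has no stated provenance. Record where and when these two certificates were obtained (for example as a comment line next to the existing `subject=` lines, which OpenSSL tolerates because it skips text outside the PEM boundaries), so users can check the file against GlobalSign's published chain; docs/servers.md links to this file while every other provider in that table points at the provider's own download.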
16 changes: 16 additions & 0 deletions docs/servers.md
@@ -0,0 +1,16 @@
## Timestamp servers

Here is a list of some free-to-use timestamping servers together with their relevant certificates:

|Provider|URL|Certificate bundle|Web page|
|---|---|---|---|
|DFN-Verein e.V.|`http://zeitstempel.dfn.de`|[cacert.pem](https://pki.pca.dfn.de/dfn-ca-global-g2/pub/cacert/chain.txt)|[Link](https://www.pki.dfn.de/zeitstempeldienst/)|
|DigiCert Inc.|`http://timestamp.digicert.com`|[cacert.pem](https://knowledge.digicert.com/content/dam/digicertknowledgebase/attachments/time-stamp/DigiCertAssuredIDRootCA_comb.crt.pem)|[Link](https://knowledge.digicert.com/generalinformation/INFO4231.html)|
|freeTSA|`https://freetsa.org/tsr`|[cacert.pem](https://freetsa.org/files/cacert.pem)|[Link](https://freetsa.org/)|
|GlobalSign|`http://rfc3161timestamp.globalsign.com/advanced`|[cacert.pem](globalsign.pem)|[Link](https://www.globalsign.com/timestamp-service)|

> ℹ Note: You can find a list of additional, free-to-use timestamping servers
> [here](https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710).
> ℹ Note: The author of this repository is in no way affiliated with any of the organizations/service providers
> listed above.
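Review bot: the two notes at the end are consecutive `>` lines with no blank line between them, so Markdown renders them as a single paragraph; insert a blank line between the two notes. In the table, the GlobalSign "Certificate bundle" entry links to a file in this repository rather than to the provider, so a "retrieved on" date or source URL would let readers judge whether it is current; the README itself notes that a server's certificate bundle can change.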
