author: Christoph Egger <christoph@christoph-egger.org> 2016-02-15 15:04:22 +0100
committer: Junio C Hamano <gitster@pobox.com> 2016-02-15 19:21:48 -0800
commit: aeff8a61216bf6e0d663c08c583bc8552fa3c344
tree: 56089a2c0b99c783ee4ebed5bf90445c32b0fa3c /Documentation
parent: Git 2.7.1
http: implement public key pinning
Add the http.pinnedpubkey configuration option for public key pinning. It allows any string supported by libcurl -- base64(sha256(pubkey)) or filename of the full public key. If cURL does not support pinning (is too old) output a warning to the user.

Signed-off-by: Christoph Egger <christoph@christoph-egger.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'Documentation')
-rw-r--r-- Documentation/config.txt 8
1 files changed, 8 insertions, 0 deletions
diff --git a/Documentation/config.txt b/Documentation/config.txt
index f61788668e..bc0237fd62 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1679,6 +1679,14 @@ http.sslCAPath::
with when fetching or pushing over HTTPS. Can be overridden
by the 'GIT_SSL_CAPATH' environment variable.
+http.pinnedpubkey::
+ Public key of the https service. It may either be the filename of
+ a PEM or DER encoded public key file or a string starting with
+ 'sha256//' followed by the base64 encoded sha256 hash of the
+ public key. See also libcurl 'CURLOPT_PINNEDPUBLICKEY'. git will
+ exit with an error if this option is set but not supported by
+ cURL.
+
http.sslTry::
Attempt to use AUTH SSL/TLS and encrypted data transfers
when connecting via regular FTP protocol. This might be needed
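Review bot: the last sentence of the new http.pinnedpubkey entry says git will "exit with an error" when the option is set but cURL does not support it, while the commit message says a warning is output to the user in that case. Only the Documentation change is visible here, so one of the two statements needs to be corrected to match what the code does. For a pinning option the difference matters to the reader: a warning that lets the transfer continue means the connection proceeds without the pin being enforced, so the documentation should state precisely whether an unsupported setting aborts the operation or is ignored. A smaller style point in the first line of the entry: "https service" could be written "HTTPS service" to match "over HTTPS" in the http.sslCAPath text just above.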