New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
gitlock - npm Package Compare versions
Comparing version 0.1.1 to 0.2.0
@@ -0,1 +1,9 @@ | ||
| v0.2.0 (2016-06-08) | ||
| =================== | ||
| - Add `parse` to show timestamp's time, etc. | ||
| - Secure delay. | ||
| - More user-friendly. | ||
| - More strict verification. | ||
| v0.1.1 (2016-06-07) | ||
@@ -2,0 +10,0 @@ =================== |
@@ -35,2 +35,10 @@ "use strict"; | ||
| let runWithoutCapture = (args, options) => { | ||
| let actualOptions = { | ||
| stdio: ["pipe", process.stdout, process.stderr] | ||
| }; | ||
| Object.assign(actualOptions, options); | ||
| return run(args, actualOptions); | ||
| }; | ||
| let line = (args, options) => { | ||
@@ -216,2 +224,3 @@ return $util.parseLine(run(args, options)); | ||
| exports.runAsync = runAsync; | ||
| exports.runWithoutCapture = runWithoutCapture; | ||
| exports.line = line; | ||
@@ -218,0 +227,0 @@ exports.lines = lines; |
@@ -167,4 +167,6 @@ "use strict"; | ||
| if (status.some(m => m[0] !== " " && m[0] !== "?" && m[0] !== "!")) { | ||
| console.log("Committing files in the index..."); | ||
| if (args.length === 0) { | ||
| $git.run(["commit", "--allow-empty-message", "-m", ""]); | ||
| $git.runWithoutCapture(["commit", "--allow-empty-message", "-m", ""]); | ||
| } | ||
@@ -178,6 +180,6 @@ | ||
| assert(args.length === 2); | ||
| $git.run(["commit", "-m", args[1]]); | ||
| $git.runWithoutCapture(["commit", "-m", args[1]]); | ||
| } | ||
| else if (args[0] === "commit") { | ||
| $git.run(args); | ||
| $git.runWithoutCapture(args); | ||
| } | ||
@@ -214,3 +216,5 @@ } | ||
| commitsArray.forEach((commit, index) => { | ||
| commit.lockNames.forEach(lockName => { | ||
| commit.lockNames.forEach((lockName, index) => { | ||
| assert(index === parseInt($lock.getLabel(lockName))); | ||
| let lock = $lock.Lock.fromName(lockName); | ||
@@ -324,2 +328,5 @@ if (lockName.startsWith("gitlock-000-")) { | ||
| } | ||
| else { | ||
| console.log("Locks are already up-to-date with no new lock added."); | ||
| } | ||
| } | ||
@@ -338,3 +345,9 @@ else if (args[0] === "timestamp") { | ||
| } | ||
| $git.run(["push", "--follow-tags"]); | ||
| else { | ||
| console.log("Locks are already up-to-date with no new lock added."); | ||
| } | ||
| console.log("Applying secure delay. Please wait 5 seconds..."); | ||
| $util.delay(5000).then(() => { | ||
| $git.runWithoutCapture(["push", "--follow-tags"]); | ||
| }); | ||
| } | ||
@@ -421,2 +434,14 @@ else if (args[0] === "verify") { | ||
| } | ||
| else if (args[0] === "parse") { | ||
| let lock = $lock.Lock.fromName(args[1]); | ||
| assert(lock instanceof $lock.TimestampLock, "parse-non-timestamp"); | ||
| $cp.execFileSync( | ||
| config.openssl, | ||
| ["asn1parse", "-inform", "DER"], | ||
| { | ||
| input: lock.data[0], | ||
| stdio: ["pipe", process.stdout, process.stderr] | ||
| } | ||
| ); | ||
| } | ||
| else if (args[0] === "list") { | ||
@@ -429,6 +454,3 @@ let lockNames = $git.lines(["tag", "-l", "--sort=taggerdate", "gitlock-*"]); | ||
| else if (args[0] === "log") { | ||
| $git.run(["log", "--all", "--decorate", "--graph"], { | ||
| stdio: ["pipe", process.stdout, process.stderr], | ||
| encoding: "buffer" | ||
| }); | ||
| $git.runWithoutCapture(["log", "--all", "--decorate", "--graph"]); | ||
| } | ||
@@ -552,2 +574,5 @@ else if (args[0] === "remove") { | ||
| } | ||
| else if (code === "parse-non-timestamp") { | ||
| text = "`parse` only applies to timestamps."; | ||
| } | ||
| else { | ||
@@ -554,0 +579,0 @@ throw ex; |
| { | ||
| "name": "gitlock", | ||
| "version": "0.1.1", | ||
| "version": "0.2.0", | ||
| "description": "Add a SHA-256 wrapper to increase the security of Git. It can also protect your copyright by adding timestamps from trusted Time Stamping Authority.", | ||
@@ -5,0 +5,0 @@ "keywords": ["git", "lock"], |
@@ -6,10 +6,26 @@ GitLock | ||
| In essence, it just adds tags. It doesn't modify your repo's internals, so it's safe - Your history and commit IDs will remain unchanged. It's compatible with Git (1.8.3 or higher), GitHub, and BitBucket. For details see "architecture.md". | ||
| IMPORTANT: **How to prove your code is yours?** The only way is to prove you are the **first** one who claims its copyright. That's exactly what timestamps do. GitLock's timestamp isn't from your computer. It's from well-known CAs, such as Comodo, which can be trusted. | ||
| There're 3 types of locks: base lock, timestamp lock, and signature lock (signature locks are not implemented yet). | ||
| In essence, it just adds tags. It doesn't modify your repo's internals, so it's safe - Your history and commit IDs will remain unchanged. It's compatible with Git (1.8.3 or higher), GitHub, and BitBucket. For details see "architecture.md". Take a brief look at the effect after locked: | ||
| - [Example lock list](https://github.com/zizisoft/gitlock/tags?after=gitlock-000-sha256-4e8abc37d6efd2f054aea3da5f10a6f7421fc5b9e09e5b4373ae08596e1b26ca) (Click `...` to see lock details. Note that year 2005 isn't the timestamp date - it's just a fake date to isolate locks from releases for readability.) | ||
| - [Example commit with locks](https://github.com/zizisoft/gitlock/commit/1758cba8f9e2128e601dc3952110559a1b29a021) | ||
| - [Example base lock](https://github.com/zizisoft/gitlock/releases/tag/gitlock-000-sha256-3da0b41c4dfe1ea226095e05ed73a2355fce9a70a0368ae10d90568342cc7332) | ||
| - [Example timestamp lock](https://github.com/zizisoft/gitlock/releases/tag/gitlock-001-sha256-936fa8afe109de575e4e2ffc6758ac786d3fb7b8d48efafbee0c072b363201f5) | ||
| There're 3 types of locks: base lock (with label `000`), timestamp lock, and signature lock (signature locks are not implemented yet). | ||
| (Windows users: It's recommended to run the command in Git Bash, not `cmd`, because it relies on OpenSSL.) | ||
| Synopsis 1: | ||
| Installation | ||
| ============ | ||
| - Make sure you have [Node.js](https://nodejs.org/) on your computer. | ||
| - Use the command `npm install -g gitlock` (may need `sudo`). | ||
| Usage | ||
| ===== | ||
| ### Synopsis 1: basic commands | ||
| ``` | ||
@@ -38,3 +54,3 @@ gitlock | ||
| Synopsis 2 (not implemented yet): | ||
| ### Synopsis 2 (not implemented yet): sign | ||
@@ -45,7 +61,9 @@ ``` | ||
| Sign the current lock. But if you just want to prove your copyright, you really don't need to sign. Providing your name and email in a file (like `package.json`) in your repo and then timestamping is enough. If you're still not confident, provide more information like your birthday, nationality and passport number in a file (like `author-info.txt`). | ||
| Sign the current lock. | ||
| Note: If you just want to prove your copyright, you really don't need to sign. Providing your name and email in a file (like `package.json`) in your repo and then timestamping is enough. This is obvious, because signing is for liability / authentication, not for claiming rights. If you're still not confident, provide more information like your birthday, nationality and passport number in a file (like `author-info.txt`) before timestamping. | ||
| If it hasn't been locked, it will lock first. | ||
| Synopsis 3: | ||
| ### Synopsis 3: timestamp | ||
@@ -62,3 +80,3 @@ ``` | ||
| Synopsis 4: | ||
| ### Synopsis 4: push | ||
@@ -69,3 +87,3 @@ ``` | ||
| Push commits and their tags (including locks). Before push, it can automatically sign or timestamp based on your configuration. | ||
| Push commits and their tags (including locks). Before push, it can automatically sign or timestamp based on your configuration. There will be a "secure delay". See FAQ. | ||
@@ -78,3 +96,3 @@ If it hasn't been locked, it will lock first. | ||
| Synopsis 5: | ||
| ### Synopsis 5: verify | ||
@@ -89,3 +107,3 @@ ``` | ||
| Synopsis 6: | ||
| ### Synopsis 6: proof | ||
@@ -108,3 +126,3 @@ ``` | ||
| Synopsis 7: | ||
| ### Synopsis 7: show | ||
@@ -117,5 +135,23 @@ ``` | ||
| Synopsis 8: | ||
| ### Synopsis 8: parse | ||
| ``` | ||
| gitlock parse <lock> | ||
| ``` | ||
| Show timestamp information, such as the timestamp time. | ||
| You can find lines like this in the output: | ||
| ``` | ||
| ... prim: OBJECT :signingTime | ||
| ... cons: SEQUENCE | ||
| ... prim: UTCTIME :150228132728Z | ||
| ``` | ||
| It means the timestamp is signed on 2015-02-28 13:27:28 UTC Time. | ||
| ### Synopsis 9: list | ||
| ``` | ||
| gitlock list | ||
@@ -126,3 +162,3 @@ ``` | ||
| Synopsis 9: | ||
| ### Synopsis 10: log | ||
@@ -135,3 +171,3 @@ ``` | ||
| Synopsis 10: | ||
| ### Synopsis 11: remove | ||
@@ -154,3 +190,3 @@ ``` | ||
| Synopsis 1: | ||
| ### Synopsis 1: config | ||
@@ -163,3 +199,3 @@ ``` | ||
| Synopsis 2: | ||
| ### Synopsis 2: tsa | ||
@@ -172,3 +208,3 @@ ``` | ||
| Synopsis 3: | ||
| ### Synopsis 3: openssl | ||
@@ -187,3 +223,3 @@ ``` | ||
| Synopsis 4: | ||
| ### Synopsis 4: root-ca | ||
@@ -209,3 +245,3 @@ ``` | ||
| Synopsis 5: | ||
| ### Synopsis 5: lock-default | ||
@@ -220,3 +256,3 @@ ``` | ||
| Synopsis 6: | ||
| ### Synopsis 6: push-default | ||
@@ -231,3 +267,3 @@ ``` | ||
| Synopsis 7 (not implemented yet): | ||
| ### Synopsis 7 (not implemented yet): private | ||
@@ -282,1 +318,5 @@ ``` | ||
| A: No. It only sends a SHA-256 hash. | ||
| **Q: What's "secure delay"?** | ||
| A: It's an interval between timestamping time and pushing time. The purpose is to prevent others from timestamping immediately after you push. If there's no delay, then if someone uses a bot to listen to your Git address, he can modify your copyright info and timestamp at the same second of your timestamp. The timestamp granularity is 1 second, so the delay should be at least 1 second. We set it to 5 seconds. |
No alert changes
Improved metrics
- Total package byte prevSize
- increased by3.11%
123961
- Lines of code
- increased by1.47%
2146
- Number of lines in readme file
- increased by15.15%
304
No dependency changes