To help ensure contributor privacy, but still support gathering of contributor agreements as necessary, Gerrit encrypts all offline contact information gathered from users. This data is shipped to another server, typically at a different location, to make it more difficult for an attacker to obtain.

This feature is optional. If the crypto APIs aren't installed and the contactstore.url setting in gerrit.config is not set, Gerrit will not collect contact information from users.

Setup

Ensure Bouncy Castle Crypto API is available in the web application's CLASSPATH (e.g. in JETTY_HOME/lib/plus for Jetty). Gerrit needs both bcprov-jdk*-*.jar and bcpg-jdk*-*.jar to be provided for the contact encryption to work.

Ensure a proper JCE policy file is installed. By default most JRE installations forbid the use of a strong key, resulting in SecurityException messages when trying to encrypt the contact data. You need to obtain a strong JCE policy file and install it by hand. Look for the Unlimited Strength Jurisdiction Policy download.

Create a public/private key pair for contact data handling. Generate the keys on a protected system, where the resulting private key is unlikely to fall into the wrong hands.

gpg --gen-key

Select the DSA and Elgamal key type, as the public key will be used for data encryption.

The information chosen for name, email and comment fields can be anything reasonable which would identify the contact store of this Gerrit instance. It is probably a good idea to not use a real person's name here, but instead some sort of organizational role. The actual values chosen don't matter later, and are only to help document the purpose of the key.

Choose a fairly long expiration period, such as 20 years. For most Gerrit instances, contact data will be written once, and rarely, if ever, read back.

Export the public key for Gerrit to use during encryption. The public key must be stored in a file called contact_information.pub and reside inside of the site_config directory. Armoring it during export makes it easier to transport between systems, as you can easily copy-and-paste the text. Gerrit can read both the armored and unarmored formats.

gpg --export --armor KEYEMAIL >$site_path/contact_information.pub

Consider storing the private key with some sort of key escrow service within your organization. Without the private key it is impossible to recover contact records.

Install a contact store implementation somewhere to receive the contact records. To be really paranoid, Gerrit always ships the data to another HTTP server, preferably over HTTPS. Existing open-source server implementations can be found in the gerrit-contactstore project.

Configure $site_path/gerrit.config with the contact store's URL (in contactstore.url) and, if needed, the APPSEC value (in contactstore.appsec):

git config --file $site_path/gerrit.config contactstore.url https://...
git config --file $site_path/gerrit.config contactstore.appsec sekret

Contact Store Protocol

To implement a new contact store, the following details are useful.

Gerrit connects to the contact store by sending a standard application/x-www-form-urlencoded body in an HTTP POST request to the store URL (the exact URL that is in contactstore.url) with the following form fields in the body:

Upon successful store, the contact store application should respond with HTTP status code 200 and a body consisting only of OK (or OK\n). Any other response code or body is considered to be a failure by Gerrit.

Using https:// for the store URL is highly encouraged, as it prevents man-in-the-middle attacks from reading the shared secret APPSEC token, or messing with the data field.

Data Format

Once decrypted the data field looks something like the following:

Account-Id: 1001240
Date: 2009-02-23 20:32:32.852 UTC
Full-Name: John Doe
Preferred-Email: jdoe@example.com
Identity: jd15@some-isp.com
Identity: jdoe@example.com <https://www.google.com/accounts/o8/id?id=AIt18axxafvda821aQZaHDF1k8akbalk218sak>
Identity: jdoe@example.com <http://jdoe.blogger.com/>
Address:
        123 Any Street
        Any Town, Somewhere
Country: USA
Phone-Number: +1 (555) 555-1212
Fax-Number: 555.1200
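
A parser for the decrypted record layout shown above, added here as an illustration; it is not part of Gerrit or the gerrit-contactstore project. It assumes, from the sample alone, that indented lines continue the previous field and that only Identity may repeat; parse_contact_record and split_identity are hypothetical names.

```python
import re

# Constructed sample in the layout shown above (not real data).
SAMPLE = """\
Account-Id: 1001240
Date: 2009-02-23 20:32:32.852 UTC
Full-Name: John Doe
Preferred-Email: jdoe@example.com
Identity: jd15@some-isp.com
Identity: jdoe@example.com <http://jdoe.blogger.com/>
Address:
        123 Any Street
        Any Town, Somewhere
Country: USA
Phone-Number: +1 (555) 555-1212
Fax-Number: 555.1200
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z-]*):[ \t]*(.*)$")
IDENTITY = re.compile(r"^(.*?)\s*(?:<([^<>]*)>)?$")


def parse_contact_record(text):
    """Parse one decrypted record into {field name: [values]}."""
    record, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw[0] in " \t":  # indented line continues the previous field
            if current is None:
                raise ValueError(f"line {lineno}: continuation without a field")
            values = record[current]
            values[-1] = (values[-1] + "\n" + raw.strip()).lstrip("\n")
            continue
        m = FIELD.match(raw)
        if m is None:
            raise ValueError(f"line {lineno}: not a 'Name: value' line")
        current = m.group(1)
        if current in record and current != "Identity":  # assumption: only Identity repeats
            raise ValueError(f"line {lineno}: duplicate field {current!r}")
        record.setdefault(current, []).append(m.group(2).strip())
    return record


def split_identity(value):
    """Split 'email <url>' into (email, url); url is None when absent."""
    m = IDENTITY.match(value)
    return m.group(1), m.group(2)
```

Rejecting malformed lines and unexpected duplicate fields, rather than silently keeping the last value, makes a damaged or tampered record visible at the point where it is read back.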

The fields are as follows:


Part of Gerrit Code Review