Jeff King venit, vidit, dixit 26.01.2016 21:26: > On Tue, Jan 26, 2016 at 10:29:42AM -0500, Santiago Torres wrote: > >>> If you cannot trust those with write access to a repo that you are >>> pulling and installing from you might want to re-check where you are >>> pulling or installing from ;) >> >> Yeah, I see your point, but mechanisms to ensure the server's origin can >> be bypassed (e.g., a MITM). I don't think it would hurt to ensure the >> source pointed to is the source itself. The tag signature can help us do >> this. > > Right. I think the more interesting use case here is "I trust the > upstream repository owner, but I do not trust their hosting site of > choice." > >>> Your best bet is checking the signature of signed tags. Now, if you're >>> worried about someone maliciously pointing you to the wrong, correctly >>> signed tag then you should verify that the tag object contains the tag >>> "name" that you expect (for example by using "git verify-tag -v" or "git >>> cat-file -p"), since that is part of the signed content. >> >> Yep, this is my intuition behind my proposal. While someone can manually >> inspect a tag (git tag -v [ref]) to ensure he's getting the correct one, >> there's no mechanism to ensure that the ref is pointing to the intended >> tag. I do believe that package managers and git submodules could check >> whether the ref is pointing to the right tag with a small change in the >> tag header. Although it would be up to each tool to implement this >> check. >> >> I don't think that an addition like this would get in the way of any >> existing git workflow, and should be backwards-compatible right? > > Doesn't this already exist? > > $ git cat-file tag v2.0.0 > object e156455ea49124c140a67623f22a393db62d5d98 > type commit > tag v2.0.0 > tagger Junio C Hamano <gits...@pobox.com> 1401300269 -0700 > > Git 2.0 > -----BEGIN PGP SIGNATURE----- > [...] > -----END PGP SIGNATURE----- > > Tag objects already have a "tag" header, which is part of the signed > content. If you use "git verify-tag -v", you can check both that the > signature is valid and that the tag is the one you are expecting.
Yes, that's what I described in my last paragraph, using the term (embedded) tag "name" which is technically wrong (it's not the tag object's name, which would be a sha1) but the natural term for users. > Of course, "verify-tag" could do this for you if you give it a refname, > too, but I think that may be the tip of the iceberg in terms of > automatic verification. In particular, verify-tag knows it was signed by > _somebody_, but it doesn't know what the signing policy is. As a human, > _I_ know that Junio is the right person to be signing the release tag, > but no tool does. > > Git pretty much punts on all of these issues and assumes either a human > or a smarter tool is looking at the verification output. But I don't > think it would hurt to build in some features to let git automatically > check some things, if only to avoid callers duplicating work to > implement the checks themselves. That is really a can of worms for several reasons: - Do you fetch tags into refs/tags/ or refs/tags/upstream/ or wherever, and which part of the tag refname should we check for? We can DWIM that to the last part after / and allow "--tagname" to override, of course. - By all means, we need to avoid a false sense of security. "GOOD SIGNATURE" in gpg terms is bad enough with the usual trust model when users don't check who actually made that signature. If you don't *really* check the signature then anyone can shove a signed tag object under your nose with the *expected tag header* (tag "name") so that there is no gain at all, unless you envison a scenario where Man I. T. Middle can mess with refs but not objects. So, for those who shy away from for-each-ref and such, we may add the header check to verify-tag, with a big warning about the marginal gain in security (or the requirements for an actual gain). Michael -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
