> -----Original Message-----
> From: Patrick Schleizer
> Sent: Friday, November 21, 2014 18:01
> 
> Dear git developers!
> 
> Jeff King wrote:
> > On Sun, Nov 16, 2014 at 03:31:10PM +0000, Patrick Schleizer wrote:
> > 
> >> How safe are signed git tags? Especially because git uses 
> SHA-1. There
> >> is contradictory information around.
> >>
> >> So if one verifies a git tag (`git tag -v tagname`), then 
> `checksout`s
> >> the tag, and checks that `git status` reports no untracked/modified
> >> files, without further manually auditing the code, how 
> secure is this
> >> actually? Is it only as safe as SHA-1?
> > 
> > Yes, it is only as "safe as SHA-1" in the sense that you 
> have GPG-signed
> > only a SHA-1 hash. If somebody can find a collision with a 
> hash you have
> > signed, they can substitute the colliding data for the data 
> you signed.

The whole issue is a lot better than this makes it sound. Yes it is just a SHA1 
hash, but it is a hash of a structured data format.

You have very observable parts of that well structured data providede to the 
hash.

The commit message, the directory contents, and lastly the files themselves.

For a collision to occur, the commit message would have to likely have garbage 
in the message of a large nature. To generate a colision by commited file 
contents is unlikely because the file contents is reduced to a hash in the 
directory structure, which is in turn reduced to a hash in a commit structure.

This would be noticed.


--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00. 

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to