On Fri, 19 Aug 2016 at 17:41:51 -0700, koanhead wrote:

> Other than that, if you clone the repository in a manner vulnerable to
> MITM, you should still be able to verify its checksum against the one
> that's published. As far as I can tell from perusing
> http://git.savannah.gnu.org/cgit/libreboot.git/, there's no global sum
> published for the whole tree.
One way around this is to sign tags (using ‘git tag -su keyid tagname’). Then, assuming a trust path to the signer's OpenPGP key — and the second preimage-resistance of SHA-1, anyone could verify the integrity of the tree (including committed files and commit messages) from the tag all the way down. For someone whose HEAD isn't on a tag, the same technique applies with more overhead, as it requires individual commits to be signed (with ‘git commit -Skeyid’).

Cheers,
-- 
Guilhem.
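As an added illustration of the hash chain that a signed tag anchors (example code, not from the message above or from the libreboot project; the object store and file contents are constructed), the following reimplements git's SHA-1 object hashing and walks tag → commit → tree → blobs. The OpenPGP check on the tag object itself (what ‘git tag -v’ performs) is left out; the point shown is that once that signature is trusted, every committed file below it is pinned, and altering any blob is detected.

```python
import hashlib

def git_hash(kind, payload):
    # git hashes "<type> <size>\0<payload>"; returns the raw 20-byte id.
    return hashlib.sha1(b"%s %d\0" % (kind.encode(), len(payload)) + payload).digest()

def build_repo(files):
    """Constructed in-memory store {sha: (type, payload)} holding the blobs,
    one tree, one commit and one tag object; returns (store, tag_sha)."""
    store, entries = {}, b""
    for name in sorted(files):                      # tree entries are name-sorted
        sha = git_hash("blob", files[name])
        store[sha] = ("blob", files[name])
        entries += b"100644 %s\0" % name.encode() + sha   # mode, name, raw sha
    tree_sha = git_hash("tree", entries)
    store[tree_sha] = ("tree", entries)
    commit = (b"tree %s\nauthor A <a@example.org> 0 +0000\n"
              b"committer A <a@example.org> 0 +0000\n\nmsg\n" % tree_sha.hex().encode())
    commit_sha = git_hash("commit", commit)
    store[commit_sha] = ("commit", commit)
    # A signed tag carries an OpenPGP signature over exactly these bytes, so a
    # verified signature pins the "object <commit>" line (signature omitted here).
    tag = (b"object %s\ntype commit\ntag v1\ntagger A <a@example.org> 0 +0000\n"
           b"\nrelease\n" % commit_sha.hex().encode())
    tag_sha = git_hash("tag", tag)
    store[tag_sha] = ("tag", tag)
    return store, tag_sha

def _first_ref(payload):
    # "object <hex>" / "tree <hex>" is the first header line of a tag / commit.
    return bytes.fromhex(payload.split(b"\n")[0].split(b" ")[1].decode())

def verify_chain(store, sha):
    """Recompute every object's hash from the tag down; False on any mismatch."""
    kind, payload = store[sha]
    if git_hash(kind, payload) != sha:
        return False
    if kind in ("tag", "commit"):
        return verify_chain(store, _first_ref(payload))
    if kind == "tree":
        i = 0
        while i < len(payload):
            nul = payload.index(b"\0", i)
            if not verify_chain(store, payload[nul + 1:nul + 21]):
                return False
            i = nul + 21
    return True                                     # blob: content hashed above

def tamper(store, original, replacement):
    """Swap a blob's bytes in place while keeping its old id (what a MITM would need
    SHA-1 second preimage resistance to get away with)."""
    store[git_hash("blob", original)] = ("blob", replacement)
```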