I've just been looking at the code and I see what looks like a (minor) security hole in the verify-tag feature. In particular, the tag verification code doesn't check that the tag is signed by the same user that created the tag. To be fair, gpg does output the identity of the key that created the signature as well as the key used to create the signature, so an astute user could detect that some shenanigans are going on.

An attack would simply require getting one's own public key into the keyring of a user. This probably wouldn't be very easy at the moment, but if people were to actually use encrypted email (and if they set their mail agents to download public keys), it might require no more than sending a signed email to a mailing list. Of course, you'd also somehow have to trick them into pulling (or cloning) your corrupt tag, which probably requires compromising a server (or mirror) somewhere. But of course, the whole point of signing tags is to eliminate precisely this danger.

What should be done about this? First, there ought to be a feature to limit git verify-tag to use a specific keyring. Maybe there is an environment variable, and it's just not documented in the man page?

It would also seem like a good idea to at a minimum check that the name/email associated with the signature is the same as that of the tagger. This doesn't gain you *too* much, since an attacker can always create his own key with any name and email he likes, but at least it means that users could feel safe adding keys to their public keyring, as long as those keys have reasonable names/emails associated with them, and as long as they run git show on a tag before trusting that that tag came from a particular person. I.e., it seems reasonable for me to expect that if I run:

    $ git show v1.0
    tag v1.0
    Tagger: Linus Torvalds ...
    ...
    [user carefully reads the Tagger line...]

    $ git verify-tag v1.0 && make

that I won't be running make on a repository that wasn't signed by a key that at least *claims* to belong to Linus Torvalds.

Thoughts?
-- 
David Roundy
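As an added example (not part of David's post or of git's own code), a check in the spirit of the one proposed above: compare the e-mail in the tag object's tagger line with the user ID gpg reports on its GOODSIG status line, and optionally restrict accepted signing keys to a known list, in the spirit of the "specific keyring" suggestion. The tag object and gpg status lines below are constructed samples; the key IDs and addresses are placeholders.

```python
import re

# Constructed sample tag object, in the layout `git cat-file tag v1.0` prints:
# header lines, a blank line, the message, then the detached PGP signature.
SAMPLE_TAG = """object 0000000000000000000000000000000000000000
type commit
tag v1.0
tagger Example Maintainer <maintainer@example.org> 1138980000 -0800

Release 1.0
-----BEGIN PGP SIGNATURE-----
(signature body omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

# Constructed `gpg --status-fd` output for two scenarios (placeholder key IDs).
STATUS_MATCH = "[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maintainer@example.org>\n"
STATUS_MISMATCH = "[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <someone@example.net>\n"

EMAIL_RE = re.compile(r"<([^<>]+)>")


def tagger_email(tag_object):
    """Return the lower-cased e-mail from the tagger header, or None."""
    header = tag_object.split("\n\n", 1)[0]          # headers end at first blank line
    for line in header.splitlines():
        if line.startswith("tagger "):
            m = EMAIL_RE.search(line)
            return m.group(1).lower() if m else None
    return None


def goodsig(status_output):
    """Return (key_id, email) from gpg's GOODSIG line, or None if absent.

    Only GOODSIG counts: NO_PUBKEY, BADSIG, EXPKEYSIG etc. are rejected.
    """
    for line in status_output.splitlines():
        parts = line.split(" ", 3)                   # prefix, keyword, keyid, user ID
        if len(parts) == 4 and parts[0] == "[GNUPG:]" and parts[1] == "GOODSIG":
            m = EMAIL_RE.search(parts[3])
            return parts[2].upper(), (m.group(1).lower() if m else None)
    return None


def signer_matches_tagger(tag_object, status_output, allowed_key_ids=None):
    """True only if gpg reported GOODSIG, the signer's e-mail equals the tagger's,
    and (when an allow-list is given) the key ID is one we already trust."""
    sig = goodsig(status_output)
    tagger = tagger_email(tag_object)
    if sig is None or tagger is None or sig[1] != tagger:
        return False
    return allowed_key_ids is None or sig[0] in {k.upper() for k in allowed_key_ids}
```

Run against real objects by feeding it `git cat-file tag <tag>` and the status output of `gpg --status-fd 1 --verify`; the name/e-mail comparison alone still admits a key that merely claims the tagger's address, which is why the allow-list check is the stronger of the two.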