From: Michael J Gruber <git@drmicha.warpmail.net>
To: Git Mailing List <git@vger.kernel.org>,
	David Roundy <roundyd@physics.oregonstate.edu>
Subject: Re: insecurity in verify-tag?
Date: Wed, 25 Nov 2009 13:54:53 +0100
Message-ID: <4B0D291D.4060100@drmicha.warpmail.net>
In-Reply-To: <117f2cc80911240856lbbb923buc7d0407bc2cba6a9@mail.gmail.com>

David Roundy venit, vidit, dixit 24.11.2009 17:56:
> I've just been looking at the code and I see what looks like a (minor)
> security hole in the verify-tag feature.  In particular, the tag
> verification code doesn't check that the tag is signed by the same
> user that created the tag.  To be fair, gpg does output the identity
> of the key that created the signature as well as the key used to
> create the signature, so an astute user could detect that some
> shenanigans are going on.
> 
> An attack would simply require getting one's own public key into the
> keyring of a user.  This probably wouldn't be very easy at the moment,
> but if people were to actually use encrypted email (and if they set
> their mail agents to download public keys), it might require no more
> than sending a signed email to a mailing list.
> 
> Of course, you'd also somehow have to trick them into pulling (or
> cloning) your corrupt tag, which probably requires compromising a
> server (or mirror) somewhere.  But of course, the whole point of
> signing tags is to eliminate precisely this danger.
> 
> What should be done about this? First, there ought to be a feature to
> limit git verify-tag to use a specific keyring.  Maybe there is an
> environment variable, and it's just not documented in the man page?
> 
> It would also seem like a good idea to at a minimum check that the
> name/email associated with the signature is the same as that of the
> tagger.  This doesn't gain you *too* much, since an attacker can
> always create his own key with any name and email he likes, but at
> least it means that users could feel safe adding keys to their public
> keyring, as long as those keys have reasonable names/emails associated
> with them, and as long as they run git show on a tag before trusting
> that that tag came from a particular person.  i.e. it seems reasonable
> for me to expect that if I run:
> 
> $ git show v1.0
> tag v1.0
> Tagger: Linus Torvalds ...
> ...
> [user carefully reads the Tagger line...]
> $ git verify-tag v1.0 && make
> 
> That I won't be running make on a repository that wasn't signed by a
> key that at least *claims* to belong to Linus Torvalds.
> 
> Thoughts?

My thought is that this is the wrong way to deal with signatures, be it
signatures on tags or signatures on other documents such as e-mails.

Everyone can produce a valid signature. Everyone can set an arbitrary
tagger name or commit author. They are meaningless. A "Tagger" really is
the committer of a tag object, whereas the signer is the actual author
of the signature.

The only case where a signature bears any value is when

- the signature is valid (in the sense of formal validity)
AND
- you trust the signer (i.e. the person and the key).

Specifically, you are supposed NOT to go by the return code of gpg
--verify (which is behind verify-tag). It doesn't mean all that much. On
a side note, that was an attack vector on gpg users last year or so.

All that git itself could do is compare the tagger and the signer, and
warn you if they differ, that is: the signer's key contains no uid
matching the tagger. But this piece of information is really orthogonal
to the issue of trustworthiness.

Note that the actual signature verification process depends also on the
gpg trust model (pgp/classic/...) that you're using and your trustdb. If
you want to use a specific gpg setup or keyring for tag purposes you can
do something like

GNUPGHOME=~/.gpgforgit git verify-tag v1.6.5

Michael
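As an added illustration of the rule in Michael's reply (not code from git or from either poster): a small Python check that accepts a tag only when gpg reports the signature formally valid AND the signer's key at a configured trust level, and merely warns when the tagger line and the signer's uid differ, since that comparison is orthogonal to trust. The status keywords are those GnuPG prints with --status-fd; the tag text and status lines are constructed samples, and the key ids and addresses in them are placeholders.

```python
import re

# Trust levels gpg reports on --status-fd, ordered low to high (GnuPG "DETAILS" doc).
TRUST_ORDER = ["TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
               "TRUST_FULLY", "TRUST_ULTIMATE"]

# Constructed sample: the 'tagger' header as `git cat-file tag v1.0` prints it.
SAMPLE_TAG = "tag v1.0\ntagger Linus Torvalds <torvalds@example.org> 1259157293 +0100\n"
# Constructed samples of `gpg --status-fd 1 --verify` output (signature data omitted).
TRUSTED_STATUS = ("[GNUPG:] GOODSIG ABCDEF0123456789 Linus Torvalds <torvalds@example.org>\n"
                  "[GNUPG:] TRUST_FULLY 0 pgp\n")
UNTRUSTED_STATUS = ("[GNUPG:] GOODSIG 0123456789ABCDEF Linus Torvalds <torvalds@example.org>\n"
                    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")   # key in keyring, but not trusted
MISMATCH_STATUS = ("[GNUPG:] GOODSIG FEDCBA9876543210 Some Maintainer <maint@example.org>\n"
                   "[GNUPG:] TRUST_FULLY 0 pgp\n")        # trusted key, different person

def tagger_email(tag_text):
    """Email address from the tag object's 'tagger' header, or None."""
    m = re.search(r"^tagger .*<([^>]+)>", tag_text, re.M)
    return m.group(1).lower() if m else None

def parse_status(status_text):
    """Return (formally_valid, signer_uid, trust_level) from gpg status lines."""
    good, uid, trust = False, None, "TRUST_UNDEFINED"
    for line in status_text.splitlines():
        parts = line.split(" ", 3)          # "[GNUPG:]", keyword, keyid, user id
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "GOODSIG" and len(parts) == 4:
            good, uid = True, parts[3]
        elif parts[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            good = False
        elif parts[1] in TRUST_ORDER:
            trust = parts[1]
    return good, uid, trust

def assess_tag(tag_text, status_text, min_trust="TRUST_FULLY"):
    """Valid AND trusted signer is required; a tagger/signer mismatch only warns."""
    good, uid, trust = parse_status(status_text)
    if not good:
        return "reject", "signature is not formally valid"
    if TRUST_ORDER.index(trust) < TRUST_ORDER.index(min_trust):
        return "reject", f"signer key trust is {trust}, need at least {min_trust}"
    signer = re.search(r"<([^>]+)>", uid or "")
    tagger = tagger_email(tag_text)
    if not signer or signer.group(1).lower() != tagger:
        return "warn", f"tagger {tagger} differs from signer uid {uid!r}"
    return "accept", f"valid signature from trusted key whose uid matches {tagger}"
```

Note that the untrusted sample is exactly David's scenario (an attacker's key with a matching name imported into the keyring): the signature is formally valid and the uid matches the tagger, yet the check rejects it because the key has no trust.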
