From: Stefan Beller <sbeller@google.com>
To: Patrick Schleizer <patrick-mailinglists@whonix.org>
Cc: Junio C Hamano <gitster@pobox.com>,
"git@vger.kernel.org" <git@vger.kernel.org>,
Whonix-devel <whonix-devel@whonix.org>
Subject: Re: gpg verify git sub modules useful?
Date: Wed, 1 Mar 2017 11:08:48 -0800 [thread overview]
Message-ID: <CAGZ79kav0yB=g5kwB68oHRxbd0mDJ5-gGTJSidSKkZ75gmT44Q@mail.gmail.com> (raw)
In-Reply-To: <8cdd9f2d-415c-1b60-0017-bf973e8cf914@riseup.net>
On Wed, Mar 1, 2017 at 10:28 AM, Patrick Schleizer
<patrick-mailinglists@whonix.org> wrote:
> Good questions, thank you for trying to figure out what I am asking. :)
>
> Junio C Hamano:
>> Patrick Schleizer <patrick-mailinglists@whonix.org> writes:
>>
>>> When using git submodules, is there value in iterating about the git
>>> submodules running "git verfiy-commit HEAD" or would that be already
>>> covered by the git submodule verification?
>>
>> That depends on what you are referring to with the "git submodule
>> verification"
>
> cd submodule
> if ! git verfiy-commit HEAD ; then
> error
> fi
>
>> and more importantly what threat you are guarding
>> against.
>
> All main (non-submodule) (merge) commits and submodule (merge) commits
> are signed by me.
>
> 1) git --recursive clone main (non-submodule) git repository
> 2) cd git main repository
> 3) git verify-commit HEAD or git verify-tag tag-name
> 4) git submodule update
>
> What if the main (non-submodule) git repository gpg signature was okay
> but then after git fetched the submodules these compromised (MITM'ed) ones?
The signing in Git is just signing the commit hash essentially.
> Does the having gpg verified the root (main git repository) ensure that
> submodule commits are also quasi verified?
That is my understanding. There is no difference between the security of
a file or a submodule, just the way of obtaining and its reporting is different.
Both a file and a submodule are referred to via a hash (currently sha1).
Obtaining a file is implicit whereas obtaining the submodule is explicit.
The reporting (in e.g. git-status) ... depends on a lot of options to be set.
When signing the superproject, you acknowledge the submodules
being in the state as recorded. (Same with s/submodules/files/)
So I am not sure what kind of additional signing you're looking
for in the submodules.
Thanks,
Stefan
prev parent reply other threads:[~2017-03-01 19:10 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-28 15:50 gpg verify git sub modules useful? Patrick Schleizer
2017-02-28 17:36 ` Junio C Hamano
2017-03-01 18:28 ` Patrick Schleizer
2017-03-01 19:08 ` Stefan Beller [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGZ79kav0yB=g5kwB68oHRxbd0mDJ5-gGTJSidSKkZ75gmT44Q@mail.gmail.com' \
--to=sbeller@google.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=patrick-mailinglists@whonix.org \
--cc=whonix-devel@whonix.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).