Git development
 help / color / mirror / Atom feed
From: Joseph Parmelee <jparmele@wildbear.com>
To: "Carlos Martín Nieto" <cmn@elego.de>
Cc: "Olsen, Alan R" <alan.r.olsen@intel.com>,
	Michael Witten <mfwitten@gmail.com>,
	Junio C Hamano <gitster@pobox.com>,
	"git@vger.kernel.org" <git@vger.kernel.org>
Subject: RE: Lack of detached signatures
Date: Wed, 28 Sep 2011 06:36:10 -0600 (CST)	[thread overview]
Message-ID: <alpine.LNX.2.00.1109280555460.25187@bruno> (raw)
In-Reply-To: <1317195719.30267.4.camel@bee.lab.cmartin.tk>

[-- Attachment #1: Type: TEXT/PLAIN, Size: 3778 bytes --]


On Wed, 28 Sep 2011, Carlos Martín Nieto wrote:

> On Wed, 2011-09-28 at 04:17 +0000, Olsen, Alan R wrote:
>> [Sorry for the top posting. Outlook is evil.]
>>
>> Detached signatures are created with gpg, not git.
>
> Git delegates all the signing business to gpg.
>
>>
>> What I would like to see in git would be signed commits. I have looked
>
> Every single commit? That sounds very heavy. You might want to look at
> signed pushes (signed push certificates), which were discussed in the
> list some time the kernel.org intrusion.
>
> Due to the way git calculates the hash for each object, signing a tag
> means that you also sign every single commit up to that point (with all
> their tree and blob objects).
>
>>  at what it would take to make it work, but I don't have all the
>> details worked out. (Certain merges and cherry-picks would not work
>> very well.)
>
> This is precisely because of the cryptographic hash that is used to make
> sure that history doesn't get changed.
>
>   cmn
>
>>
>> -----Original Message-----
>> From: git-owner@vger.kernel.org [mailto:git-owner@vger.kernel.org] On Behalf Of Michael Witten
>> Sent: Tuesday, September 27, 2011 5:08 PM
>> To: Junio C Hamano
>> Cc: Joseph Parmelee; git@vger.kernel.org
>> Subject: Re: Lack of detached signatures
>>
>> On Wed, Sep 28, 2011 at 00:03, Junio C Hamano <gitster@pobox.com> wrote:
>>> Joseph Parmelee <jparmele@wildbear.com> writes:
>>>
>>>> Under the present circumstances, and particularly considering the
>>>> sensitivity of the git code itself, I would suggest that you implement
>>>> signed detached digital signatures on all release tarballs.
>>>
>>> Well, signed tags are essentially detached signatures. People can verify
>>> tarballs against them if they wanted to, although it is a bit cumbersome.
>>
>> Aren't tarballs used to get git on machines that don't yet have git?
>> --
>> To unsubscribe from this list: send the line "unsubscribe git" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>> NrybX?v^)?{.n+?\x17?}?z&j:+v\azZ++zfh~iz\x1ew?&)?^[f
>
>
>

There is confusion here between the repository and the tarball.  Once you
have produced the tarball there is NO cryptographic protection against
forgeries unless you sign it with GPG.  That is my point: either produce
signatures with the tarballs, or don't provide them at all and force users
to clone the repository.  Git itself provides internal crytopgraphic
protection with its commit tags.

The stability of the head depends on the policies followed by the developers
and cannot be known by users not intimately involved in the development.  In
any event if there is a tarball most users assume that it represents a more
stable state of the repository than the head and they will tend to use it,
even if they already have a version of the code, instead of cloning the
repository directly.

Git, and its signing key, are high-value targets for the bad guys, even
higher than the kernel itself.  I hope you will give just a moment's thought
to the damage that will be done if bad guys succeed in a DNS poisoning
attack and succeed in passing off a phony git tarball with a back door in
the git code itself to a major code project.  Any code produced in a
repository using that phony version of git can then itself be corrupted.

It is only because kernel.org exercised due diligence in the production of
tags and signatures on all their tarballs that the kernel code itself
withstood their recent intrusion.  I suspect that their signing key was not
so lucky and needs to be changed.  The situation now is really dangerous
with various important projects scattered about, including git, which are
being operated without proper consideration of security.

  reply	other threads:[~2011-09-28 12:36 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-09-27 23:48 Lack of detached signatures Joseph Parmelee
2011-09-28  0:03 ` Junio C Hamano
2011-09-28  0:07   ` Michael Witten
2011-09-28  4:17     ` Olsen, Alan R
2011-09-28  7:41       ` Carlos Martín Nieto
2011-09-28 12:36         ` Joseph Parmelee [this message]
2011-09-28 16:45           ` Junio C Hamano
2011-09-28 16:55             ` Michael Witten
2011-09-28 16:59             ` Matthieu Moy
2011-09-28 22:25             ` Jeff King
2011-09-28 23:09               ` Ted Ts'o
2011-09-29  0:28                 ` Junio C Hamano
2011-09-29  1:59                   ` Ted Ts'o
2011-09-29  3:50                     ` Junio C Hamano
2011-09-29 13:18                       ` Ted Ts'o
2011-09-29 14:40                         ` Sverre Rabbelier
2011-09-29 14:50                           ` Ted Ts'o
2011-09-29 14:52                             ` Sverre Rabbelier
2011-09-29 16:47                         ` Joseph Parmelee
2011-09-29  1:29                 ` Joseph Parmelee
2011-09-29  1:41                 ` Jeff King
2011-09-29 20:31                 ` Olsen, Alan R
2011-09-28 22:40             ` Joseph Parmelee
2011-09-28 17:03       ` Ben Walton

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.LNX.2.00.1109280555460.25187@bruno \
    --to=jparmele@wildbear.com \
    --cc=alan.r.olsen@intel.com \
    --cc=cmn@elego.de \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    --cc=mfwitten@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox