* gpg verify git sub modules useful?
@ 2017-02-28 15:50 Patrick Schleizer
2017-02-28 17:36 ` Junio C Hamano
0 siblings, 1 reply; 4+ messages in thread
From: Patrick Schleizer @ 2017-02-28 15:50 UTC (permalink / raw)
To: git; +Cc: Whonix-devel
When using git submodules, is there value in iterating about the git
submodules running "git verfiy-commit HEAD" or would that be already
covered by the git submodule verification?
Cheers,
Patrick
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: gpg verify git sub modules useful?
2017-02-28 15:50 gpg verify git sub modules useful? Patrick Schleizer
@ 2017-02-28 17:36 ` Junio C Hamano
2017-03-01 18:28 ` Patrick Schleizer
0 siblings, 1 reply; 4+ messages in thread
From: Junio C Hamano @ 2017-02-28 17:36 UTC (permalink / raw)
To: Patrick Schleizer; +Cc: git, Whonix-devel
Patrick Schleizer <patrick-mailinglists@whonix.org> writes:
> When using git submodules, is there value in iterating about the git
> submodules running "git verfiy-commit HEAD" or would that be already
> covered by the git submodule verification?
That depends on what you are referring to with the "git submodule
verification" and more importantly what threat you are guarding
against. "git -C <submodule-dir> verify-commit HEAD" may make sure
that the contents of that commit object is GPG signed by whoever you
trust--is that what you want to make sure? Or do you want all
commits in the submodule history to be similarly signed because the
tree of the superproject can switch to some other commit there?
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: gpg verify git sub modules useful?
2017-02-28 17:36 ` Junio C Hamano
@ 2017-03-01 18:28 ` Patrick Schleizer
2017-03-01 19:08 ` Stefan Beller
0 siblings, 1 reply; 4+ messages in thread
From: Patrick Schleizer @ 2017-03-01 18:28 UTC (permalink / raw)
To: Junio C Hamano, git; +Cc: Whonix-devel
Good questions, thank you for trying to figure out what I am asking. :)
Junio C Hamano:
> Patrick Schleizer <patrick-mailinglists@whonix.org> writes:
>
>> When using git submodules, is there value in iterating about the git
>> submodules running "git verfiy-commit HEAD" or would that be already
>> covered by the git submodule verification?
>
> That depends on what you are referring to with the "git submodule
> verification"
cd submodule
if ! git verfiy-commit HEAD ; then
error
fi
> and more importantly what threat you are guarding
> against.
All main (non-submodule) (merge) commits and submodule (merge) commits
are signed by me.
1) git --recursive clone main (non-submodule) git repository
2) cd git main repository
3) git verify-commit HEAD or git verify-tag tag-name
4) git submodule update
What if the main (non-submodule) git repository gpg signature was okay
but then after git fetched the submodules these compromised (MITM'ed) ones?
Does the having gpg verified the root (main git repository) ensure that
submodule commits are also quasi verified?
> "git -C <submodule-dir> verify-commit HEAD" may make sure
> that the contents of that commit object is GPG signed by whoever you
> trust--is that what you want to make sure?
> Or do you want all
> commits in the submodule history to be similarly signed because the
> tree of the superproject can switch to some other commit there?
I guess so.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: gpg verify git sub modules useful?
2017-03-01 18:28 ` Patrick Schleizer
@ 2017-03-01 19:08 ` Stefan Beller
0 siblings, 0 replies; 4+ messages in thread
From: Stefan Beller @ 2017-03-01 19:08 UTC (permalink / raw)
To: Patrick Schleizer; +Cc: Junio C Hamano, git@vger.kernel.org, Whonix-devel
On Wed, Mar 1, 2017 at 10:28 AM, Patrick Schleizer
<patrick-mailinglists@whonix.org> wrote:
> Good questions, thank you for trying to figure out what I am asking. :)
>
> Junio C Hamano:
>> Patrick Schleizer <patrick-mailinglists@whonix.org> writes:
>>
>>> When using git submodules, is there value in iterating about the git
>>> submodules running "git verfiy-commit HEAD" or would that be already
>>> covered by the git submodule verification?
>>
>> That depends on what you are referring to with the "git submodule
>> verification"
>
> cd submodule
> if ! git verfiy-commit HEAD ; then
> error
> fi
>
>> and more importantly what threat you are guarding
>> against.
>
> All main (non-submodule) (merge) commits and submodule (merge) commits
> are signed by me.
>
> 1) git --recursive clone main (non-submodule) git repository
> 2) cd git main repository
> 3) git verify-commit HEAD or git verify-tag tag-name
> 4) git submodule update
>
> What if the main (non-submodule) git repository gpg signature was okay
> but then after git fetched the submodules these compromised (MITM'ed) ones?
The signing in Git is just signing the commit hash essentially.
> Does the having gpg verified the root (main git repository) ensure that
> submodule commits are also quasi verified?
That is my understanding. There is no difference between the security of
a file or a submodule, just the way of obtaining and its reporting is different.
Both a file and a submodule are referred to via a hash (currently sha1).
Obtaining a file is implicit whereas obtaining the submodule is explicit.
The reporting (in e.g. git-status) ... depends on a lot of options to be set.
When signing the superproject, you acknowledge the submodules
being in the state as recorded. (Same with s/submodules/files/)
So I am not sure what kind of additional signing you're looking
for in the submodules.
Thanks,
Stefan
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-03-01 19:10 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-02-28 15:50 gpg verify git sub modules useful? Patrick Schleizer
2017-02-28 17:36 ` Junio C Hamano
2017-03-01 18:28 ` Patrick Schleizer
2017-03-01 19:08 ` Stefan Beller
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).