From: Junio C Hamano <gitster@pobox.com>
To: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Cc: git@vger.kernel.org
Subject: Re: Is git clone followed by git verify-tag meaningful?
Date: Wed, 28 Aug 2019 20:41:02 -0700 [thread overview]
Message-ID: <xmqq36hk1vw1.fsf@gitster-ct.c.googlers.com> (raw)
In-Reply-To: <20190828203224.GE26001@chatter.i7.local> (Konstantin Ryabitsev's message of "Wed, 28 Aug 2019 16:32:24 -0400")
Konstantin Ryabitsev <konstantin@linuxfoundation.org> writes:
> If I know that a project uses tag signing, would "git clone" followed
> by "git verify-tag" be meaningful without a "git fsck" in-between?
> I.e. if an attacker has control over the remote server, can they sneak
> in any badness into any of the resulting files and still have the
> clone, checkout, and verify-tag return success unless the repository
> is fsck'd before verify-tag?
>
> I assume that it would break during the checkout stage, but I wanted
> to verify my assumptions.
What you are trusting and what you are trying to protect?
I am assuming that you are cloning and a commit that has a signed
tag is at the tip of the default branch, which gets checked out and
you want to make sure that what you see in the working tree after
checkout is healthy. I also assume that you trust your local
machine, its Git and GPG binary included, and also you trust that
the underlying hash function Git uses has not been exploited for
this particular repository.
verify-tag would tell you that the tag you specify is signed by
which GPG key you have in your keychain. Since tag records the
commit object name, you can check it against the HEAD. As long
as you trust the underlying hash function and your local Git,
the trust flows from the HEAD's commit object name down to each
and every file checked out to the working tree. As long as you
did not get any error from checkout, no fsck is needed here.
If your project is high-valued target like the Linux kernel, it is
probably a good idea to enable fetch.fsckobjects so that the
incoming objects are automatically checked while receiving over the
wire.
prev parent reply other threads:[~2019-08-29 3:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-28 20:32 Is git clone followed by git verify-tag meaningful? Konstantin Ryabitsev
2019-08-28 23:27 ` brian m. carlson
2019-08-28 23:47 ` Jeff King
2019-08-29 13:34 ` Konstantin Ryabitsev
2019-08-29 14:10 ` Jeff King
2019-08-29 3:41 ` Junio C Hamano [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqq36hk1vw1.fsf@gitster-ct.c.googlers.com \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=konstantin@linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).