Re: tag2upload (git-debpush) service architecture - draft
On 02/08/2019 19:09, Ian Jackson wrote:
Sam Hartman writes ("Re: tag2upload (git-debpush) service architecture - draft"):
Can you outline how to get from the dsc to a verification of the tag
signature without contacting the dgit server?
Sure.
Split the tag object daa at the relevant ----- boundary. This gives
you 1. an unsigned tag data file (first half) 2. a detached armoured
PGP signature (second half). Feed that pair to gpgv (with appropriate
keyrings etc.). That's it.
That only verifies that that user signed *something*, not what contents
they signed. To do that, you need to include both the tag object and
the commit object: the tree objects (i.e. lists of file/subtree hashes)
can be reconstructed from the files.
Also, in current git this package contents check is relying on SHA-1,
unless you put an extra hash in the tag message.
You can think of Git's hashes as like Debian's .dsc/.changes but with
more levels:
Git [0]: file -> tree ( -> tree...) -> commit -> tag
(One file hash per file ("blob"), one tree object per directory. Not
shown and not important here: each commit also has a hash of its parent
commit(s))
Debian: tarball -> .dsc -> .changes
(Tarball hashed as a whole. Not shown: tarball also directly linked to
.changes.)
Verification would then be:
- check PGP signature on tag object
- check that the commit object has the hash listed in the tag object
- unpack source package tarball(s) (since you don't yet know they're the
right ones, you need to trust the tool you do this with to not be
vulnerable to malicious content, and be prepared to reject an
overly-large tarball as a DoS attack)
- create tree hashes ('git init' in the top level of the source package
is probably the easiest way to do this)
- check that the top-level tree object has the hash listed in the commit
object
[0] https://git-scm.com/book/en/v2/Git-Internals-Git-References
Reply to: