
Re: please use signed git commits (and tags)



On 26 May 2015 at 19:25, Vincent Bernat <bernat@debian.org> wrote:
>  ❦ 26 mai 2015 14:38 -0300, Henrique de Moraes Holschuh <hmh@debian.org> :
>
>>> A solution to this without history rewriting is to tag the commits you
>>> want to sign.
>>>
>>> You could tag any commit at any time, and sign that tag. Impractical if
>>> you want to retroactively sign a huge swathe of commits, but not bad if you
>>> want to retroactively sign a handful of releases, say.
>>
>> Just remember to have a meaningful comment/message for the signed tag,
>> because it can be duplicated/renamed at will.
>
> Doesn't it cover the SHA1 sum?

That's partially correct. Whilst one cannot modify the sha1 of the tag
object (and hence the sha1 of the commit it refers to) nor the
message in the tag object, one can rename the tag object itself, or
more precisely the name used to refer to said object.

I can publish a v4.1 signed tag which in fact has a message of v3.18 and
refers to the v3.18 commit of e.g. the linux git tree. The original tag
signature of v3.18 will validate.

This is because the ref name can point to anything. Hence newer git has
support for gpg signed pushes to audit who pushed the v3.18 object under
the v4.1 ref name.

-- 
Regards,

Dimitri.
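As an added example, not part of Dimitri's message or of git itself: a signed tag object carries its own name in a `tag <name>` header line, and that header is inside what the signature covers, while the ref name (`refs/tags/...`) is not. The small checker below parses the pretty-printed form of a tag object (what `git cat-file -p <ref>` prints) and reports when the name the tag object was signed under does not match the ref it is published as, which is exactly the v3.18-under-v4.1 scenario above. The SHA-1, tagger and signature text are constructed placeholders, and the checker does not verify the signature itself; that still has to be done with `git tag -v` / gpg.

```python
"""Detect a signed tag object republished under a different ref name.

Example code added to this thread; not from git or from any poster.
Input is the text `git cat-file -p <ref>` prints for an annotated tag.
"""

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample: a tag object that was signed as "v3.18".  The object
# id, tagger and signature body are placeholders, not real Linux data.
SAMPLE_TAG_OBJECT = """object 0123456789abcdef0123456789abcdef01234567
type commit
tag v3.18
tagger Example Tagger <tagger@example.org> 1418000000 -0800

Linux 3.18
-----BEGIN PGP SIGNATURE-----
(placeholder signature body)
-----END PGP SIGNATURE-----
"""


def parse_tag_object(text):
    """Split a pretty-printed tag object into headers, message and signature.

    The headers (object, type, tag, tagger) end at the first blank line;
    the PGP signature, if any, is appended to the end of the message.
    """
    header_block, _, body = text.partition("\n\n")
    headers = {}
    for line in header_block.splitlines():
        key, _, value = line.partition(" ")
        headers[key] = value
    sig_at = body.find(SIG_BEGIN)
    if sig_at == -1:
        message, signature = body, None
    else:
        message, signature = body[:sig_at], body[sig_at:]
    return {"headers": headers, "message": message.strip(), "signature": signature}


def check_ref_matches_tag(ref_name, tag_text, expected_object=None):
    """Return a list of findings; an empty list means the ref is consistent.

    ref_name may be given as "v4.1" or as the full "refs/tags/v4.1".
    expected_object, if given, is the commit id the tag is supposed to
    point at (e.g. taken from a release announcement).
    """
    tag = parse_tag_object(tag_text)
    short = ref_name[len("refs/tags/"):] if ref_name.startswith("refs/tags/") else ref_name
    findings = []

    # The signed-over name lives in the object; the ref name is just a pointer.
    embedded = tag["headers"].get("tag")
    if embedded != short:
        findings.append(
            f"ref {short!r} points at a tag object whose embedded name is {embedded!r}"
        )
    if tag["signature"] is None:
        findings.append("tag object carries no PGP signature")
    if expected_object is not None and tag["headers"].get("object") != expected_object:
        findings.append(
            f"tag object refers to {tag['headers'].get('object')!r}, expected {expected_object!r}"
        )
    return findings


if __name__ == "__main__":
    for ref in ("refs/tags/v3.18", "refs/tags/v4.1"):
        problems = check_ref_matches_tag(ref, SAMPLE_TAG_OBJECT)
        print(ref, "OK" if not problems else "; ".join(problems))
```

This only closes the ref-renaming gap; run it after `git tag -v` has confirmed the signature, not instead of it. For the audit trail Dimitri mentions, `git push --signed` attaches a signed certificate over the ref updates, and the receiving side's pre-receive and post-receive hooks get it in `GIT_PUSH_CERT` (with `GIT_PUSH_CERT_STATUS` and `GIT_PUSH_CERT_SIGNER`), so a hook can record who pushed which object under which ref name.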

