On Wed, Sep 07, 2011 at 01:57:27PM -0700, Junio C Hamano wrote: > If a tag is GPG-signed, and if you trust the cryptographic robustness of > the SHA-1 and GPG, you can guarantee that all the history leading to the > signed commit is not tampered with. However, it would be both cumbersome > and cluttering to sign each and every commit. Especially if you strive to > keep your history clean by tweaking, rewriting and polishing your commits > before pushing the resulting history out, many commits you will create > locally end up not mattering at all, and it is a waste of time to sign > them. Thanks to pcloud for including me on the thread. I do find the idea of these push-certificates very interesting and useful, but I think they will do best to augment signed commits, not replace them. There's a couple of related things we've been considering on the Gentoo side: - detached signatures of blobs (either the SHA1 of the blob or the blob itself) - The signature covering the message+blob details, but NOT the chain of history: this opens up the ability to cherry-pick and rebase iff there are no conflicts and the blobs are identical, all while preserving the signature. - concerns about a pre-image attack against Git. tl;dr version: 1. Attacker prepares decoy file in advance, that hashes to the same as the malicious file. 2. Attacker sends decoy in as an innocuous real commit. 3. Months later, the attacker breaks into the system and alters the packfile to include the new malicious file. 4. All new clones from that point forward get the malicious version. Re your comment on always needing to resign commits above, we'd been considering post-signing commits, not when they are initially made. After your commit is clean and ready to ship, you can fire the commit ids into the signature tool, which can generate a detached signature note for each commit. -- Robin Hugh Johnson Gentoo Linux: Developer, Trustee & Infrastructure Lead E-Mail : robbat2@gentoo.org GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85