From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Jonathan Nieder <jrnieder@gmail.com>
Cc: git@vger.kernel.org
Subject: Re: how to (integrity) verify a whole git repo
Date: Tue, 21 Apr 2020 16:42:16 +0200 [thread overview]
Message-ID: <be69ed1bade98cb7e414c2713fe0d6b5cadd7172.camel@scientia.net> (raw)
In-Reply-To: <20200421065301.GH96152@google.com>
Hey Jonathan.
On Mon, 2020-04-20 at 23:53 -0700, Jonathan Nieder wrote:
> This happens automatically as part of fetch. When you fetch, the
> objects' content is transfered over the wire but not their
> names. The
> name of each object is a hash of its content. Thus, whenever you
> address an object by its name, you are using its verified identity.
Okay maybe I wasn't clear enough :D (mixing up integrity and
authenticity).
I'd guess that what you describe here is, that effectively the chain of
all SHA1 hashes is computed when one does fetch, right?
But this alone doesn't guarantee cryptographic authenticity, e.g. as in
"that's the kernel sources as released by Linus".
> Tag and commit object content include the object ids for the objects
> they reference, so (assuming we are using a strong hash) their name
> is enough to verify all content reachable from them.
>
> In other words, it's a Merkle tree.
And for (cryptographically) checking the authenticity of that tree,
wouldn't I need to verify the signatures on it's leaves?
Taking again the kernel as an example:
If I clone the repo (or fsck it later), than all I know is that there
was no corruption, if the all the tips are correct, since they start
the chain of hash sums to all other objects.
But an attacker could have just forged these tips.
So for checking authenticity, I need to verify some signatures on them
Now if I check e.g. Linus signature on tag v5.6; I should know that
everything earlier (in the tree, not chronologically) to that tag are
authentic.
But not e.g. any commits on top of v.5.6 (which aren't either signed
themselves or protected by another tag "above" them).
Neither any commits never reached from v.5.6, e.g. later stable patches
like anything from above v.5.5 (which is again below v.5.6) up to
v.5.5.13, which is not.
So from my understanding, to use only commits that are authentic by the
kernel upstream developers, I'd need verify all these tips.. and throw
away everything which is not reachable by one of them.
Is that somehow possible?
Thanks,
Chris.
next prev parent reply other threads:[~2020-04-21 14:42 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-21 4:45 how to (integrity) verify a whole git repo Christoph Anton Mitterer
2020-04-21 6:53 ` Jonathan Nieder
2020-04-21 14:42 ` Christoph Anton Mitterer [this message]
2020-04-21 16:19 ` Konstantin Ryabitsev
2020-04-23 18:12 ` Christoph Anton Mitterer
2020-04-21 19:14 ` Junio C Hamano
2020-04-23 4:02 ` Christoph Anton Mitterer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=be69ed1bade98cb7e414c2713fe0d6b5cadd7172.camel@scientia.net \
--to=calestyo@scientia.net \
--cc=git@vger.kernel.org \
--cc=jrnieder@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).