From: Daniel Kahn Gillmor <dkg@fifthhorseman•net>
To: git@vger•kernel.org
Subject: git tag -v should verify that the tag signer intended the same tag name as the user is verifying
Date: Wed, 20 Mar 2019 08:24:46 -0400
Message-ID: <875zsdu41d.fsf@fifthhorseman.net>
Hi git folks--

I understand that git tags can be easily renamed, for example:

    git push origin refs/tags/v0.0.3:refs/tags/v2.3.4

However, for tags signed with any recent version of git, the tag name is
also included in the signed material:

0 dkg@test:~$ git tag -v v0.0.3
object 8ae6a246bef5b5eb0684e9fc1c933a4f8441dadd
type commit
tag v0.0.3
tagger Daniel Kahn Gillmor <dkg@fifthhorseman•net> 1528706225 +0200

this is my tag message
gpg: Signature made Mon 11 Jun 2018 04:37:05 AM EDT
gpg: using Ed25519 key C90E6D36200A1B922A1509E77618196529AE5FF8
gpg: Good signature from "Daniel Kahn Gillmor <dkg@fifthhorseman•net>" [ultimate]
Primary key fingerprint: C4BC 2DDB 38CC E964 85EB E9C2 F206 9117 9038 E5C6
0 dkg@test:~$

But git tag doesn't verify that the internal name is the same as the
external name (note that it still returns an exit code of zero):

0 dkg@test:~$ git tag -v v2.3.4
object 8ae6a246bef5b5eb0684e9fc1c933a4f8441dadd
type commit
tag v0.0.3
tagger Daniel Kahn Gillmor <dkg@fifthhorseman•net> 1528706225 +0200

this is my tag message
gpg: Signature made Mon 11 Jun 2018 04:37:05 AM EDT
gpg: using Ed25519 key C90E6D36200A1B922A1509E77618196529AE5FF8
gpg: Good signature from "Daniel Kahn Gillmor <dkg@fifthhorseman•net>" [ultimate]
Primary key fingerprint: C4BC 2DDB 38CC E964 85EB E9C2 F206 9117 9038 E5C6
0 dkg@test:~$

This seems troublesome, as I expect there are many scripts that rely on
the tag name and the return code of "git tag -v" to assert that this is
a correct tag. Anyone in control of the above repository could pass off
an old tag (or indeed, a tag from an entirely different project that
happens to be signed by the same author) as whatever version they wanted
to, and convince automated scripts that work with new versions to
"upgrade".

I think "git tag -v" should be more strict about what it needs to "pass"
a verification.

At a minimum, if the internal tag name (the line matching "^tag " before
the first blank line) doesn't match the tag name being verified, "git
tag -v" should report a warning to stderr and return a non-zero error
code.

What do you think?

I'm not subscribed to git@vger•kernel.org, so please keep me in Cc on
this thread, thanks!

--dkg
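The header check proposed in the message above, written as an added shell wrapper around git (example code, not part of dkg's message or of git itself); the function names, the `git cat-file tag` lookup and the sample tag object are constructed for this illustration.

```shell
#!/bin/sh
# Added example: accept "git tag -v" only when the name embedded in the
# signed tag object matches the name that was asked for.

# Print the value of the "tag " header from a raw tag object on stdin.
# Only the header block (everything before the first blank line) counts,
# so a "tag ..." line inside the tag message cannot influence the result.
tag_header_name() {
    sed -n '/^$/q; /^tag /{s/^tag //p;q;}'
}

# check_tag_name EXPECTED < tag-object-text
# Returns 0 when the embedded name equals EXPECTED, otherwise prints a
# diagnostic on stderr and returns 1.
check_tag_name() {
    expected=$1
    embedded=$(tag_header_name)
    if [ "$embedded" != "$expected" ]; then
        printf 'error: %s is internally named "%s", refusing\n' \
            "$expected" "$embedded" >&2
        return 1
    fi
    return 0
}

# verify_tag NAME: git's own signature check first, then the name check.
# Both must succeed for the function to return 0 (hypothetical wrapper).
verify_tag() {
    name=$1
    git tag -v "$name" || return 1
    git cat-file tag "refs/tags/$name" | check_tag_name "$name"
}

# Constructed sample tag object, modelled on the one in the message above;
# the message body deliberately mentions another version name.
SAMPLE_TAG='object 8ae6a246bef5b5eb0684e9fc1c933a4f8441dadd
type commit
tag v0.0.3
tagger Example Tagger <tagger@example.org> 1528706225 +0200

this is my tag message, not for v2.3.4'

printf '%s\n' "$SAMPLE_TAG" | check_tag_name v0.0.3 && echo "v0.0.3: name matches"
printf '%s\n' "$SAMPLE_TAG" | check_tag_name v2.3.4 || echo "v2.3.4: rejected"
```

Used in a script, `verify_tag v2.3.4` fails where plain `git tag -v v2.3.4` in the message above returned zero.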