Gentoo Linux -- List Archive: gentoo-scm

Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647

List Archive: gentoo-scm

Navigation:

Lists: gentoo-scm: < Prev By Thread Next > < Prev By Date Next >

Headers:

To:	gentoo-scm@g.o
From:	"Robin H. Johnson" <robbat2@g.o>
Subject:	Re: Git gpg commit signing
Date:	Fri, 2 Sep 2011 22:58:51 +0000

On Sat, Sep 03, 2011 at 01:41:09AM +0300, Alexey Shvetsov wrote:
> Hi all!
> 
> Seems rsbac alive again and its people created a repo with git gpg 
> related things [1]
> 
> [1] http://git.rsbac.org/cgi-bin/gitweb.cgi?p=git-gpg.git;a=summary
What this does provide, despite the vulnerability I noted in the other
email, is a good framework for handling the signatures.

To defeat the attack I mentioned before, the signatures need to cover:
1. git cat-file commit $commitid |egrep -v '^(tree|parent|commiter)'
2. git diff-tree --no-commit-id -r --raw $commitid
2.1. Grab all of the blobid's from the 4th column.
3. "git show $blobid" for each blobid from #2.1

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@g.o
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

References:

Git gpg commit signing
-- Alexey Shvetsov

Navigation:

Lists: gentoo-scm: < Prev By Thread Next > < Prev By Date Next >

Previous by thread:

Preimage attack against Git/RSBAC commit signing Was: Git gpg commit signing

Next by thread:

[gitster@...: [Survey] Signed push]

Previous by date:

Preimage attack against Git/RSBAC commit signing Was: Git gpg commit signing

Next by date:

Re: Re: [gentoo-dev] Progress on cvs->git migration

Updated May 23, 2012

Summary: Archive of the gentoo-scm mailing list.

Donate to support our development efforts.