List Archive: gentoo-scm
Headers:
To: gentoo-scm@g.o
From: "Robin H. Johnson" <robbat2@g.o>
Subject: Re: Git gpg commit signing
Date: Fri, 2 Sep 2011 22:58:51 +0000
On Sat, Sep 03, 2011 at 01:41:09AM +0300, Alexey Shvetsov wrote:
> Hi all!
> 
> Seems rsbac alive again and its people created a repo with git gpg 
> related things [1]
> 
> [1] http://git.rsbac.org/cgi-bin/gitweb.cgi?p=git-gpg.git;a=summary

What this does provide, despite the vulnerability I noted in the other
email, is a good framework for handling the signatures.

To defeat the attack I mentioned before, the signatures need to cover:
1. git cat-file commit $commitid |egrep -v '^(tree|parent|committer)'
2. git diff-tree --no-commit-id -r --raw $commitid
2.1. Grab all of the blobid's from the 4th column.
3. "git show $blobid" for each blobid from #2.1

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@g.o
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
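
The coverage list in the message above, written out as an added shell example (not part of the original message and not code from the git-gpg project). The function names are hypothetical, and restricting the header filter to the lines before the first blank line is a choice made for this example, not something the message specifies.

```shell
#!/bin/sh
# Added example: assemble the byte stream a signature would have to cover,
# following steps 1-3 of the message. All function names are hypothetical.

# Step 1: commit object minus the tree/parent/committer header lines.
# Filtering stops at the first blank line, so commit-message lines that
# happen to start with "tree" or "parent" remain covered (assumption of
# this example; the one-liner in the message filters every line).
filter_commit_header() {
    awk 'body { print; next }
         /^$/ { body = 1; print; next }
         /^(tree|parent|committer) / { next }
         { print }'
}

# Step 2.1: new-side blob ids, the 4th column of "diff-tree --raw" output.
# Deletions carry an all-zero id and gitlinks (mode 160000) name a commit
# of another repository; neither can be read with "git show" here, but
# both are still covered through the raw diff-tree lines of step 2.
blob_ids() {
    awk '$2 != "160000" && $4 !~ /^0+$/ && !seen[$4]++ { print $4 }'
}

# Steps 1-3 combined for one commit; must run inside a git repository.
signing_payload() {
    commitid=$1
    hdr=$(git cat-file commit "$commitid") || return 1
    raw=$(git diff-tree --no-commit-id -r --raw "$commitid") || return 1
    printf '%s\n' "$hdr" | filter_commit_header      # step 1
    printf '%s\n' "$raw"                             # step 2
    printf '%s\n' "$raw" | blob_ids |                # step 2.1
    while read -r blobid; do
        git show "$blobid" || exit 1                 # step 3
    done
}

# Stand-alone use: sh payload.sh <commitid> > payload.bin
if [ "$#" -gt 0 ]; then
    signing_payload "$1"
fi
```

The resulting stream is what would be handed to the signing tool in place of the bare commit object.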


Updated May 23, 2012

Summary: Archive of the gentoo-scm mailing list.
