List Archive: gentoo-scm
Headers:
To: gentoo-scm@g.o
From: "Robin H. Johnson" <robbat2@g.o>
Subject: Re: gpg signing of commits, was: Progress summary, 2009/06/01
Date: Fri, 5 Jun 2009 11:54:16 -0700
On Fri, Jun 05, 2009 at 02:59:18PM +0200, Robert Buchholz wrote:
> On Tuesday 02 June 2009, Robin H. Johnson wrote:
> > - Review commit signing
> >   - pclouds (a former Gentoo dev) contributed this prototype:
> >     http://thread.gmane.org/gmane.comp.version-control.git/115562/focus=118788
> >   - I'm not entirely convinced the above is right, as the commit
> >     message seems to end up unsigned.
> I was wondering why we need GPG signing of commits at all. I was 
> thinking about the following two arguments:
The commit signing I'm after is so that we can be absolutely certain who
introduced a given commit to the tree (who committed, AND who pushed the
merge/fast-forward), and have that information distributed inside the
tree.

This is related to the push logging issue, if you've seen the
discussions on tracking who committed vs. who pushed.

> 0. Intro
> git stores the SHA1 hashes of objects and one can check for errors in 
> the transmission or on the disk. This makes the (unsigned) Manifest 
> parts unnecessary. Commit signing is the equivalent of Manifest file 
> signing we have right now.
Yes, it's the replacement for the existing Manifest signing. The point
of that is proof of origin from developer BACK to infra.


> 1. It's not needed for tree signing
> The tree signing GLEP does not require signing of either commits or 
> Manifests. It relies on the main infra repository not being 
> compromised.
That's the external distribution portion of tree signing: infra -> world
It's unrelated to the problem at hand within Git.

> 2. It is not well designed (cryptographically)
> OpenPGP allows the usage of a set of cryptographic hash functions to sign 
> a document. This allows people to switch to a different function once 
> attacks against one algorithm become known. This has been recently seen 
> with SHA-1: http://www.debian-administration.org/users/dkg/weblog/48
I only stated that we need to offer GPG signing of commits. I did NOT
specify the content of commits, other than noting that the commit
message and the content need to be signed together.

> The git signing, however, relies on the collision resistance of SHA-1 as 
> that algorithm is used to identify objects in the repository. We cannot 
> migrate away from it easily. This has been discussed upstream at length 
> and Linus pointed out that 'the "signed tags" security does depend on 
> the hashes being cryptographically strong.':
> http://thread.gmane.org/gmane.comp.version-control.git/26106/focus=26125
The collision is going to come along anyway. 

Resigning would have to be done regardless of what we sign in Git.
Not sure if you followed more recent discussions than one in 2006.
The entire Git foodchain will suffer when it comes time to migrate away
from SHA-2. Presently discussions of it imply that it's to be done
probably as a versioned change, after the NIST hash competition comes up
with a viable answer.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@g.o
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
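
Added example, not part of the original message and not git's own code: a Python sketch of git's object format showing the point debated above, that a signature placed on a tag or commit object covers the commit message directly but covers file content only through the chain of SHA-1 object ids. The identity, timestamp, file name `Manifest` and tag name `v1` are constructed for illustration.

```python
import hashlib

# Constructed identity and timestamp, for illustration only.
WHO = "Example Dev <dev@example.org> 1244228056 -0700"

def git_object(kind, body):
    """Return (object id, stored bytes) in git's '<kind> <len>\\0<body>' format."""
    store = kind.encode() + b" " + str(len(body)).encode() + b"\0" + body
    return hashlib.sha1(store).hexdigest(), store

def tree_body(entries):
    """Serialize a flat tree of regular files: '100644 <name>\\0<20 raw id bytes>'."""
    return b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(oid)
        for name, oid in sorted(entries.items())
    )

def commit_body(tree_id, message):
    """A root commit: names its tree by SHA-1 and carries the message inline."""
    return f"tree {tree_id}\nauthor {WHO}\ncommitter {WHO}\n\n{message}\n".encode()

def tag_payload(commit_id, name):
    """Text of an annotated tag before a signature is appended to it."""
    return f"object {commit_id}\ntype commit\ntag {name}\ntagger {WHO}\n\n{name}\n".encode()

def build(content, message):
    """Build blob -> tree -> commit -> tag text; return the ids and the tag text."""
    blob_id, _ = git_object("blob", content)
    tree_id, _ = git_object("tree", tree_body({"Manifest": blob_id}))
    commit_id, _ = git_object("commit", commit_body(tree_id, message))
    return blob_id, tree_id, commit_id, tag_payload(commit_id, "v1")

if __name__ == "__main__":
    blob_id, tree_id, commit_id, payload = build(b"DIST foo-1.0.tar.gz\n", "add foo")
    print("blob  ", blob_id)
    print("tree  ", tree_id)
    print("commit", commit_id)
    # The text a signer would sign names the commit only by its SHA-1 id;
    # the file bytes never appear in it.
    print(payload.decode())
```

Anything signed at the tag or commit level therefore vouches for the tree exactly as far as SHA-1 resists collisions, while the commit message itself sits inside the hashed commit object.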
Updated Jun 17, 2009

Summary: Archive of the gentoo-scm mailing list.
