On 11 August 2015 at 15:44, Matthias Maier <tamiko@g.o> wrote:
>
> No, a signed tag verifies the whole integrity of the entire
> repository, whereas a signed commit only authenticates the differences
> introduced by a single commit.

git tag -s test

cat ./.git/refs/tags/test
456d216e3d1894d62429daf0ec482c3afb087dbe

git cat-file tag 456d216e3d1894d62429daf0ec482c3afb087dbe
object 9ca77ee7f72902e4e89456ff560a670465969603
type commit
tag test
tagger Kent Fredric <kentfredric@×××××.com> 1439264837 +1200

A test tag
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----

git cat-file tag 456d216e3d1894d62429daf0ec482c3afb087dbe > /tmp/sigfile
cp /tmp/sigfile /tmp/sigfile.asc

*edits both so sigfile has content, and asc file has signature*

gpg --verify /tmp/sigfile.asc
gpg: enabled debug flags: memstat
gpg: assuming signed data in '/tmp/sigfile'
gpg: Signature made Tue Aug 11 15:47:22 2015 NZST
gpg: using RSA key E854324B1366A820
gpg: Good signature from "Kent Fredric (GMail) <kentfredric@×××××.com>" [unknown]
gpg: aka "Kent Fredric (CPAN Author) <kentnl@××××.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3D96 B36C 8FEA AC54 F5A3 DAE7 E854 324B 1366 A820
gpg: keydb: kid_not_found_table: total: 1
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0 outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: secmem usage: 0/65536 bytes in 0 blocks

^^ - so it's clear the signature is only on the tag data itself.

And what does the tag refer to?

object 9ca77ee7f72902e4e89456ff560a670465969603

What is that?

git cat-file -t 9ca77ee7f72902e4e89456ff560a670465969603
commit

So how is GPG verifying "The whole repository"?

--
Kent

KENTNL - https://metacpan.org/author/KENTNL
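
Added example, not part of the original message: the manual split into /tmp/sigfile and /tmp/sigfile.asc, done in Python on a constructed tag object, to show exactly which bytes the signature covers and which object id those bytes name. The function names, the tagger identity and the signature body are this example's own placeholders; git_object_id() shows how git derives an id from an object's type, length and content.

```python
import hashlib

SIG_BEGIN = b"-----BEGIN PGP SIGNATURE-----"

# Constructed sample shaped like the `git cat-file tag` output in the message.
# The tagger and the signature body are placeholders, not real values.
SAMPLE_TAG = (
    b"object 9ca77ee7f72902e4e89456ff560a670465969603\n"
    b"type commit\n"
    b"tag test\n"
    b"tagger Example Tagger <tagger@example.invalid> 1439264837 +1200\n"
    b"\n"
    b"A test tag\n"
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"\n"
    b"PLACEHOLDER\n"
    b"-----END PGP SIGNATURE-----\n"
)


def split_signed_tag(raw: bytes):
    """Split a raw tag object into (signed payload, armored signature)."""
    if raw.startswith(SIG_BEGIN):
        return b"", raw
    pos = raw.find(b"\n" + SIG_BEGIN)
    if pos < 0:
        return raw, b""          # annotated tag without a signature
    return raw[:pos + 1], raw[pos + 1:]


def tag_headers(payload: bytes) -> dict:
    """Parse the header lines that precede the blank line and tag message."""
    head, _, _message = payload.partition(b"\n\n")
    pairs = (line.split(b" ", 1) for line in head.split(b"\n"))
    return {key.decode(): value.decode() for key, value in pairs}


def git_object_id(obj_type: str, body: bytes) -> str:
    """SHA-1 object id: hash of '<type> <length>\\0' followed by the content."""
    header = f"{obj_type} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()


if __name__ == "__main__":
    payload, signature = split_signed_tag(SAMPLE_TAG)
    headers = tag_headers(payload)
    print("signed bytes:", len(payload))
    print("names:", headers["type"], headers["object"])
    print("tag object id:", git_object_id("tag", SAMPLE_TAG))
```
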