| 1 |
On 11 August 2015 at 15:44, Matthias Maier <tamiko@g.o> wrote: |
| 2 |
> |
| 3 |
> No, a signed tag verifies that the whole integrirty of the entire |
| 4 |
> repository, whereas a signed commit only authenticates the differences |
| 5 |
> introduced by a single commit. |
| 6 |
|
| 7 |
|
| 8 |
git tag -s test |
| 9 |
|
| 10 |
cat ./.git/refs/tags/test |
| 11 |
456d216e3d1894d62429daf0ec482c3afb087dbe |
| 12 |
|
| 13 |
git cat-file tag 456d216e3d1894d62429daf0ec482c3afb087dbe |
| 14 |
object 9ca77ee7f72902e4e89456ff560a670465969603 |
| 15 |
type commit |
| 16 |
tag test |
| 17 |
tagger Kent Fredric <kentfredric@×××××.com> 1439264837 +1200 |
| 18 |
|
| 19 |
A test tag |
| 20 |
-----BEGIN PGP SIGNATURE----- |
| 21 |
Version: GnuPG v2 |
| 22 |
|
| 23 |
iQIcBAABCAAGBQJVyXBKAAoJEOhUMksTZqgg2/kP/iCXS12W57RB2wPQHgebgSpK |
| 24 |
86zXXvXC5rqndTmGwOmYA9FcO/n2u+SMwk0ZGol9LWuvkKaW/6Wi/vzvG24lggWy |
| 25 |
GxKRQTNHPXVHxwPQZOhj6fwS9EkC3rCSMWv82qLrbXvBqsH/dLXymq2nl+YDEGi1 |
| 26 |
lLkDWkX7EYWA6sgdnDhNzjPaHVC9P5qP1JDZOrKY0Qzm9JBDMl0xO9/faITrBMDi |
| 27 |
BmVVHNELKQ9uN8BYxmQfHqUFKO2SWXFbqJftQ6LqpXmFHWDpasmY3gTMczPpQ47I |
| 28 |
le+LPo0tT3Yk0fhBc8uk0/69kaHMa5hMmBPHuHh5ANWLPpxSyiDzCqqS9i8wPB+M |
| 29 |
MONhAoVyLYaFUf62fBxa6kxKDdQuC5JRYjeiFs60k1uG/QI4OhjoIbbaaxJxQ0sy |
| 30 |
45iZ3PBlVxbgxkpPRJtftr9PJBMDabekZbI5F6jX7S+x6G40O4ss1W1QnXsdFvqd |
| 31 |
vJvVdIdnrGqu/6JXZpz2J65N3HfMqfj9PHNDJaxM6da6+z6HQ3JwvNSVum8dAaJn |
| 32 |
jKoisQ7bEuXl2WOj5SCfAqjtOUp2pbYJCCb5QVHWuHCk53cvcY6FmGQPEzj42uVQ |
| 33 |
bKSYGaJ3637t+NPysinifQv1HTfViP7lh/O3znsGj7qcm6DXGnHvkp84LFch6yiY |
| 34 |
/oFbaDvWZ8zKyMSAJ9Ou |
| 35 |
=Ieic |
| 36 |
-----END PGP SIGNATURE----- |
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
git cat-file tag 456d216e3d1894d62429daf0ec482c3afb087dbe > /tmp/sigfile |
| 41 |
cp /tmp/sigfile /tmp/sigfile.asc |
| 42 |
|
| 43 |
*edits both so sigfile has content, and asc file has signature* |
| 44 |
|
| 45 |
|
| 46 |
gpg --verify /tmp/sigfile.asc |
| 47 |
gpg: enabled debug flags: memstat |
| 48 |
gpg: assuming signed data in '/tmp/sigfile' |
| 49 |
gpg: Signature made Tue Aug 11 15:47:22 2015 NZST |
| 50 |
gpg: using RSA key E854324B1366A820 |
| 51 |
gpg: Good signature from "Kent Fredric (GMail) |
| 52 |
<kentfredric@×××××.com>" [unknown] |
| 53 |
gpg: aka "Kent Fredric (CPAN Author) |
| 54 |
<kentnl@××××.org>" [unknown] |
| 55 |
gpg: WARNING: This key is not certified with a trusted signature! |
| 56 |
gpg: There is no indication that the signature belongs to the owner. |
| 57 |
Primary key fingerprint: 3D96 B36C 8FEA AC54 F5A3 DAE7 E854 324B 1366 A820 |
| 58 |
gpg: keydb: kid_not_found_table: total: 1 |
| 59 |
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0 |
| 60 |
outmix=0 getlvl1=0/0 getlvl2=0/0 |
| 61 |
gpg: secmem usage: 0/65536 bytes in 0 blocks |
| 62 |
|
| 63 |
|
| 64 |
^^ - so its clear the signature is only on the tag data itself. |
| 65 |
|
| 66 |
And what does the tag refer to? |
| 67 |
|
| 68 |
object 9ca77ee7f72902e4e89456ff560a670465969603 |
| 69 |
|
| 70 |
What is that? |
| 71 |
|
| 72 |
|
| 73 |
git cat-file -t 9ca77ee7f72902e4e89456ff560a670465969603 |
| 74 |
commit |
| 75 |
|
| 76 |
|
| 77 |
So how is GPG verifying "The whole repository" ? |
| 78 |
|
| 79 |
-- |
| 80 |
Kent |
| 81 |
|
| 82 |
KENTNL - https://metacpan.org/author/KENTNL |
Archives