1 |
On Thu, Aug 25, 2011 at 12:23:40AM -0400, Mike Frysinger wrote: |
2 |
> On Monday, August 22, 2011 15:28:57 Robin H. Johnson wrote: |
3 |
> > Unresolved items: |
4 |
> > - commit signing |
5 |
> > - thin Manifests |
6 |
> how exactly are these two supposed to interact ? the previous discussion |
7 |
> seemed to miss signing. if devs sign the thin manifests, when we go to |
8 |
> produce the full manifest for rsync, we invalidate the signature. |
9 |
Thin Manifests are not going to be explicitly signed like the current |
10 |
signatures. |
11 |
|
12 |
To summarize this better: |
13 |
1. Thin Manifests contain DIST lines, and _nothing_ else. |
14 |
1.1. Specifically: no signatures, and esp. not any other files that |
15 |
appear in Git. |
16 |
2. Commits (or pushes [1]) are signed going into Git. |
17 |
2.1. Non-signed commits/pushes are REJECTED by git-receive-pack on the |
18 |
server-side. |
19 |
3. Git->rsync build phase: |
20 |
3.1. Verify all commit signatures. |
21 |
3.2. Add metadata and other files. |
22 |
3.3. Build thick Manifests. |
23 |
3.4. Produce new signatures for Manifests. |
24 |
3.5. MetaManifest? |
25 |
|
26 |
> the other attack we want to prevent is MITM when people sync. in this case, |
27 |
> someone who syncs over git:// is perpetually vulnerable with thin manifests as |
28 |
> the attacker can keep recomputing the collisions so that the modified tree |
29 |
> keeps ending up with the same digests as the public one. and the end user |
30 |
> never notices without manually reviewing everything themselves. |
31 |
I don't follow this attack. The commits are signed, and the git:// user |
32 |
can verify them. |
33 |
|
34 |
> well, it sort of does. sha1 has been shown to be weaker than brute forcing, |
35 |
... |
36 |
> talking about migrating away from it. and now in 2012, we want to talk about |
37 |
> migrating purely to it ? |
38 |
RESO UPSTREAM(git). It looks like Git will probably migrate to whatever |
39 |
hash wins the SHA-3 contest. |
40 |
|
41 |
Footnotes: |
42 |
[1] Current state of commit signing, 2011/09/13 05:00 UTC |
43 |
There's a variation of commit signing presently being actively discussed |
44 |
on the Git mailing list. It's making a LOT more progress than previous |
45 |
signing discussions. Rather than signing blobs or commits directly, it's |
46 |
actually signing pushes (which include the SHA1's of commits and thus |
47 |
blobs). I'm personally concerned it's going to still be vulnerable to |
48 |
the collision/pre-image attacks, but it's much better than no signing |
49 |
(one of the attacks suggested against my SHA1-workaround signing was to |
50 |
subvert the note that my signature was being stored in). |
51 |
|
52 |
-- |
53 |
Robin Hugh Johnson |
54 |
Gentoo Linux: Developer, Trustee & Infrastructure Lead |
55 |
E-Mail : robbat2@g.o |
56 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |