Re: Question about git signed tags

Bob Hepple wrote:
> If we _do_ support "signed git tags" how do we code for it in the spec
> file?

As the builders lack Internet access, they can't pull directly from the
upstream Git repository. To verify a signed Git tag during the build,
it would be necessary to package up the whole Git repository (or enough
of it to include the source code, the tag and the signature) and upload
that instead of the source tarball. Then I suppose you would unpack the
repository in %prep and run some Git command to verify the signature,
probably "git verify-tag" which is described as "check the GPG signature
of tags".

gpgverify uses the command gpgv instead of gpg. It's a simplified
verification method that fits this use case better. If Git calls gpg and
expects to find a keyring in the user's home directory, then you'd have
to write the spec to prepare a suitable keyring, ensure that GnuPG will
find that and no other keyring, and tell it to trust the correct key.
It's far from trivial to get that right and secure.

I'm not aware of any tooling for this other than gpgverify, so I
suppose the answer is that Fedora does not support signed Git tags.

It should also be noted that with gpgverify we verify the signature
before we unpack the tarball. If a malicious tarball tries to attack
some vulnerability in Tar or Gzip, then either the verification will
fail and stop the build before the attack gets a chance to work, or else
the tarball was already malicious when the upstream developer signed it.
With Git I don't know how we could avoid unpacking the repository
archive before we verify the signed tag.

As to why the builders lack Internet access, I wasn't around when that
was decided but it helps ensure that the source RPM packages actually
contain the source code.

Björn Persson
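As an added illustration (not from Björn's message and not Fedora's own packaging), this spec fragment puts the two approaches he contrasts side by side: the supported gpgverify path, which verifies before anything is unpacked, and a hypothetical Git-tag path, which cannot. The %{gpgverify} macro and its --keyring/--signature/--data options are Fedora's; the tag name, the repository archive layout and the key file name are assumptions.

```spec
# --- Variant A: what Fedora supports today (tarball + detached signature) ---
# gpgverify drives gpgv with only the packaged keyring and runs BEFORE
# autosetup unpacks the tarball, so a hostile archive never reaches tar/gzip
# unless it was already that way when upstream signed it.
Source0:        %{name}-%{version}.tar.gz
Source1:        %{name}-%{version}.tar.gz.asc
# Upstream signer's public key exported with gpg; the fingerprint is a placeholder.
Source2:        gpgkey-FINGERPRINT-PLACEHOLDER.gpg
BuildRequires:  gnupg2

%prep
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup

# --- Variant B: hypothetical signed-tag flow (no Fedora tooling exists for it;
# shown only to make the ordering problem visible; a real spec would have one
# prep section, not both) ---
# The repository itself is the source, so it must be unpacked before git can
# read the tag, and git's gpg call needs a keyring that holds only our key.
Source0:        %{name}-%{version}-repo.tar.gz
Source1:        gpgkey-FINGERPRINT-PLACEHOLDER.gpg
BuildRequires:  git-core
BuildRequires:  gnupg2

%prep
%autosetup -n %{name}-%{version}-repo          # unpacked before any verification
export GNUPGHOME="$(mktemp -d)"                # empty, private keyring for this build
gpg --batch --import '%{SOURCE1}'              # only the packaged key is present
git verify-tag v%{version}                     # non-zero exit aborts the build
# A good signature from an imported but untrusted key still passes here; making
# git insist on trust (ownertrust, gpg.minTrustLevel) is the extra, error-prone
# step the message refers to.
```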

devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx