insecurity in verify-tag?

I've just been looking at the code and I see what looks like a (minor)
security hole in the verify-tag feature.  In particular, the tag
verification code doesn't check that the tag is signed by the same
user that created the tag.  To be fair, gpg does output the identity
of the key that created the signature as well as the key used to
create the signature, so an astute user could detect that some
shenanigans are going on.

An attack would simply require getting one's own public key into the
keyring of a user.  This probably wouldn't be very easy at the moment,
but if people were to actually use encrypted email (and if they set
their mail agents to download public keys), it might require no more
than sending a signed email to a mailing list.

Of course, you'd also somehow have to trick them into pulling (or
cloning) your corrupt tag, which probably requires compromising a
server (or mirror) somewhere.  But of course, the whole point of
signing tags is to eliminate precisely this danger.

What should be done about this? First, there ought to be a feature to
limit git verify-tag to use a specific keyring.  Maybe there is an
environment variable, and it's just not documented in the man page?

It would also seem like a good idea to at a minimum check that the
name/email associated with the signature is the same as that of the
tagger.  This doesn't gain you *too* much, since an attacker can
always create his own key with any name and email he likes, but at
least it means that users could feel safe adding keys to their public
keyring, as long as those keys have reasonable names/emails associated
with them, and as long as they run git show on a tag before trusting
that that tag came from a particular person; i.e., it seems reasonable
for me to expect that if I run:

$ git show v1.0
tag v1.0
Tagger: Linus Torvalds ...
...
[user carefully reads the Tagger line...]
$ git verify-tag v1.0 && make

that I won't be running make on a repository that wasn't signed by a
key that at least *claims* to belong to Linus Torvalds.

Thoughts?
-- 
David Roundy
mkdir temp
cd temp
git init
Initialized empty Git repository in /tmp/temp/.git/
date > foo
git add foo
export GIT_AUTHOR_NAME="Someone else"
export GIT_AUTHOR_EMAIL="notme@xxxxxxxxxxx"
export GIT_COMMITTER_NAME="Linus Torvalds"
export GIT_COMMITTER_EMAIL="linus@xxxxxxxxxxx"
git commit -m 'hello world'
Created initial commit dc3b7e9: hello world
 1 files changed, 1 insertions(+), 0 deletions(-)
 create mode 100644 foo
git tag -u droundy -m foo v1.0
gpg: Invalid passphrase; please try again ...
gpg: Invalid passphrase; please try again ...

git verify-tag v1.0
gpg: Signature made Tue 24 Nov 2009 11:41:49 AM EST using DSA key ID D3D5BCEC
gpg: Good signature from "David Roundy <roundyd@xxxxxxxxxxxxxxxxxxxxxxx>"
gpg:                 aka "David Roundy <droundy@xxxxxxxxx>"
gpg:                 aka "David Roundy <droundy@xxxxxxxxxxxxxxx>"
gpg:                 aka "David Roundy <daveroundy@xxxxxxxxx>"

git show v1.0
tag v1.0
Tagger: Linus Torvalds <linus@xxxxxxxxxxx>
Date:   Tue Nov 24 11:41:49 2009 -0500

foo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAksMDM0ACgkQQ6uZI9PVvOyXFQCgoc4UYfNFYzVH4HduLdh9VUc/
NSkAn05yr/ARnWGUC8I/OmjhZJEjG5Oa
=ro48
-----END PGP SIGNATURE-----
commit dc3b7e9f8f5c49bdfe8816abdb4bb392c30e3ef5
Author: Someone else <notme@xxxxxxxxxxx>
Date:   Tue Nov 24 11:41:49 2009 -0500

    hello world

diff --git a/foo b/foo
new file mode 100644
index 0000000..c1857fa
--- /dev/null
+++ b/foo
@@ -0,0 +1 @@
+Tue Nov 24 11:41:49 EST 2009
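One way to implement the tagger-versus-signer identity check proposed in the message above, as an added example that is not part of David Roundy's post or of git itself: it parses the "tagger" line of a tag object (as `git cat-file -p <tag>` prints it) and the GOODSIG lines of gpg's machine-readable `--status-fd` output. The tag object, status lines, key id and e-mail addresses below are constructed samples modelled on the transcript.

```python
import re

# Constructed sample of a tag object as `git cat-file -p v1.0` would print it,
# modelled on the transcript above (signature body replaced by a placeholder).
TAG_OBJECT = """object dc3b7e9f8f5c49bdfe8816abdb4bb392c30e3ef5
type commit
tag v1.0
tagger Linus Torvalds <linus@example.org> 1259080909 -0500

foo
-----BEGIN PGP SIGNATURE-----
(constructed sample: signature body omitted)
-----END PGP SIGNATURE-----
"""

# Constructed samples of `gpg --status-fd 1 --verify` output. The first mirrors
# the transcript (signed by David Roundy's key, constructed key id); the second
# is what a signature from a key bearing the tagger's own user ID would report.
GPG_STATUS_MISMATCH = "[GNUPG:] GOODSIG 0123456789ABCDEF David Roundy <droundy@example.org>\n"
GPG_STATUS_MATCH = "[GNUPG:] GOODSIG FEDCBA9876543210 Linus Torvalds <linus@example.org>\n"

TAGGER_RE = re.compile(r"^tagger (?P<name>.*?) <(?P<email>[^>]+)>", re.M)
UID_RE = re.compile(r"^(?P<name>.*?)\s*<(?P<email>[^>]+)>$")


def tagger_identity(tag_object: str) -> tuple:
    """Return (name, email) from the tag object's tagger header."""
    m = TAGGER_RE.search(tag_object)
    if not m:
        raise ValueError("tag object has no tagger line")
    return m.group("name").strip(), m.group("email").lower()


def signer_identities(gpg_status: str) -> list:
    """Collect (name, email) from every GOODSIG status line gpg emitted.

    gpg reports one user ID per GOODSIG line (the key's primary one), so the
    'aka' identities shown in human-readable output are not visible here.
    """
    ids = []
    for line in gpg_status.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4 and parts[0] == "[GNUPG:]" and parts[1] == "GOODSIG":
            m = UID_RE.match(parts[3].strip())
            if m:
                ids.append((m.group("name").strip(), m.group("email").lower()))
    return ids


def signer_matches_tagger(tag_object: str, gpg_status: str) -> bool:
    """True only if a good signature came from a key whose user ID equals the tagger.

    This is the check the message asks for: it catches a signature from an
    unrelated key in the keyring, but (as the author notes) not a key that
    merely claims the tagger's name and e-mail; key trust is a separate question.
    """
    return tagger_identity(tag_object) in signer_identities(gpg_status)
```

A mismatch should be treated as "stop and inspect", not as proof of tampering, since a tagger who signs with a non-primary user ID would also fail this check.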
