RE: Lack of detached signatures

On Wed, 2011-09-28 at 04:17 +0000, Olsen, Alan R wrote:
> [Sorry for the top posting. Outlook is evil.]
> 
> Detached signatures are created with gpg, not git.

Git delegates all the signing business to gpg.

> 
> What I would like to see in git would be signed commits. I have looked

Every single commit? That sounds very heavy. You might want to look at
signed pushes (signed push certificates), which were discussed in the
list some time the kernel.org intrusion.

Due to the way git calculates the hash for each object, signing a tag
means that you also sign every single commit up to that point (with all
their tree and blob objects).

>  at what it would take to make it work, but I don't have all the
> details worked out. (Certain merges and cherry-picks would not work
> very well.)

This is precisely because of the cryptographic hash that is used to make
sure that history doesn't get changed.

   cmn

> 
> -----Original Message-----
> From: git-owner@xxxxxxxxxxxxxxx [mailto:git-owner@xxxxxxxxxxxxxxx] On Behalf Of Michael Witten
> Sent: Tuesday, September 27, 2011 5:08 PM
> To: Junio C Hamano
> Cc: Joseph Parmelee; git@xxxxxxxxxxxxxxx
> Subject: Re: Lack of detached signatures
> 
> On Wed, Sep 28, 2011 at 00:03, Junio C Hamano <gitster@xxxxxxxxx> wrote:
> > Joseph Parmelee <jparmele@xxxxxxxxxxxx> writes:
> >
> >> Under the present circumstances, and particularly considering the
> >> sensitivity of the git code itself, I would suggest that you implement
> >> signed detached digital signatures on all release tarballs.
> >
> > Well, signed tags are essentially detached signatures. People can verify
> > tarballs against them if they wanted to, although it is a bit cumbersome.
> 
> Aren't tarballs used to get git on machines that don't yet have git?


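The point made earlier in this reply, that signing a tag implicitly signs every commit, tree and blob reachable from it, follows from how git derives object ids. The script below is an added illustration, not code from this thread or from git itself: it re-implements git's object-id construction (SHA-1 over `<type> <size>\0<payload>`) for blobs, trees, commits and the annotated-tag payload that gpg actually signs, then shows that rewriting the first commit changes the head commit id and therefore the tag payload, even though the head commit's tree is untouched. The tagger identity, file contents and messages are constructed sample values; the empty-blob, `hello\n` blob and empty-tree ids are git's well-known values and serve as a self-check.

```python
import hashlib


def git_object_id(obj_type: str, payload: bytes) -> str:
    """SHA-1 over "<type> <size>\\0<payload>", exactly how git names a loose object."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(entries) -> str:
    """entries: iterable of (mode, name, object_id_hex).

    Git stores each entry as "<mode> <name>\\0" followed by the 20 raw id bytes,
    sorted by name (plain files only here; directories sort as "name/")."""
    body = b"".join(
        f"{mode} {name}\0".encode() + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=lambda e: e[1])
    )
    return git_object_id("tree", body)


def commit_id(tree: str, parents, ident: str, message: str) -> str:
    """A commit names its tree and its parents by id, so it covers all of them."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}"]
    return git_object_id("commit", ("\n".join(lines) + "\n\n" + message).encode())


def tag_payload(commit: str, name: str, ident: str, message: str) -> bytes:
    """The bytes gpg signs for an annotated tag; the first line pins the commit id."""
    return f"object {commit}\ntype commit\ntag {name}\ntagger {ident}\n\n{message}".encode()


# Constructed sample identity (git format: name, e-mail, epoch seconds, tz offset).
IDENT = "Example Tagger <tagger@example.invalid> 1317182400 +0000"


def build_history(initial_message: str) -> dict:
    """Two-commit history ending in an annotated tag; only the root commit message varies."""
    readme = blob_id(b"hello\n")
    first_tree = tree_id([("100644", "README", readme)])
    first = commit_id(first_tree, [], IDENT, initial_message)
    head_tree = tree_id([
        ("100644", "README", readme),
        ("100644", "main.c", blob_id(b"int main(void) { return 0; }\n")),
    ])
    head = commit_id(head_tree, [first], IDENT, "add main\n")
    return {
        "first": first,
        "head_tree": head_tree,
        "head": head,
        "tag_payload": tag_payload(head, "v1.0", IDENT, "release 1.0\n"),
    }


def tamper_propagates() -> dict:
    """Rewrite the root commit and watch the change ripple up to the signed tag payload."""
    original = build_history("initial\n")
    rewritten = build_history("initial (rewritten)\n")
    return {
        # the head commit's tree is byte-identical in both histories ...
        "head_tree_same": original["head_tree"] == rewritten["head_tree"],
        # ... yet every id from the rewritten commit up to the tag payload differs,
        # so a gpg signature over the original payload no longer verifies.
        "first_commit_changed": original["first"] != rewritten["first"],
        "head_changed": original["head"] != rewritten["head"],
        "tag_payload_changed": original["tag_payload"] != rewritten["tag_payload"],
    }


if __name__ == "__main__":
    for key, value in tamper_propagates().items():
        print(f"{key}: {value}")
```

The same reasoning is why the merges and cherry-picks mentioned above are awkward for per-commit signatures: a cherry-pick produces a new commit object with a different parent line, so any signature computed over the original commit bytes does not carry across.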