On Sat, 10 Feb 2007, Jakub Narebski wrote: > > One of the solutions, used in git.git repository, is to put public key > as a out-of-tree blob using git-hash-object, then tag it using singed tag > with instruction about how to extract key in the tag message (tag comment). No. That's horrible. Yes, it's what Junio did, but if you don't trust the archive, the _last_ thing you should do is to depend on a blob in the archive itself to contain the thing to make you trust it more. So you want to get the gpg public key from somewhere else to be able to _independently_ verify that it's ok. Otherwise, somebody could just totally replace the object with one of their own, and then _claim_ that the public key they made is "junio-gpg-pub", and fool people into thinkign it's signed by Junio. So to get a valid chain of trust, you really have to have some sideband channel to get you started. There's a lot of infrastructure for that elsewhere (ie the whole "sign other peoples keys" thing that is so central to pgp), but even if you don't have a key to start with, you're actually better off getting a key (even with no other validation) from an independent source than have it be in the repository itself. Because at least then any attacker has to fake _two_ things, rather than just a single repo. Of course, in *practice* this is not a problem. And, in fact, thanks to git's SHA1 setup, you obviously don't have to really verify the key itself in git, you really only want to verify that yes, the object name is correct (ie if you get some sideband information from Junio that the "object 0246401b5d117e01717149c413aa2f8702a83d4f" really is Junio's key, that's sufficient in itself). (The "sideband channel" can be something as simple as google. For example, if you just google for the SHA1 of the tag itself, you'll actually get a lot of hits for it - a0e7d36193b96f552073558acf5fcc1f10528917 (which is not the key itself, but it is the tag that points to it, which in turn is signed with the key) shows up in manyplaces, and that very fact in itself is "interesting" as a sideband information. It's not "proof", but it's certainly one piece of information that may make you more comfortable with that tag not being something recent and fake - it's been around and been quoted by me in email archives, so if it's faked, it's fooled a number of people). Linus - To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html