> -----Original Message----- > From: Patrick Schleizer > Sent: Friday, November 21, 2014 18:01 > > Dear git developers! > > Jeff King wrote: > > On Sun, Nov 16, 2014 at 03:31:10PM +0000, Patrick Schleizer wrote: > > > >> How safe are signed git tags? Especially because git uses > SHA-1. There > >> is contradictory information around. > >> > >> So if one verifies a git tag (`git tag -v tagname`), then > `checksout`s > >> the tag, and checks that `git status` reports no untracked/modified > >> files, without further manually auditing the code, how > secure is this > >> actually? Is it only as safe as SHA-1? > > > > Yes, it is only as "safe as SHA-1" in the sense that you > have GPG-signed > > only a SHA-1 hash. If somebody can find a collision with a > hash you have > > signed, they can substitute the colliding data for the data > you signed. The whole issue is a lot better than this makes it sound. Yes it is just a SHA1 hash, but it is a hash of a structured data format. You have very observable parts of that well structured data providede to the hash. The commit message, the directory contents, and lastly the files themselves. For a collision to occur, the commit message would have to likely have garbage in the message of a large nature. To generate a colision by commited file contents is unlikely because the file contents is reduced to a hash in the directory structure, which is in turn reduced to a hash in a commit structure. This would be noticed. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100 - - +1 (443) 269-1555 x333 Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html