On Tue, Jan 26, 2016 at 10:29:42AM -0500, Santiago Torres wrote: > > If you cannot trust those with write access to a repo that you are > > pulling and installing from you might want to re-check where you are > > pulling or installing from ;) > > Yeah, I see your point, but mechanisms to ensure the server's origin can > be bypassed (e.g., a MITM). I don't think it would hurt to ensure the > source pointed to is the source itself. The tag signature can help us do > this. Right. I think the more interesting use case here is "I trust the upstream repository owner, but I do not trust their hosting site of choice." > > Your best bet is checking the signature of signed tags. Now, if you're > > worried about someone maliciously pointing you to the wrong, correctly > > signed tag then you should verify that the tag object contains the tag > > "name" that you expect (for example by using "git verify-tag -v" or "git > > cat-file -p"), since that is part of the signed content. > > Yep, this is my intuition behind my proposal. While someone can manually > inspect a tag (git tag -v [ref]) to ensure he's getting the correct one, > there's no mechanism to ensure that the ref is pointing to the intended > tag. I do believe that package managers and git submodules could check > whether the ref is pointing to the right tag with a small change in the > tag header. Although it would be up to each tool to implement this > check. > > I don't think that an addition like this would get in the way of any > existing git workflow, and should be backwards-compatible right? Doesn't this already exist? $ git cat-file tag v2.0.0 object e156455ea49124c140a67623f22a393db62d5d98 type commit tag v2.0.0 tagger Junio C Hamano <gitster@xxxxxxxxx> 1401300269 -0700 Git 2.0 -----BEGIN PGP SIGNATURE----- [...] -----END PGP SIGNATURE----- Tag objects already have a "tag" header, which is part of the signed content. If you use "git verify-tag -v", you can check both that the signature is valid and that the tag is the one you are expecting. Of course, "verify-tag" could do this for you if you give it a refname, too, but I think that may be the tip of the iceberg in terms of automatic verification. In particular, verify-tag knows it was signed by _somebody_, but it doesn't know what the signing policy is. As a human, _I_ know that Junio is the right person to be signing the release tag, but no tool does. Git pretty much punts on all of these issues and assumes either a human or a smarter tool is looking at the verification output. But I don't think it would hurt to build in some features to let git automatically check some things, if only to avoid callers duplicating work to implement the checks themselves. -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html