Re: [PATCH 1/1] verify-tag/verify-commit should exit unsuccessfully when signature is not trusted

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jul 31, 2018 at 08:25:47PM -0400, Santiago Torres wrote:
> On Wed, Aug 01, 2018 at 12:19:42AM +0000, brian m. carlson wrote:
> > On Tue, Jul 31, 2018 at 10:05:22PM +0200, Vojtech Myslivec wrote:
> > > Hello,
> > > 
> > > me and my colleague are struggling with automation of verifying git
> > > repositories and we have encountered that git verify-commit and
> > > verify-tag accepts untrusted signatures and exit successfully.
> > 
> > I don't have strong feelings on your change one way or the other, but
> > for automation it may be useful to use the --raw flag, which gives you
> > the raw gpg output and much greater control.  For example, you can
> > require that a subkey is or is not used or require certain algorithms.
> > 
> > I will say that most signatures are untrusted in my experience, so
> > unless people are using TOFU mode or making local signatures, git will
> > exit nonzero for most signatures.  I think the current status is to exit
> > on a good signature, even if it isn't necessarily a valid signature.
> > 
> > I'm interested to hear others' thoughts on this.
> 
> I'd find it odd that we deviate from the gpg behavior, that returns 0
> when verifyng an untrusted signatures. Tooling around gpg is generally
> difficult for this reason, but using the raw output should be enough to
> discard signatures with untrusted keys.
> 
> Another alternative is to use a keyring with trusted keys *only* and
> disable fetching keys from hkp servers. This way signature verification
> should fail.
> 
> Thanks,
> -Santiago.

This is not a deviation. GPG correctly recognizes difference between trusted,
untrusted and unknown levels. git on the other hand does not. Well it did until
the commit a4cc18f29. That one removed GPG exit code propagation.

I think that core of the problem is that git considers both 'TRUST_NEVER' and
'TRUST_UNDEFINED' as being the same. In git they both should result in error or at
lest 'TRUST_NEVER' should (the same way as it does with just GPG).

There is an illustration of difference of untrusted and unknown key verification
at the end of this mail. You can test it just by using your own GPG key (just use
our fingerprint instead).

My and my colleague's expectations are that 'git verify-commit branch' would
handle the commit on the tip of `branch` the  same way as 'git merge
--verify-signature branch'.

It is also confusing that untrusted key is ok but expired or missing one results
in error. GPG's primary usage is for building web of trust. And I think that
untrusted keys are more problematic in that sense than expired ones.


I also disagree with idea that using --raw should be only way how to check if we
trust a key. It is handy in scripts for sure if some additional info about
signature is required but I think that it should not be primary way to check for
signature validity. Exit code should serve that purpose the same way as in case of
GPG itself.

Small example would be that to replace current GPG behavior in portable way
(shells such as dash or ash) it is required to do at least this:

set -e
RES="$(git verify-tag --raw v1.1 2>&1)"
! echo "$RES" | grep -q "^\[GNUPG:\] TRUST_NEVER"

And that will for sure get more complicated when I use other trust levels and/or
trust database and different trust model but direct.

Overall I thing that deviation from returning GPG exit code was not the best and I
don't understand why it was done. Decision if signature validity is reported as
error should be on GPG not on git specially when there is almost no configuration
possibility for GPG in git.

Note that our proposed change is conservative and drawn as a unification of
behavior of pull/merge and verify-*. To make it really optimal for automation it
would be best to return exit code of GPG command.

With regards
Karel Kočí


Illustration of difference between unknown and untrusted key:

$ gpg --sign file
$ mkdir -m 700 gpgt
$ export GNUPGHOME=$PWD/gpgt
$ echo 'trust-model:0:"direct' | gpgconfg --change-options gpg
$ gpg --recv-keys 2B1F70F95F1B48DA2265A7FAA6BC8B8CEB31659B
$ gpg --list-key
/home/cynerd/gpgt/pubring.kbx
-----------------------------
pub   rsa2048 2016-07-07 [SC]
      2B1F70F95F1B48DA2265A7FAA6BC8B8CEB31659B
uid           [ unknown] Karel Kočí (nic.cz) <karel.koci@xxxxxx>
uid           [ unknown] Karel Kočí (cynerd.cz) <cynerd@xxxxxxxx>
uid           [ unknown] Karel Kočí (sh.cvut.cz) <k.koci@xxxxxxxxxx>
uid           [ unknown] Karel Kočí (fel.cvut.cz) <kocikare@xxxxxxxxxxx>
sub   rsa2048 2016-07-07 [E]
sub   rsa4096 2016-09-27 [S]
$ gpg --verify file.gpg
gpg: Signature made Fri 03 Aug 2018 02:01:49 PM CEST
gpg:                using RSA key 46D715A0ED0E0C433CBF5963D83BD732AC2BD828
gpg:                issuer "karel.koci@xxxxxx"
gpg: Good signature from "Karel Kočí (nic.cz) <karel.koci@xxxxxx>" [marginal]
gpg:                 aka "Karel Kočí (cynerd.cz) <cynerd@xxxxxxxx>" [marginal]
gpg:                 aka "Karel Kočí (sh.cvut.cz) <k.koci@xxxxxxxxxx>" [marginal]
gpg:                 aka "Karel Kočí (fel.cvut.cz) <kocikare@xxxxxxxxxxx>" [marginal]
gpg: WARNING: This key is not certified with sufficiently trusted signatures!
gpg:          It is not certain that the signature belongs to the owner.
$ echo $?
0
$ echo "2B1F70F95F1B48DA2265A7FAA6BC8B8CEB31659B:4:" | gpg --import-ownertrust
$ gpg --list-key
/home/cynerd/gpgt/pubring.kbx
-----------------------------
pub   rsa2048 2016-07-07 [SC]
      2B1F70F95F1B48DA2265A7FAA6BC8B8CEB31659B
uid           [  never ] Karel Kočí (nic.cz) <karel.koci@xxxxxx>
uid           [  never ] Karel Kočí (cynerd.cz) <cynerd@xxxxxxxx>
uid           [  never ] Karel Kočí (sh.cvut.cz) <k.koci@xxxxxxxxxx>
uid           [  never ] Karel Kočí (fel.cvut.cz) <kocikare@xxxxxxxxxxx>
sub   rsa2048 2016-07-07 [E]
sub   rsa4096 2016-09-27 [S]
$ gpg --verify file.gpg
gpg: WARNING: unsafe permissions on homedir '/home/cynerd/gpgt'
gpg: Signature made Fri 03 Aug 2018 02:01:49 PM CEST
gpg:                using RSA key 46D715A0ED0E0C433CBF5963D83BD732AC2BD828
gpg:                issuer "karel.koci@xxxxxx"
gpg: Good signature from "Karel Kočí (nic.cz) <karel.koci@xxxxxx>" [never]
gpg:                 aka "Karel Kočí (cynerd.cz) <cynerd@xxxxxxxx>" [never]
gpg:                 aka "Karel Kočí (sh.cvut.cz) <k.koci@xxxxxxxxxx>" [never]
gpg:                 aka "Karel Kočí (fel.cvut.cz) <kocikare@xxxxxxxxxxx>" [never]
gpg: WARNING: We do NOT trust this key!
gpg:          The signature is probably a FORGERY.
$ echo $?
1

Attachment: signature.asc
Description: PGP signature


[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux