Re: Is git clone followed by git verify-tag meaningful?

On 2019-08-28 at 20:32:24, Konstantin Ryabitsev wrote:
> Hi, all:
> 
> If I know that a project uses tag signing, would "git clone" followed by
> "git verify-tag" be meaningful without a "git fsck" in-between? I.e. if an
> attacker has control over the remote server, can they sneak in any badness
> into any of the resulting files and still have the clone, checkout, and
> verify-tag return success unless the repository is fsck'd before verify-tag?
> 
> I assume that it would break during the checkout stage, but I wanted to
> verify my assumptions.

We pass the entire tag buffer to GnuPG, which means that we verify
exactly what is in the tag: no more, no less.  Whether that represents a
valid, usable tag with meaningful data is not verified, although of
course it can't be changed once written.

If you trust the signer to produce valid data, then you can verify the
tag and know that the data is correct.  If not, then you probably need
git fsck to verify that the data is usable and meets Git's standards.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204
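As an added illustration (not Git's code and not part of this thread), the following Python shows the distinction brian describes: a verifier hands the bytes before the armored signature block to GnuPG, so the signature covers the headers and message exactly, while checks that the tag is structurally sound (a 40-hex object id, a known object type, a tagger line) are a separate step of the kind `git fsck` performs. The sample tag buffers and the signature body are constructed placeholders; the example does not invoke `gpg --verify`, it only isolates what that call would be given.

```python
"""Split a Git tag object into signed payload and detached signature, then run
the structural checks a signature does not guarantee.  Added example, not Git's
own implementation; real signature checking is left to gpg --verify."""
import re
from dataclasses import dataclass, field

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"
OBJECT_ID = re.compile(r"^[0-9a-f]{40}$")
VALID_TYPES = {"commit", "tree", "blob", "tag"}
REQUIRED_HEADERS = ("object", "type", "tag", "tagger")


@dataclass
class TagParts:
    payload: str                 # exactly the bytes the signature covers
    signature: str               # armored detached signature, "" if unsigned
    headers: dict = field(default_factory=dict)
    message: str = ""


def split_tag_buffer(buf: str) -> TagParts:
    """Everything before the line that opens the armored signature is the
    signed payload; that line and everything after it is the signature."""
    lines = buf.split("\n")
    try:
        cut = lines.index(SIG_BEGIN)
    except ValueError:           # unsigned tag: the whole buffer is payload
        cut = len(lines)
    payload = "\n".join(lines[:cut])
    if cut < len(lines):
        payload += "\n"          # the newline preceding the signature is signed too
    signature = "\n".join(lines[cut:])

    head, _, message = payload.partition("\n\n")
    headers = {}
    for line in head.split("\n"):
        key, _, value = line.partition(" ")
        headers.setdefault(key, value)
    return TagParts(payload, signature, headers, message)


def wellformedness_problems(parts: TagParts) -> list:
    """Structural problems a valid signature cannot rule out: the signer may
    have signed a malformed tag, which is why fsck is a separate check."""
    problems = []
    for key in REQUIRED_HEADERS:
        if key not in parts.headers:
            problems.append(f"missing {key} header")
    oid = parts.headers.get("object", "")
    if oid and not OBJECT_ID.match(oid):
        problems.append("object header is not a 40-hex object id")
    typ = parts.headers.get("type", "")
    if typ and typ not in VALID_TYPES:
        problems.append(f"unknown object type {typ!r}")
    if parts.signature and SIG_END not in parts.signature:
        problems.append("signature block is not terminated")
    return problems


# Constructed sample tags; the signature body is placeholder text, not real data.
GOOD_TAG = (
    "object 0123456789abcdef0123456789abcdef01234567\n"
    "type commit\n"
    "tag v1.0\n"
    "tagger Example Maintainer <maint@example.invalid> 1567024344 +0000\n"
    "\n"
    "Release v1.0\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "PLACEHOLDERSIGNATUREDATA\n"
    "-----END PGP SIGNATURE-----\n"
)

# A tag that a signer could have signed as-is; the signature would still cover
# these exact bytes, yet the object id is not a usable reference.
MALFORMED_TAG = GOOD_TAG.replace(
    "object 0123456789abcdef0123456789abcdef01234567", "object deadbeef"
)

UNSIGNED_TAG = GOOD_TAG.split(SIG_BEGIN)[0]


if __name__ == "__main__":
    for name, buf in (("good", GOOD_TAG), ("malformed", MALFORMED_TAG)):
        parts = split_tag_buffer(buf)
        print(name, "signed bytes:", len(parts.payload),
              "problems:", wellformedness_problems(parts) or "none")
```

The payload returned by `split_tag_buffer` is what would be written to a temporary file and passed to `gpg --verify` together with the signature; the list from `wellformedness_problems` is non-empty for the malformed sample even though nothing about the signature step would differ, which is the gap `git fsck` fills.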


