On Thu, Aug 29, 2019 at 09:34:57AM -0400, Konstantin Ryabitsev wrote:

> As you know, for the Linux kernel we provide both tag signatures and
> detached PGP signatures on tarballs (and the same is true for git). The
> argument I hear frequently is that providing detached tarball signatures is
> redundant[*] when tags are already PGP-signed, so I wanted to double-check
> that all checksums are computed and matched on the client in the process of
> "git checkout" and we're not just verifying a signature of a non-verified
> checksum.
>
> In other words, I needed to double-check that what we get in the end is
> assurance that "all files in this repository are exactly the same as on the
> developer's system at the time when they ran 'git tag -s'."

Then yes, there is no need to fsck. When the objects were received on the
server side (by push) and then again when you got them from the server (by
clone), their sha1s were recomputed from scratch, not trusting the sender at
all in either case.

(Again, assuming you trust sha1; I think you should, especially since we use
the collision-detecting sha1 by default, but I wanted to make that part
clear).

> > Even without the fsck, we will compute the sha1 of each object (we must,
> > because the other side doesn't send it at all), and that we have all
> > objects reachable from the refs. So verifying the tag at that point
> > demonstrates a signature on the tag object, which refers to probably
> > some commit via sha1, which refers to actual trees and blobs by a chain
> > of sha1s. If you believe in the integrity of sha1, then it has
> > effectively signed all of that content.
>
> So, the client will actually calculate those checksums during the checkout
> stage to make sure that all content in the repository matches the hash of
> the commit being checked out, correct?

It's not during the checkout itself, but rather during the transfer of objects
into the receiving repository. I.e., there is no need to even have a checkout.
E.g., you could verify the tag and then use "git archive".

Do note that both archive and checkout can modify files from their
in-repository state using gitattributes (e.g., to do line-ending conversion,
or using export-subst to add things like the commit ID into the generated
tarball). So it's possible that a tarball (either generated from git-archive
or from checked out contents) may not be byte-for-byte identical. Depending on
your use case, that can range from an annoyance to ignore (if a developer is
using those features, tell them not to do that) to a security issue (if you
are somehow certifying the tarball contents based on the tag signature, there
is room for a malicious signer to tweak the tarball contents).

But I think your question is mostly just "if I clone the repo and verify the
tag, is it what the original person signed?". And that answer is yes.

-Peff
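The chain of sha1s Peff describes (tag -> commit -> tree -> blobs, with every object id recomputed by the receiver from the bytes actually transferred) can be shown with a small re-implementation of git's object naming. The block below is an added example, not code from the mail or from git itself: the function names (`object_id`, `tree_id`, `chain_ids`, `receive_object`), the author identity and the file contents are all constructed for illustration, and it uses plain SHA-1 rather than git's collision-detecting variant. The two known git ids it checks against (the empty blob and a blob containing `hello\n`) are the ones `git hash-object` produces.

```python
import hashlib

# Added example (not git's own code): git names every object by
# sha1("<type> <size>\0<payload>"). A receiving repository recomputes this
# from the bytes it was sent and never trusts an id claimed by the sender.


def object_id(obj_type: str, payload: bytes) -> str:
    """Hex sha1 that git assigns to an object of this type and payload."""
    header = f"{obj_type} {len(payload)}\0".encode("ascii")
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    return object_id("blob", content)


def tree_payload(entries) -> bytes:
    """Serialize tree entries as '<mode> <name>\\0<20 raw sha1 bytes>'.
    Only plain files are modelled here, so sorting by name matches git;
    subdirectories would need git's trailing-slash ordering rule."""
    out = b""
    for mode, name, hex_id in sorted(entries, key=lambda e: e[1]):
        out += f"{mode} {name}\0".encode("utf-8") + bytes.fromhex(hex_id)
    return out


def tree_id(entries) -> str:
    return object_id("tree", tree_payload(entries))


def commit_payload(tree_hex: str, message: str, parent_hex=None) -> bytes:
    lines = [f"tree {tree_hex}"]
    if parent_hex:
        lines.append(f"parent {parent_hex}")
    # Constructed identity and fixed timestamp so the example is deterministic.
    ident = "Example Dev <dev@example.invalid> 1567085697 -0400"
    lines.append(f"author {ident}")
    lines.append(f"committer {ident}")
    return ("\n".join(lines) + "\n\n" + message).encode("utf-8")


def commit_id(tree_hex: str, message: str, parent_hex=None) -> str:
    return object_id("commit", commit_payload(tree_hex, message, parent_hex))


def chain_ids(files: dict, message: str):
    """Build blob -> tree -> commit ids for a flat set of files.
    The commit id is what a signed tag ultimately names; changing a single
    byte in any file changes the blob, the tree and the commit ids."""
    entries = [("100644", name, blob_id(data)) for name, data in files.items()]
    t = tree_id(entries)
    return t, commit_id(t, message)


def receive_object(expected_hex: str, obj_type: str, payload: bytes) -> bool:
    """What the receiving side does during transfer: recompute the id of the
    bytes it got and compare to the id the chain above it expects."""
    return object_id(obj_type, payload) == expected_hex


if __name__ == "__main__":
    files = {"hello.txt": b"hello\n"}          # constructed sample content
    tree, commit = chain_ids(files, "Release v1.0\n")
    print("tree  ", tree)
    print("commit", commit, "(this is what 'git tag -s' signs over)")
    # A mirror that ships modified file contents cannot keep the same blob id,
    # so the receiver rejects the object before any checkout happens.
    print("genuine accepted:", receive_object(blob_id(b"hello\n"), "blob", b"hello\n"))
    print("altered accepted:", receive_object(blob_id(b"hello\n"), "blob", b"hello\n# extra\n"))
```

In real git the signature check is `git verify-tag <tag>` (or `git tag -v`), and the object-id recomputation happens inside `git fetch`/`git clone` (index-pack) for every object received; nothing in this chain depends on a working tree, which is why a verified tag followed by `git archive` is enough. The gitattributes caveat in the mail is outside this chain: line-ending conversion and `export-subst` rewrite file contents after the objects have been verified, so a byte-for-byte comparison of a generated tarball against another tarball can still differ even when the repository content is exactly what was signed.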