Hi Christoph,

Christoph Anton Mitterer wrote:

> How to cryptographically verify the integrity of a whole git repo (i.e.
> all its commits/blobs/etc. in the history?

This happens automatically as part of fetch.  When you fetch, the
objects' content is transferred over the wire but not their names.  The
name of each object is a hash of its content.  Thus, whenever you
address an object by its name, you are using its verified identity.

> Assume e.g. I have the kernel sources and want to do some bisection.
> One has also retrieved Linus' and GregKH's key via some trusted path
> and assumes that SHA1 is more or less still safe enough ;-)
>
> 1) Of course there is git verify-tag and verify-commit which are signed
> with GPG, but these alone check, AFAIU, only the respective
> tag/commit.

Tag and commit object content include the object ids for the objects
they reference, so (assuming we are using a strong hash) their name is
enough to verify all content reachable from them.  In other words, it's
a Merkle tree.

> How to check everything else? Is it enough to git fsck --full?

fsck is helpful for checking that objects are valid --- that they don't
reference any objects you don't have, that their format is correct, and
so on.  So it's good to run (or you can use the transfer.fsckObjects
setting to run fsck as part of the clone or fetch operation).

Thanks and hope that helps,
Jonathan
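The three points in the reply (an object's name is the hash of its content, commit -> tree -> blob names form a Merkle tree, and `git fsck --full` / transfer.fsckObjects catch an object whose content no longer matches its name) as an added shell walkthrough. This script is not part of the original message or of git itself. It assumes git and either sha1sum or shasum on PATH and the default SHA-1 object format; the repository, file names, contents and the "corruption" (copying one blob's loose object file over another's) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: git object names as content hashes, the Merkle chain,
# and how fsck / transfer.fsckObjects react to a mismatched object.
# Assumes git + sha1sum|shasum on PATH and SHA-1 object names (git's default).
set -eu

# Keep the demo independent of the caller's ~/.gitconfig (signing, templates, hooks).
export GIT_CONFIG_NOSYSTEM=1
export HOME="$(mktemp -d)"
trap 'rm -rf "$HOME"' EXIT

sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum -a 1; fi | cut -d' ' -f1
}

# Recompute a blob's object id by hand: SHA-1 over "blob <size>\0<content>".
# If this equals what git reports, the name really is a hash of the content.
git_blob_id_manual() {
    f=$1
    size=$(( $(wc -c < "$f") ))          # $(( )) strips the padding some wc print
    { printf 'blob %s\0' "$size"; cat "$f"; } | sha1_hex
}

# Constructed repository: two files, one commit. Prints the commit id.
demo_repo() {
    dir=$1
    git init -q "$dir"
    printf 'alpha\n' > "$dir/a.txt"
    printf 'beta\n'  > "$dir/b.txt"
    git -C "$dir" add a.txt b.txt
    git -C "$dir" -c user.name=Example -c user.email=example@example.invalid \
        -c commit.gpgsign=false commit -q -m 'initial import'
    git -C "$dir" rev-parse HEAD
}

# Walk the Merkle tree using names alone: commit -> tree -> blob for <path>.
# Nothing here trusts a file on disk; each step is the id embedded in the parent.
blob_via_chain() {
    dir=$1; commit=$2; path=$3
    tree=$(git -C "$dir" cat-file -p "$commit" | sed -n 's/^tree //p')
    git -C "$dir" cat-file -p "$tree" | awk -v p="$path" '$4 == p { print $3 }'
}

loose_path() {
    printf '%s/.git/objects/%s/%s' "$1" "$(printf %s "$2" | cut -c1-2)" "$(printf %s "$2" | cut -c3-)"
}

# Simulated corruption: store <donor>'s content under <victim>'s object name.
corrupt_blob() {
    dir=$1; victim=$2; donor=$3
    vpath=$(loose_path "$dir" "$(git -C "$dir" rev-parse "HEAD:$victim")")
    rm -f "$vpath"                                   # loose objects are read-only
    cp "$(loose_path "$dir" "$(git -C "$dir" rev-parse "HEAD:$donor")")" "$vpath"
}

fsck_ok() { git -C "$1" fsck --full >/dev/null 2>&1; }

# Clone through the real transport with transfer.fsckObjects on.
# --no-local matters: a plain local clone hard-links object files and skips the check.
clone_checked() {
    git -c transfer.fsckObjects=true clone -q --no-local "$1" "$2" >/dev/null 2>&1
}

run_demo() {
    work=$(mktemp -d)
    commit=$(demo_repo "$work/src")
    echo "commit $commit"
    echo "  tree $(git -C "$work/src" cat-file -p "$commit" | sed -n 's/^tree //p')"
    echo "  blob $(blob_via_chain "$work/src" "$commit" a.txt) a.txt"
    echo "  recomputed by hand: $(git_blob_id_manual "$work/src/a.txt")"
    fsck_ok "$work/src" && echo "fsck: clean"
    clone_checked "$work/src" "$work/clone-good" && echo "checked clone: ok"
    corrupt_blob "$work/src" a.txt b.txt
    fsck_ok "$work/src" || echo "fsck after corrupting a.txt's object: failed (expected)"
    clone_checked "$work/src" "$work/clone-bad" || echo "checked clone of corrupted repo: refused (expected)"
    rm -rf "$work"
}

run_demo
```

The corruption step is deliberately one that a byte-for-byte copy would not notice: the file at a.txt's object path is a perfectly well-formed loose object, just of the wrong content. `git fsck --full` catches it because it re-hashes every object and compares to the name, and a clone with transfer.fsckObjects refuses the result because the tree names a blob that no received object hashes to. Verifying a signed tag or commit on top of this gives you the trusted root of that chain.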