Hey Jonathan.

On Mon, 2020-04-20 at 23:53 -0700, Jonathan Nieder wrote:
> This happens automatically as part of fetch. When you fetch, the
> objects' content is transferred over the wire but not their
> names. The
> name of each object is a hash of its content. Thus, whenever you
> address an object by its name, you are using its verified identity.

Okay maybe I wasn't clear enough :D (mixing up integrity and authenticity).

I'd guess that what you describe here is, that effectively the chain of all SHA1 hashes is computed when one does fetch, right?
But this alone doesn't guarantee cryptographic authenticity, e.g. as in "that's the kernel sources as released by Linus".

> Tag and commit object content include the object ids for the objects
> they reference, so (assuming we are using a strong hash) their name
> is enough to verify all content reachable from them.
>
> In other words, it's a Merkle tree.

And for (cryptographically) checking the authenticity of that tree, wouldn't I need to verify the signatures on its leaves?

Taking again the kernel as an example:
If I clone the repo (or fsck it later), then all I know is that there was no corruption, if all the tips are correct, since they start the chain of hash sums to all other objects.
But an attacker could have just forged these tips. So for checking authenticity, I need to verify some signatures on them.

Now if I check e.g. Linus' signature on tag v5.6, I should know that everything earlier (in the tree, not chronologically) to that tag is authentic.
But not e.g. any commits on top of v.5.6 (which aren't either signed themselves or protected by another tag "above" them).
Neither any commits never reached from v.5.6, e.g. later stable patches like anything from above v.5.5 (which is again below v.5.6) up to v.5.5.13, which is not.

So from my understanding, to use only commits that are authentic by the kernel upstream developers, I'd need to verify all these tips...
and throw away everything which is not reachable by one of them.

Is that somehow possible?

Thanks,
Chris.
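A worked model of the two points in this exchange, added here as an example and not taken from the thread or from git's own code: it reproduces git's object naming (SHA-1 over `<type> <size>\0<payload>`, as in a SHA-1 repository) to show that a tampered blob changes the tip's name, and then computes, over a constructed toy history shaped like the v5.5 / v5.6 / v5.5.13 example above, which commits are not reachable from any signature-verified tip. The commit ids, author line and labels are constructed for the demo and are not real kernel object ids; the signature check itself (`git verify-tag`) is assumed to have been done already, and the reachability walk is what `git rev-list --all --not <verified tips>` would print in a real repository. The tree sort is simplified to plain files only.

```python
import hashlib

# Git names an object by hashing "<type> <size>\0<payload>" (SHA-1 in a
# SHA-1 repository). Trees embed blob ids, commits embed tree and parent
# ids, so one verified tip name covers everything reachable from it.
def git_object_id(kind: str, payload: bytes) -> str:
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()

def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)

def tree_id(entries) -> str:
    """entries: (mode, name, hex_id). Git sorts by name (directories as
    name + '/'); only plain files are used here, so a plain sort suffices."""
    payload = b"".join(
        f"{mode} {name}".encode() + b"\0" + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=lambda e: e[1])
    )
    return git_object_id("tree", payload)

AUTHOR = "A U Thor <author@example.com> 1587456780 +0000"  # constructed

def commit_id(tree: str, parents, message: str) -> str:
    lines = [f"tree {tree}", *[f"parent {p}" for p in parents],
             f"author {AUTHOR}", f"committer {AUTHOR}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())

def tip_changes_when_content_changes() -> bool:
    """A tampered blob propagates up to the commit id, which is why a
    signature over a tag/commit name authenticates the whole subtree."""
    good = commit_id(tree_id([("100644", "file", blob_id(b"good\n"))]), [], "x")
    bad = commit_id(tree_id([("100644", "file", blob_id(b"evil\n"))]), [], "x")
    return good != bad

def reachable(tips, parents_of) -> set:
    """Ancestor closure of the given tips (what `git rev-list <tips>` walks)."""
    seen, stack = set(), list(tips)
    while stack:
        c = stack.pop()
        if c not in seen:
            seen.add(c)
            stack.extend(parents_of.get(c, ()))
    return seen

def build_history():
    """Constructed toy history (labels only; not real kernel object ids):
    base -> v5.5 -> v5.6 -> after_v5.6
              +-> stable_a -> v5.5.13
    """
    empty_tree = tree_id([])
    ids, parents_of = {}, {}

    def add(label, parent_labels, msg):
        cid = commit_id(empty_tree, [ids[p] for p in parent_labels], msg)
        ids[label] = cid
        parents_of[cid] = [ids[p] for p in parent_labels]

    add("base", [], "initial")
    add("v5.5", ["base"], "Linux 5.5")
    add("v5.6", ["v5.5"], "Linux 5.6")
    add("after_v5.6", ["v5.6"], "unsigned commit on top of v5.6")
    add("stable_a", ["v5.5"], "stable fix")
    add("v5.5.13", ["stable_a"], "Linux 5.5.13")
    return ids, parents_of

def unverified_labels(verified_tips) -> list:
    """Commits not reachable from any signature-verified tip: the set to
    discard. Signature checking itself (`git verify-tag`) is assumed done."""
    ids, parents_of = build_history()
    trusted = reachable([ids[t] for t in verified_tips], parents_of)
    return sorted(label for label, cid in ids.items() if cid not in trusted)

if __name__ == "__main__":
    print("empty blob:", blob_id(b""))
    print("only v5.6 verified, untrusted:", unverified_labels(["v5.6"]))
    print("v5.6 + v5.5.13 verified, untrusted:",
          unverified_labels(["v5.6", "v5.5.13"]))
```

With only v5.6 verified, the stable commits (stable_a, v5.5.13) and the commit on top of v5.6 are left untrusted; verifying v5.5.13 as well shrinks that to the single unsigned commit above v5.6. The empty blob and empty tree hashes match the ids git itself produces for them, which is a quick way to confirm the object-naming model is faithful.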