On 05/02/2022 01:19, Gamblin, Todd wrote: > Apologies if this has been asked before, but the closest thing I could find was this thread: > > http://public-inbox.org/git/Pine.LNX.4.62.0504160519330.21837@xxxxxxxxxxxxxxxxxxx/ > > That thread devolved into a discussion of the security of different hashes and didn’t answer my question. > > I want to know when and where git *guarantees* that the snapshot I have checked out has the checksum that git says it does, or if it does at all. > > The use case for this is for package managers. I work on Spack (http://github.com/spack/spack if you’re curious) and we download sources from tarballs and git repos (like many similar tools). For tarballs we require a sha256, and we use it to verify the tarball after download. > > For git repos, we would like to require a commit sha1, provided that it’s basically as secure as downloading a tarball and checking it against a known sha1. So, if I `git clone` something, is the commit sha1 actually verified? For the Git releases, the maintainer, Junio, will PGP sign the release tag with his key e.g. https://git.kernel.org/pub/scm/git/git.git/tag/?h=v2.35.1 The tag contains the sha1 hash of the release commit, which in turn contains the sha1 hashes of the tree that is being released, and the previous commit in the git history, and onward the hashes roll... https://lore.kernel.org/git/xmqqh7n5zv2b.fsf@xxxxxxxxxxxxxxxxxxxxxx/ is a recent discussion on the refreshing of the PGP key. the post https://lore.kernel.org /git/YA3nwFcYz4tbhrlO@xxxxxxxxxxxxxxxxxxxxxxxxx/ in the thread notes "The signature is .. over the uncompressed .tar ... You therefore need to uncompress it first with gunzip." > > Thanks, > -Todd > > > PS: I know that sha1 has been declared “risky” by NIST and that folks should move away from it, and please be assured that we’re using sha256’s everywhere else. Here I really just want to know whether cloning a git repo at a particular commit is as secure as downloading a tarball and checking it against a sha1, not whether or not sha1 is secure. > > I don't think there is an obvious cross-check for the tarball sha1 comparison with the release tag's sha1, if that's the question. The repeatability of tarballs has been discussed but I didn't find a mail reference immediately. Philip