Re: Commit SHA1 == SHA1 checksum?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 05/02/2022 01:19, Gamblin, Todd wrote:
> Apologies if this has been asked before, but the closest thing I could find was this thread:
>
> 	http://public-inbox.org/git/Pine.LNX.4.62.0504160519330.21837@xxxxxxxxxxxxxxxxxxx/
>
> That thread devolved into a discussion of the security of different hashes and didn’t answer my question.
>
> I want to know when and where git *guarantees* that the snapshot I have checked out has the checksum that git says it does, or if it does at all.
>
> The use case for this is for package managers. I work on Spack (http://github.com/spack/spack if you’re curious) and we download sources from tarballs and git repos (like many similar tools).  For tarballs we require a sha256, and we use it to verify the tarball after download.
>
> For git repos, we would like to require a commit sha1, provided that it’s basically as secure as downloading a tarball and checking it against a known sha1.  So, if I `git clone` something, is the commit sha1 actually verified?
For the Git releases, the maintainer, Junio, will PGP sign the release
tag with his key e.g.
https://git.kernel.org/pub/scm/git/git.git/tag/?h=v2.35.1

The tag contains the sha1 hash of the release commit, which in turn
contains the sha1 hashes of the tree that is being released, and the 
previous commit in the git history, and onward the hashes roll...

https://lore.kernel.org/git/xmqqh7n5zv2b.fsf@xxxxxxxxxxxxxxxxxxxxxx/ is
a recent discussion on the refreshing of the PGP key. the post
https://lore.kernel.org

/git/YA3nwFcYz4tbhrlO@xxxxxxxxxxxxxxxxxxxxxxxxx/ in the thread notes
"The signature is .. over the uncompressed .tar ... You therefore need
to uncompress it first with gunzip."
>
> Thanks,
> -Todd
>
>
> PS: I know that sha1 has been declared “risky” by NIST and that folks should move away from it, and please be assured that we’re using sha256’s everywhere else.  Here I really just want to know whether cloning a git repo at a particular commit is as secure as downloading a tarball and checking it against a sha1, not whether or not sha1 is secure.
>
>
I don't think there is an obvious cross-check for the tarball sha1
comparison with the release tag's sha1, if that's the question.

The repeatability of tarballs has been discussed but I didn't find a
mail reference immediately.

Philip



[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux