On Mon, Feb 07, 2022 at 02:49:16PM -0800, Junio C Hamano wrote:
> Given a signed commit or a signed tag that points at a commit, your
> enhanced "git archive" would create a .tar file with the contents of
> the tree object, and adds copies signed objects that tells what tree
> object the archive ought to have. E.g. if you start from a signed
> tag, "git cat-file tag $tag" output would allow you to learn the
> object name of the tagged object, and to verify the PGP signature
> embedded in the tag, but it is likely that the tagged object is a
> commit, not a tree, so you'd also need to include "git cat-file
> commit $tag^{commit}".
Correct, unless it's a snapshot of a signed commit, not of a tag (cgit, for
example, makes them available for download). In this case we only need to have
the cat-file contents of the commit.
> So you'd store the raw contents of the tag
> (so that we have a hash-protected record of commit object name), and
> the commit (so that we have a hash-protected record of tree object
> name).
>
> You as the recipient will find these in the tarball:
>
> - the files that are supposed to be the contents of tree X.
>
> - the raw contents of the commit C that is supposed to record the
> tree X.
>
> - the raw contents of the tag T that is supposed to point at the
> commit C.
>
> Starting from the contents of tag T, which is PGP signed, you know
> that the signer wanted to call commit C with the name of the tag T.
> Then the raw contents that alledgedly are from commit C, you can
> "git hash-object -t commit" it to verify that it indeed hashes down
> to C (hence, it what the signer wanted to give you), and find the
> name of the tree object X the commit records. And when you added
> all the blobs contained in the tarball (and nothing else) to the
> index and ran write-tree on the resulting index, you would know what
> tree object the tarball contained, and if it hashes down to X, you
> know that the cryptographic hash chain starting from PGP signature
> on T attests that that tarball matches what the signer wanted you
> to have.
Exactly right. It would be slightly more complicated for things like openssh
signatures, since then you have to worry about where the allowed_signers file
comes from, but these are implementation minutae. Even if we start with just
support for PGP signatures, that would already be a great improvement over
where things are with snapshot downloads right now.
Best regards,
-K
