[Whonix-devel] How safe are signed git tags? Only as safe as SHA-1 or somehow safer?
Mike Gerwitz
mikegerwitz at gnu.org
Tue Nov 4 04:35:11 CET 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, Nov 03, 2014 at 09:08:53 +0000, Patrick Schleizer wrote:
> Linus Torvalds said: [1]
>
>> Git uses SHA-1 not for security
>
> And goes on.
>
>> The security parts are elsewhere
>
> Could you please elaborate on this? Where are the security parts? Can
> you please briefly explain how these work? Where can I read more about this?
This would be a better question for the git mailing list.
Afaik, the only "security" that existed at the time he wrote that would
have been GPG-signed tags (and today, the only additional would be
GPG-signed commits). But I could be mistaken.
> Wikipedia says. [2]
>
>> Nonetheless, without second preimage resistance [3] of SHA-1 signed
> commits and tags would no longer secure the state of the repository as
> they only sign the root of a Merkle tree [4].
Correct.
> Which contradicts what Linus Torvalds said. What does that mean for
> security? Which statement is true?
My assumption is that he relies (or relied) upon the integrity of
SHA-1. As I mentioned in the Horror Story, he mentioned that he need
only remember the SHA-1 of the tip of his branch to rest assured that
the copy of a repository is identical to his own.[0] But it'd be worth
asking him or someone on the mailing list.
> If (!) I understand Mike Gerwitz ([...] GNU [...]) 's opinion, his
> opinion is, that for best security each and every commit should be
> signed for best possible git verification security.
> [...]
> - Verbose reply by Mike Gerwitz to my question. [8]
Sure, but I don't sign every commit personally in practice. I won't
repeat what I said in [8] here, though.
[0] http://mikegerwitz.com/papers/git-horror-story
> [8] https://www.whonix.org/forum/index.php/topic,538.msg4278.html#msg4278
- --
Mike Gerwitz
Free Software Hacker | GNU Maintainer
http://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBAgAGBQJUWElwAAoJEPIruBWO4w6rWRUP+wf+682zVuurUuBujnLcupwF
WH/pkwX19+B6mXf2ZFEavrid/m0SszpGcZsjgi8CSsmS44W3OawcF3WMaXf8It6A
oSsSOvk7lfC9cezLtVqkmR2g5dWoFAVkbK8JHIeizqLgkQQ7Q93yg4EfL9hqx79b
AeO57SUWHyVN8CEqS37e1SXzenkLm/FujMNbn9NajzjgCdD7xsp6iZwos8684abf
hqo4HWHyKbHUQbnIe9cqP+3yIDm/pWpP57UvFng7rzleHcIMrqKAn5OYg1fVjQ3i
GAbsfoeNmDfjgtCYdrdTiEv2wAMu399hHTTaBr3sMpo1P9Yq4NP2K2DapYJJZWiF
d3gagUvzCKBQVmu5FH9nV84UrF7j77E0rThB1Ae8s+hov3KfBSWn7qkZeEGIXXyq
vFXKOdT09moTGlx87Sp/L65CB+42B7NbSzz3Z05hhUQFxRni7ZOESr8ax3td9DrG
vPrCLD4QHorhrD9ZISafaZWFiGSs7opYSa5VwO5QkijxpvCy+9bJu2ArrBF1H3xb
8c8uQI2buhO84Md0bAeKY6qUaaChRcRNGBoNwpteieWmtE202uUBwpvA99oBLM0N
cifU1GVZ3r5px64Wq8mr/EbSrCnc2tmYEuUzByg/wwPqTpgND7M9LAndmjW4cG3+
N/rgLa389561dRmiPOQK
=7/lr
-----END PGP SIGNATURE-----
More information about the Whonix-devel
mailing list