[Whonix-devel] How safe are signed git tags? Only as safe as SHA-1 or somehow safer?
jpyeron at pdinc.us
Sat Nov 22 00:32:46 CET 2014
> -----Original Message-----
> From: Patrick Schleizer
> Sent: Friday, November 21, 2014 18:01
> Dear git developers!
> Jeff King wrote:
> > On Sun, Nov 16, 2014 at 03:31:10PM +0000, Patrick Schleizer wrote:
> >> How safe are signed git tags? Especially because git uses
> SHA-1. There
> >> is contradictory information around.
> >> So if one verifies a git tag (`git tag -v tagname`), then
> >> the tag, and checks that `git status` reports no untracked/modified
> >> files, without further manually auditing the code, how
> secure is this
> >> actually? Is it only as safe as SHA-1?
> > Yes, it is only as "safe as SHA-1" in the sense that you
> have GPG-signed
> > only a SHA-1 hash. If somebody can find a collision with a
> hash you have
> > signed, they can substitute the colliding data for the data
> you signed.
The whole issue is a lot better than this makes it sound. Yes it is just a SHA1 hash, but it is a hash of a structured data format.
You have very observable parts of that well structured data providede to the hash.
The commit message, the directory contents, and lastly the files themselves.
For a collision to occur, the commit message would have to likely have garbage in the message of a large nature. To generate a colision by commited file contents is unlikely because the file contents is reduced to a hash in the directory structure, which is in turn reduced to a hash in a commit structure.
This would be noticed.
- Jason Pyeron PD Inc. http://www.pdinc.us -
- Principal Consultant 10 West 24th Street #100 -
- +1 (443) 269-1555 x333 Baltimore, Maryland 21218 -
This message is copyright PD Inc, subject to license 20080407P00.
More information about the Whonix-devel