[Whonix-devel] How safe are signed git tags? Only as safe as SHA-1 or somehow safer?

Jason Pyeron jpyeron at pdinc.us
Sat Nov 22 00:32:46 CET 2014

> -----Original Message-----
> From: Patrick Schleizer
> Sent: Friday, November 21, 2014 18:01
> Dear git developers!
> Jeff King wrote:
> > On Sun, Nov 16, 2014 at 03:31:10PM +0000, Patrick Schleizer wrote:
> > 
> >> How safe are signed git tags? Especially because git uses 
> SHA-1. There
> >> is contradictory information around.
> >>
> >> So if one verifies a git tag (`git tag -v tagname`), then 
> `checksout`s
> >> the tag, and checks that `git status` reports no untracked/modified
> >> files, without further manually auditing the code, how 
> secure is this
> >> actually? Is it only as safe as SHA-1?
> > 
> > Yes, it is only as "safe as SHA-1" in the sense that you 
> have GPG-signed
> > only a SHA-1 hash. If somebody can find a collision with a 
> hash you have
> > signed, they can substitute the colliding data for the data 
> you signed.

The whole issue is a lot better than this makes it sound. Yes it is just a SHA1 hash, but it is a hash of a structured data format.

You have very observable parts of that well structured data providede to the hash.

The commit message, the directory contents, and lastly the files themselves.

For a collision to occur, the commit message would have to likely have garbage in the message of a large nature. To generate a colision by commited file contents is unlikely because the file contents is reduced to a hash in the directory structure, which is in turn reduced to a hash in a commit structure.

This would be noticed.

-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
This message is copyright PD Inc, subject to license 20080407P00. 

More information about the Whonix-devel mailing list