[Whonix-devel] How safe are signed git tags? Only as safe as SHA-1 or somehow safer?

Mon Nov 24 19:40:30 CET 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here's information from the README of the first Git commit:
https://github.com/git/git/commit/e83c51633#95 (of Git itself).  It
restates what has already been discussed, but it's a direct reference.

On Mon, Nov 03, 2014 at 22:35:11 -0500, Mike Gerwitz wrote:
> On Mon, Nov 03, 2014 at 09:08:53 +0000, Patrick Schleizer wrote:
>> Linus Torvalds said: [1]
>>
>>> Git uses SHA-1 not for security
>>
>> And goes on.
>>
>>> The security parts are elsewhere
>>
>> Could you please elaborate on this? Where are the security parts? Can
>> you please briefly explain how these work? Where can I read more about this?
>
> This would be a better question for the git mailing list.
>
> Afaik, the only "security" that existed at the time he wrote that would
> have been GPG-signed tags (and today, the only additional would be
> GPG-signed commits).  But I could be mistaken.
>
>> Wikipedia says. [2]
>>
>>> Nonetheless, without second preimage resistance [3] of SHA-1 signed
>> commits and tags would no longer secure the state of the repository as
>> they only sign the root of a Merkle tree [4].
>
> Correct.
>
>> Which contradicts what Linus Torvalds said. What does that mean for
>> security? Which statement is true?
>
> My assumption is that he relies (or relied) upon the integrity of
> SHA-1.  As I mentioned in the Horror Story, he mentioned that he need
> only remember the SHA-1 of the tip of his branch to rest assured that
> the copy of a repository is identical to his own.[0]  But it'd be worth
> asking him or someone on the mailing list.
>
>> If (!) I understand Mike Gerwitz ([...] GNU [...]) 's opinion, his
>> opinion is, that for best security each and every commit should be
>> signed for best possible git verification security.
>> [...]
>> - Verbose reply by Mike Gerwitz to my question. [8]
>
> Sure, but I don't sign every commit personally in practice.  I won't
> repeat what I said in [8] here, though.
>
> [0] http://mikegerwitz.com/papers/git-horror-story
>> [8] https://www.whonix.org/forum/index.php/topic,538.msg4278.html#msg4278

- -- 
Mike Gerwitz
Free Software Hacker | GNU Maintainer
http://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJUc3ufAAoJEPIruBWO4w6rIBUP/iefdEWMQHsORo6BYwNcY+xJ
x2/NMUeAxz9KGSN7Sf9haMiF6WFp4umYMZ8rRAXWmGv0O6PFkK6Vhw37kPeJtR34
WriZdE66CoeWWZyXDiaRXqS1dLkFlQ15SAI9STZGnMEHoSUX3xhKNlZFTGhRn2aH
temHo3GSbzAPDpYUqOhfl8pXFnO6vtpIG24Jwtd0UG3erLrc+H0FYeW39EkZKsm6
OcDbxlIxHiXY6ZcFtxo1xBwgycJDR06nM7/PziMkI4yFSOLYs7BvRSM4bXZO+E17
/wEJRauwg+7XKSuqCa6mWWeWBluCdh1AUFHBWG9Ip2/OT008KfZfJ6FLRBLJ34/N
qFst+Rk4mfDLYwqfaDDyWOmFyNNkQXhQ3RsSx8lXWt8Ilk7+KnacT5gWV7rH+r8s
1RLESmkb9ng8ypoG3UlUS7j4e5HBb6dwFKVHafJUapM6/zlClxTFWCaeJCCXtCNA
CJOFpv6OAtuBe6o0nX0Tb6bZ2CVjB/QPSAlItMJfSEAQAPR4X0oZe6U9iFt19aHM
14dKqbjSDxodXUYqaGUywgTFb8cQuY50Zgxv0wRX1dLG6Xyfb6y19IfiICpTTjg3
G+yC++hPwXovBPOrNIqLIPQaB86r67TP/ACcB+rBQURs29Cn38y2x20XbC2tertd
EgQ0eSaNA38/QqcuFaAr
=qt3p
-----END PGP SIGNATURE-----