Bastian Blank wrote:
> The git object checksums don't suffice anymore due to SHA1. And as the
> world moves towards SHA3, it will need to have the ability to follow.
Ian Jackson wrote:
> The git signed tag object has a signature which is verifiable without
> relying on the git object hash system. The tag text directly contains
> the source package name, and version, and intended upload target.
A git tag is internally similar to an SHA1-only .dsc or .changes, in
that it uses a hash to specify what the actual repository contents
should be: verifying the tag signature without using the hash only tells
you that an authorized person tried to upload *something*, not whether
it was the same content as is currently in Salsa.
Do you now intend to add an SHA-256 hash, or is one of us mistaken?
$ git cat-file tag debian/1.3.2-6
object 6a899bec4829cd941b65f9ddc2d4f6ef5468b972
type commit
tag debian/1.3.2-6
tagger Rebecca N. Palmer <rebecca_pal...@zoho.com> 1549574096 +0000
beignet Debian release 1.3.2-6
[signature deleted]
Bastian Blank wrote:
> The output of all operations obviously needs to be reproducible to be signed.
Other parties could re-run the tag2upload transformation to verify it,
but this would require reading from Salsa as well as the archive.
I agree that any re-signing form of tag2upload is highly
security-critical code, and should be held to our standards for such.
(I don't know what those standards are.)
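As an added illustration of the point made above (example code written for this page, not code from the thread, from git, or from tag2upload), the following Python script parses a tag object in the layout `git cat-file tag` prints, separates the signed payload from the trailing armored signature, and checks what that payload actually binds: the `object` header, which is the SHA-1 ID of the commit, computed as SHA-1 over `"<type> <size>\0<content>"`. The tagger name, the commit body, and the `Object-SHA256:` trailer are assumptions made for the example (the trailer is a hypothetical way of carrying a second hash inside the signed text; neither git nor tag2upload defines it); the signature block is a placeholder, not a real OpenPGP signature.

```python
"""Parse a git signed tag object and check what its signature actually binds."""
import hashlib

SIG_BEGIN = b"-----BEGIN PGP SIGNATURE-----"


def git_object_id(obj_type: str, content: bytes, algo: str = "sha1") -> str:
    """Git object ID: hash of "<type> <size>\\0<content>" (SHA-1 by default)."""
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.new(algo, header + content).hexdigest()


def split_signed_tag(raw: bytes):
    """Separate the signed payload from the trailing armored signature.

    git stores the detached signature as the tail of the tag object; the
    signature covers every byte before the BEGIN PGP SIGNATURE line, so the
    only thing tying it to repository content is the `object` header.
    """
    idx = raw.find(SIG_BEGIN)
    if idx == -1:
        return raw, None
    return raw[:idx], raw[idx:]


def parse_tag_payload(payload: bytes) -> dict:
    """Parse the headers (object/type/tag/tagger) and the free-text message."""
    head, _, message = payload.partition(b"\n\n")
    fields = {}
    for line in head.decode().splitlines():
        key, _, value = line.partition(" ")
        fields[key] = value
    fields["message"] = message.decode()
    return fields


def trailer(message: str, key: str):
    """Return the value of a 'Key: value' trailer line in the message, if any."""
    for line in message.splitlines():
        if line.startswith(key + ": "):
            return line[len(key) + 2:]
    return None


def signed_content_matches(tag_raw: bytes, commit_obj: bytes) -> dict:
    """Report which hashes of commit_obj the signed tag payload binds to."""
    payload, _sig = split_signed_tag(tag_raw)
    t = parse_tag_payload(payload)
    return {
        # The binding git itself provides: the SHA-1 object ID in the header.
        "sha1": t["object"] == git_object_id(t["type"], commit_obj, "sha1"),
        # Hypothetical extra binding via a trailer inside the signed message.
        "sha256": trailer(t["message"], "Object-SHA256")
        == git_object_id(t["type"], commit_obj, "sha256"),
    }


# Constructed sample commit object (not a real Debian commit). The tree ID is
# the well-known SHA-1 of the empty tree.
SAMPLE_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author Example Tagger <tagger@example.org> 1549574096 +0000\n"
    b"committer Example Tagger <tagger@example.org> 1549574096 +0000\n"
    b"\n"
    b"beignet (1.3.2-6) unstable; urgency=medium\n"
)


def build_sample_tag(commit_obj: bytes, with_sha256: bool) -> bytes:
    """Constructed tag object in the layout shown by `git cat-file tag`.

    The signature is a placeholder, not a real OpenPGP signature.
    """
    msg = "beignet Debian release 1.3.2-6\n"
    if with_sha256:
        # Hypothetical trailer; nothing in git or tag2upload defines it.
        msg += f"Object-SHA256: {git_object_id('commit', commit_obj, 'sha256')}\n"
    payload = (
        f"object {git_object_id('commit', commit_obj)}\n"
        "type commit\n"
        "tag debian/1.3.2-6\n"
        "tagger Example Tagger <tagger@example.org> 1549574096 +0000\n"
        "\n" + msg
    ).encode()
    return payload + SIG_BEGIN + b"\n(placeholder)\n-----END PGP SIGNATURE-----\n"


if __name__ == "__main__":
    tag = build_sample_tag(SAMPLE_COMMIT, with_sha256=True)
    print(split_signed_tag(tag)[0].decode())
    print("genuine commit:", signed_content_matches(tag, SAMPLE_COMMIT))
    print("altered commit:", signed_content_matches(tag, SAMPLE_COMMIT + b"x"))
```

Run stand-alone, the script prints the signed payload and then the binding report for the commit the tag was made against and for an altered one; the `sha1` entry is the check that depends on git's SHA-1 object naming, and the `sha256` entry shows where a second hash would have to sit to be covered by the same signature.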