On Tue, Sep 16, 2014 at 9:44 AM, Ian Stakenvicius <a...@gentoo.org> wrote:
>
> If the issue preventing protection is that the gpg signature only
> signs the hash, couldn't we just make repoman automatically add to the
> bottom of the comment a clearsign on the contents of the commit?
>
The gpg signature is on the entire contents of the "commit." However, the contents of the commit do not include the files that are being committed - it includes hashes of the parent commit, the commit message, other headers, and the hash of the tree being committed, which is sha1. That last hash is the only thing that ties the commit to the files being committed, so you can modify the files all you like as long as the sha1 is the same.

I don't think we should try to fix git. It makes far more sense to have upstream fix it. I don't think we should hold up the migration over it - NOBODY is holding off on adopting git over this stuff and I'm not even aware of any projects that gpg sign their git commits.

Remember, the data model is:

commit --> tree --> [tree...] --> blob

The signature is against the commit, and sha1 hashes are what tie everything else to it.

If you want to satisfy yourself I believe you can get git to dump the contents of any object without formatting/etc. You'll see that the gpg signature matches the content of the commit (minus the gpg signature header, of course). If you directly access objects from the filesystem I think git prepends a hash or something to the start of every file.

--
Rich
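As an added illustration of the data model described above (not code from this thread or from git itself), the following Python script parses a constructed raw commit object, strips its gpgsig header to recover exactly the bytes the signature covers, and computes object ids the way git does: the thing git prepends to every loose object is a `<type> <size>` header followed by a NUL byte, and the sha1 runs over that header plus the content. The sample commit and its signature text are constructed placeholders.

```python
import hashlib

# Constructed sample of a raw commit object, i.e. what `git cat-file commit <id>`
# prints. The gpgsig value is a placeholder, not a real PGP signature.
SAMPLE_COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "parent 1111111111111111111111111111111111111111\n"
    "author Example Dev <dev@example.invalid> 1410880000 -0400\n"
    "committer Example Dev <dev@example.invalid> 1410880000 -0400\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"
    " PLACEHOLDERSIGNATUREBODY\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "Sample commit message\n"
)


def git_object_id(kind: str, data: bytes) -> str:
    """Object id as git computes it: sha1 over "<type> <size>" + NUL + content."""
    return hashlib.sha1(f"{kind} {len(data)}\0".encode() + data).hexdigest()


def split_headers(commit: str):
    """Split a raw commit into (headers, message). Headers end at the first blank
    line; a line starting with a space continues the previous header, which is
    how the multi-line gpgsig value is stored."""
    head, _, message = commit.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line.startswith(" ") and headers:
            key, value = headers[-1]
            headers[-1] = (key, value + "\n" + line[1:])
        else:
            key, _, value = line.partition(" ")
            headers.append((key, value))
    return headers, message


def signed_payload(commit: str) -> str:
    """What `git commit -S` actually signed: the commit object with its own
    gpgsig header removed. File contents never appear in here, only the tree id."""
    headers, message = split_headers(commit)
    kept = [f"{k} {v}".replace("\n", "\n ") for k, v in headers if k != "gpgsig"]
    return "\n".join(kept) + "\n\n" + message


def tree_id(commit: str) -> str:
    """The single sha1 that links a commit to the files it commits."""
    return dict(split_headers(commit)[0])["tree"]
```

Both ids checked below are the well-known ids of the empty blob and the empty tree; the sample commit points at the empty tree, so the signature in it says nothing about any file beyond that one sha1.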