On 11 August 2015 at 15:44, Matthias Maier <tam...@gentoo.org> wrote:
>
> No, a signed tag verifies the whole integrity of the entire
> repository, whereas a signed commit only authenticates the differences
> introduced by a single commit.


git tag -s test

cat ./.git/refs/tags/test
456d216e3d1894d62429daf0ec482c3afb087dbe

git cat-file tag 456d216e3d1894d62429daf0ec482c3afb087dbe
object 9ca77ee7f72902e4e89456ff560a670465969603
type commit
tag test
tagger Kent Fredric <kentfred...@gmail.com> 1439264837 +1200

A test tag
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
[base64 signature body not reproduced here]
=Ieic
-----END PGP SIGNATURE-----



git cat-file tag 456d216e3d1894d62429daf0ec482c3afb087dbe > /tmp/sigfile
cp /tmp/sigfile /tmp/sigfile.asc

*edits both so sigfile has content, and asc file has signature*


gpg --verify /tmp/sigfile.asc
gpg: enabled debug flags: memstat
gpg: assuming signed data in '/tmp/sigfile'
gpg: Signature made Tue Aug 11 15:47:22 2015 NZST
gpg:                using RSA key E854324B1366A820
gpg: Good signature from "Kent Fredric (GMail) <kentfred...@gmail.com>" [unknown]
gpg:                 aka "Kent Fredric (CPAN Author) <ken...@cpan.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3D96 B36C 8FEA AC54 F5A3  DAE7 E854 324B 1366 A820
gpg: keydb: kid_not_found_table: total: 1
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: secmem usage: 0/65536 bytes in 0 blocks


^^ - so it's clear the signature is only on the tag data itself.

And what does the tag refer to?

object 9ca77ee7f72902e4e89456ff560a670465969603

What is that?


git cat-file -t 9ca77ee7f72902e4e89456ff560a670465969603
commit


So how is GPG verifying "The whole repository" ?

-- 
Kent

KENTNL - https://metacpan.org/author/KENTNL

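As an added example (not part of Kent's message and not git's own code), the Python below reproduces the split Kent did by hand: it takes the text `git cat-file tag` prints, cuts it at the first armor header line exactly as `git verify-tag` does, and hands the bytes before it to gpg as the signed data. The tag object is a constructed sample modelled on the one above; the tagger identity and the base64 body are placeholders, so `gpg_verify` is only there to show the invocation git uses and will not report a good signature on this sample. Feed it a real tag on stdin to see what is actually signed.

```python
"""Added example: split a git tag object into the bytes gpg signs and
the armored signature, the way `git verify-tag` does.  Not code from
the original thread or from git itself."""
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

SIG_BEGIN = b"-----BEGIN PGP SIGNATURE-----"

# Constructed sample modelled on the `git cat-file tag` output in the
# thread.  Tagger identity and armor body are placeholders, so this blob
# will never verify; the commit id is the one quoted in the thread.
SAMPLE_TAG = b"""object 9ca77ee7f72902e4e89456ff560a670465969603
type commit
tag test
tagger Alice Example <alice@example.com> 1439264837 +1200

A test tag
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAABAgAGBQJVyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
=Ieic
-----END PGP SIGNATURE-----
"""


def split_tag_object(raw: bytes):
    """Return (signed_payload, armored_signature), or (raw, None) if unsigned.

    git's rule: the signature starts at the first line that begins with the
    armor header; every byte before that line is what gpg verifies.
    """
    offset = 0
    for line in raw.splitlines(keepends=True):
        if line.startswith(SIG_BEGIN):
            return raw[:offset], raw[offset:]
        offset += len(line)
    return raw, None


def parse_tag_payload(payload: bytes) -> dict:
    """Parse the signed payload into its header fields plus the message."""
    head, _, message = payload.partition(b"\n\n")
    fields = {}
    for line in head.decode("utf-8", "replace").splitlines():
        key, _, value = line.partition(" ")
        fields[key] = value
    fields["message"] = message.decode("utf-8", "replace")
    return fields


def gpg_verify(payload: bytes, signature: bytes, gpg: str = "gpg") -> bool:
    """Verify like git does: signature in a temp file, payload on stdin.

    Needs a gpg binary and the signer's public key in the keyring.  GOODSIG
    only proves that key made the signature; gpg still exits 0 for a key it
    does not trust (that is the WARNING in the thread), so deciding whether
    the key is one you accept is a separate check.
    """
    if shutil.which(gpg) is None:
        return False
    with tempfile.TemporaryDirectory() as tmp:
        sigfile = Path(tmp) / "tag.sig"
        sigfile.write_bytes(signature)
        proc = subprocess.run(
            [gpg, "--status-fd=1", "--keyid-format=long", "--verify",
             str(sigfile), "-"],
            input=payload, capture_output=True, check=False)
    return proc.returncode == 0 and b"[GNUPG:] GOODSIG " in proc.stdout


if __name__ == "__main__":
    raw = sys.stdin.buffer.read() if not sys.stdin.isatty() else SAMPLE_TAG
    payload, sig = split_tag_object(raw)
    info = parse_tag_payload(payload)
    print("gpg verifies only these bytes:\n" + payload.decode("utf-8", "replace"))
    print("They name commit", info.get("object"), "by hash; the commit, its tree")
    print("and its parents are bound through that hash chain, not signed directly.")
    if sig is not None:
        print("gpg result:", gpg_verify(payload, sig))
```

Usage: `git cat-file tag test | python3 tagsig.py` (file name hypothetical) prints the signed region of a real tag. For the check a practitioner wants after `GOODSIG`, run `git verify-tag --raw <tag>` and compare the fingerprint on the `VALIDSIG` status line with the one you expect, or set `gpg.minTrustLevel` in git config so an uncertified key fails verification instead of only printing the warning.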