From mboxrd@z Thu Jan 1 00:00:00 1970 From: tmz at pobox.com (Todd Zullinger) Date: Sat, 7 Mar 2015 18:35:10 -0500 Subject: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading In-Reply-To: <20150307182002.GJ1369@serenity.lan> References: <0146555fda82120aa6ff6a7e9761d00d53ced865.1425739601.git.john@keeping.me.uk> <20150307155926.6430.47439@typhoon> <20150307170259.GI1369@serenity.lan> <20150307174932.8657.41364@typhoon> <20150307182002.GJ1369@serenity.lan> Message-ID: <20150307233510.GU3567@zaya.teonanacatl.net> John Keeping wrote: > I still think we can't rely on `gpg --recv-keys` though, we would > have to distribute the key with CGit and possible also do something > to avoid importing it into the user's keyring by default. If the check was to be run from a cgit clone, the key Junio uses to sign git tarballs could be included as a blob, similarly to how it's done in git.git. (See the junio-gpg-pub tag in git.git for anyone unfamiliar with this already. The key can be extracted via: git cat-file blob junio-gpg-pub I've always thought that was a neat use of git, but certainly not a common one. I can't manage to make github display this tagged blob, which is also amusing. The cgit-hosted kernel.org repo displays it easily though: http://git.kernel.org/cgit/git/git.git/tag/?id=junio-gpg-pub) This method does nothing for users who have downloaded a cgit tarball, of course, which I expect is more likely to be the use case you're targeting. > I think a hash is more appropriate for the situation we're in - we > are assuming that the user is happy that the CGit distribution they > have is trustworthy but we must verify that the Git distribution we > download is also correct. I don't think this is unreasonable at all. Trust has to start somewhere. For users that want to go to the source, they can always download git directly (or just the detached PGP signature) and verify the tarball. When I updated cgit packages in Fedora and EPEL, this is what I always did. I don't know if the current maintainers follow that process still, but hopefully they do. ;) But while we're on the subject, are there PGP signatures available for the cgit tarballs themselves? I know the git tags are signed, but I don't think I've seen detached signatures for the tarballs. In this case, how does a user become "happy that the CGit distribution they have is trustworthy"? The cgit tarball download isn't available via https either, which might be a reasonable answer in the absence of a detached git signature. Without a signature on the tarball or some other method to verify the cgit tarball, the sha256 of the git tarball included in the cgit Makefile is more or less only useful as a basic download integrity check (in which case sha256 is mild overkill). None of this is to say that this patch isn't a step in the right direction. It certainly helps to display a nicer error message if a user receives a corrupted git tarball. It's just important that users don't confuse this with providing any real authentication of the git tarball. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Life is the art of drawing without an eraser. -- John Gardner