[SSL Observatory] Observatory source code available via git
Matt McCutchen
matt at mattmccutchen.net
Fri May 13 13:07:05 PDT 2011
On Fri, 2011-05-13 at 11:34 -0700, Robert Ransom wrote:
> On Fri, 13 May 2011 13:25:49 -0400
> Matt McCutchen <matt at mattmccutchen.net> wrote:
> > And even if you did, signing does not guarantee that the ref is fresh or
> > the one the user wants, rather than some commit from some project that
> > you signed sometime in the past. As such, it is suitable for preventing
> > the injection of malware but does not constitute integrity protection of
> > a fetch operation.
>
> The signed message contains all of the metadata in the tag object,
> including the hash of the tagged commit and the tag name,
I wasn't aware the name was included. Still, (1) an attacker could
substitute a tag from another project unless you have a naming scheme
that is unique per key, and (2) git doesn't check either the name or the
key: you have to do it yourself. Hardly a ready-to-use solution.
> and the GPG
> signature contains a timestamp.
What I meant was, signing does not prevent an attacker from replaying an
old signed ref value or hiding the existence of a ref. The former is
less of an issue for tags that do not change once they are created, but
obviously a solution needs to handle branches too.
--
Matt
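The checks Matt says git leaves to the user (that the tag name inside the signed payload is the one you asked for, and that the signing key is one you expect for this project) can be scripted. The following is an added example, not code from the thread, from the Observatory project, or from git itself. It parses the text that `git cat-file -p <tag>` prints for a signed tag, which is also the text git signs, and compares the `tag` header and the signer's key against what the caller expected. The tag object below is a constructed sample with a placeholder signature block; the signer fingerprint is assumed to come from a separate `gpg` verification step (for instance the `VALIDSIG` status line of `git verify-tag --raw`), which this code does not run. It does nothing about the replay and hidden-ref problems raised for branches.

```python
"""Bind a signed Git tag to the ref and signer the user expected.

Constructed example. Git signs everything in the tag object that precedes
the "-----BEGIN PGP SIGNATURE-----" line, so the object id, type, tag name,
tagger line and message are all covered by the signature. Git itself only
checks that the signature is valid for some key in your keyring; the name
and key checks below are the part you have to do yourself.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample in `git cat-file -p` format. The signature block is a
# placeholder and is never cryptographically checked by this script.
SAMPLE_TAG_OBJECT = """object 1111111111111111111111111111111111111111
type commit
tag v1.0
tagger Example Tagger <tagger@example.invalid> 1305316025 -0700

Release 1.0
-----BEGIN PGP SIGNATURE-----

(placeholder: constructed sample, not a real signature)
-----END PGP SIGNATURE-----
"""

# Assumed fingerprint of the key that signed the sample (hypothetical value).
SAMPLE_SIGNER = "0123456789ABCDEF0123456789ABCDEF01234567"


@dataclass
class TagPayload:
    object_id: str
    object_type: str
    tag_name: str
    tagger: str
    tagger_time: int  # seconds since the epoch, from the tagger line
    message: str


def split_signed_tag(raw: str) -> Tuple[str, str]:
    """Return (signed payload, signature block) of a signed tag object."""
    idx = raw.find(SIG_BEGIN)
    if idx < 0:
        raise ValueError("tag object carries no PGP signature")
    return raw[:idx], raw[idx:]


def parse_tag_payload(payload: str) -> TagPayload:
    """Parse the headers and message of the signed part of a tag object."""
    headers, _, message = payload.partition("\n\n")
    fields: Dict[str, str] = {}
    for line in headers.splitlines():
        key, _, value = line.partition(" ")
        fields[key] = value
    for required in ("object", "type", "tag", "tagger"):
        if required not in fields:
            raise ValueError(f"tag payload lacks '{required}' header")
    if not re.fullmatch(r"[0-9a-f]{40}|[0-9a-f]{64}", fields["object"]):
        raise ValueError("malformed object id in tag payload")
    when = re.search(r"\s(\d+)\s[+-]\d{4}$", fields["tagger"])
    if not when:
        raise ValueError("malformed tagger line in tag payload")
    return TagPayload(fields["object"], fields["type"], fields["tag"],
                      fields["tagger"], int(when.group(1)), message)


def check_tag_binding(raw_tag: str, expected_ref: str, signer_fingerprint: str,
                      trusted_signers: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the binding holds.

    trusted_signers maps a key fingerprint to the tag-name prefix that key is
    expected to use for this project (the per-key naming scheme the thread
    mentions), so a validly signed tag from another project is rejected.
    """
    problems: List[str] = []
    payload, _signature = split_signed_tag(raw_tag)
    tag = parse_tag_payload(payload)

    if not expected_ref.startswith("refs/tags/"):
        problems.append(f"expected ref {expected_ref!r} is not a tag ref")
        return problems
    expected_name = expected_ref[len("refs/tags/"):]
    if tag.tag_name != expected_name:
        problems.append(f"signed tag name {tag.tag_name!r} != requested {expected_name!r}")
    if tag.object_type != "commit":
        problems.append(f"tag points at a {tag.object_type}, not a commit")

    prefix = trusted_signers.get(signer_fingerprint.upper())
    if prefix is None:
        problems.append(f"signer {signer_fingerprint} is not a trusted key for this project")
    elif not tag.tag_name.startswith(prefix):
        problems.append(f"key {signer_fingerprint} is not expected to sign tags named {tag.tag_name!r}")
    return problems


if __name__ == "__main__":
    trusted = {SAMPLE_SIGNER: "v"}
    print(check_tag_binding(SAMPLE_TAG_OBJECT, "refs/tags/v1.0", SAMPLE_SIGNER, trusted))
    print(check_tag_binding(SAMPLE_TAG_OBJECT, "refs/tags/v2.0", SAMPLE_SIGNER, trusted))
```

The signature itself still has to be verified by `gpg` (or `git verify-tag`) before the fingerprint passed in here means anything; this script only closes the gap between "some key in my keyring signed some tag" and "the key I expect signed the tag I asked for".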