[SSL Observatory] Observatory source code available via git

Matt McCutchen matt at mattmccutchen.net
Fri May 13 13:07:05 PDT 2011


On Fri, 2011-05-13 at 11:34 -0700, Robert Ransom wrote:
> On Fri, 13 May 2011 13:25:49 -0400
> Matt McCutchen <matt at mattmccutchen.net> wrote:
> > And even if you did, signing does not guarantee that the ref is fresh or
> > the one the user wants, rather than some commit from some project that
> > you signed sometime in the past.  As such, it is suitable for preventing
> > the injection of malware but does not constitute integrity protection of
> > a fetch operation.
> 
> The signed message contains all of the metadata in the tag object,
> including the hash of the tagged commit and the tag name,

I wasn't aware the name was included.  Still, (1) an attacker could
substitute a tag from another project unless you have a naming scheme
that is unique per key, and (2) git doesn't check either the name or the
key: you have to do it yourself.  Hardly a ready-to-use solution.

> and the GPG
> signature contains a timestamp.

What I meant was, signing does not prevent an attacker from replaying an
old signed ref value or hiding the existence of a ref.  The former is
less of an issue for tags that do not change once they are created, but
obviously a solution needs to handle branches too.

-- 
Matt
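Points (1) and (2) above, as an added example that is not part of this thread: the checks git leaves to the user, scripted in Python. The tag-object layout is the one `git cat-file -p` prints for an annotated tag, and the status lines are in the shape gpg writes on `--status-fd` (which `git verify-tag --raw` relays); the hashes, names, key fingerprint and signature body are constructed for the example. The tagger-time check is the partial replay defence the last paragraph implies: it notices a ref rolled back to an older signed value, but not a ref the server simply hides.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample of what `git cat-file -p refs/tags/v1.2` prints for a
# signed, annotated tag.  Hashes, names and the signature body are made up.
SAMPLE_TAG_OBJECT = """\
object 1111111111111111111111111111111111111111
type commit
tag v1.2
tagger Release Bot <release@example.org> 1305316025 -0700

Observatory release 1.2
-----BEGIN PGP SIGNATURE-----

iQEcBAABAgAGBQJNzaEZAAoJEEXAMPLEEXAMPLEEXAMPLE
-----END PGP SIGNATURE-----
"""

# Constructed sample in the shape of gpg's --status-fd output, which
# `git verify-tag --raw` relays.  The key id and fingerprint are invented.
SAMPLE_GPG_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4E42A0F2B7C3D9E1 Release Bot <release@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-05-13 1305316025 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""

# Constructed allowlist: the primary-key fingerprint(s) allowed to sign releases.
TRUSTED_RELEASE_KEYS: Set[str] = {"0123456789ABCDEF0123456789ABCDEF01234567"}


def parse_tag_headers(tag_object: str) -> Dict[str, str]:
    """Return the 'key value' header lines of an annotated tag object.

    The header block ends at the first blank line; the tag message and the
    detached signature follow it.
    """
    headers: Dict[str, str] = {}
    for line in tag_object.splitlines():
        if line == "":
            break
        key, _, value = line.partition(" ")
        headers[key] = value
    return headers


def tagger_timestamp(headers: Dict[str, str]) -> Optional[int]:
    """Extract epoch seconds from 'tagger Name <mail> <epoch> <tz>'."""
    m = re.search(r" (\d+) [+-]\d{4}$", headers.get("tagger", ""))
    return int(m.group(1)) if m else None


def signer_fingerprint(gpg_status: str) -> Optional[str]:
    """Return the primary-key fingerprint of a good signature, or None.

    VALIDSIG's last field is the primary key fingerprint (the first field is
    the subkey that made the signature); pinning the primary key is what a
    release policy normally wants.
    """
    good = False
    fpr = None
    for line in gpg_status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG":
            fpr = fields[-1]
    return fpr if good else None


def check_signed_tag(tag_object: str, gpg_status: str, expected_ref_name: str,
                     trusted_fingerprints: Set[str],
                     last_seen_tagger_time: Optional[int] = None) -> List[str]:
    """Return problem codes; an empty list means the tag passes all checks.

    On success the caller should check out headers['object'], the commit the
    signature actually covers, rather than whatever the ref resolves to.
    """
    problems: List[str] = []
    headers = parse_tag_headers(tag_object)

    if headers.get("type") != "commit":
        problems.append("NOT_A_COMMIT_TAG")
    # (1) The name inside the signed object must be the ref we asked for,
    # otherwise a validly signed tag from another project or release could
    # be served under this name.
    if headers.get("tag") != expected_ref_name:
        problems.append("TAG_NAME_MISMATCH")
    # (2) A good signature is not enough; it must come from a pinned key.
    fpr = signer_fingerprint(gpg_status)
    if fpr is None:
        problems.append("NO_GOOD_SIGNATURE")
    elif fpr not in trusted_fingerprints:
        problems.append("UNTRUSTED_KEY")
    # Partial replay defence: refuse a tagger time older than the last one we
    # accepted for this ref.  Catches a rolled-back ref, not a hidden one.
    ts = tagger_timestamp(headers)
    if ts is None:
        problems.append("NO_TAGGER_TIME")
    elif last_seen_tagger_time is not None and ts < last_seen_tagger_time:
        problems.append("TAGGER_TIME_WENT_BACKWARDS")
    return problems
```

In use, the tag object text comes from `git cat-file -p <ref>` and the status lines from `git verify-tag --raw <ref>`; `last_seen_tagger_time` is whatever the previous successful check recorded for that ref.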
