Re: How safe are signed git tags? Only as safe as SHA-1 or somehow safer?
64 views
Skip to first unread message
Mike Gerwitz
Nov 4, 2014, 2:19:55 AM11/4/14
to Patrick Schleizer, qubes...@googlegroups.com, Patrick Schleizer, Whonix-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, Nov 03, 2014 at 09:08:53 +0000, Patrick Schleizer wrote:
> Linus Torvalds said: [1]
>
>> Git uses SHA-1 not for security
>
> And goes on.
>
>> The security parts are elsewhere
>
> Could you please elaborate on this? Where are the security parts? Can
> you please briefly explain how these work? Where can I read more about this?
This would be a better question for the git mailing list.
Afaik, the only "security" that existed at the time he wrote that would
have been GPG-signed tags (and today, the only additional would be
GPG-signed commits). But I could be mistaken.
> Wikipedia says. [2]
>
>> Nonetheless, without second preimage resistance [3] of SHA-1 signed
> commits and tags would no longer secure the state of the repository as
> they only sign the root of a Merkle tree [4].
Correct.
> Which contradicts what Linus Torvalds said. What does that mean for
> security? Which statement is true?
My assumption is that he relies (or relied) upon the integrity of
SHA-1. As I mentioned in the Horror Story, he mentioned that he need
only remember the SHA-1 of the tip of his branch to rest assured that
the copy of a repository is identical to his own.[0] But it'd be worth
asking him or someone on the mailing list.
> If (!) I understand Mike Gerwitz ([...] GNU [...]) 's opinion, his
> opinion is, that for best security each and every commit should be
> signed for best possible git verification security.
> [...]
> - Verbose reply by Mike Gerwitz to my question. [8]
Sure, but I don't sign every commit personally in practice. I won't
repeat what I said in [8] here, though.
[0] http://mikegerwitz.com/papers/git-horror-story
> [8] https://www.whonix.org/forum/index.php/topic,538.msg4278.html#msg4278
- --
Mike Gerwitz
Free Software Hacker | GNU Maintainer
http://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBAgAGBQJUWElwAAoJEPIruBWO4w6rWRUP+wf+682zVuurUuBujnLcupwF
WH/pkwX19+B6mXf2ZFEavrid/m0SszpGcZsjgi8CSsmS44W3OawcF3WMaXf8It6A
oSsSOvk7lfC9cezLtVqkmR2g5dWoFAVkbK8JHIeizqLgkQQ7Q93yg4EfL9hqx79b
AeO57SUWHyVN8CEqS37e1SXzenkLm/FujMNbn9NajzjgCdD7xsp6iZwos8684abf
hqo4HWHyKbHUQbnIe9cqP+3yIDm/pWpP57UvFng7rzleHcIMrqKAn5OYg1fVjQ3i
GAbsfoeNmDfjgtCYdrdTiEv2wAMu399hHTTaBr3sMpo1P9Yq4NP2K2DapYJJZWiF
d3gagUvzCKBQVmu5FH9nV84UrF7j77E0rThB1Ae8s+hov3KfBSWn7qkZeEGIXXyq
vFXKOdT09moTGlx87Sp/L65CB+42B7NbSzz3Z05hhUQFxRni7ZOESr8ax3td9DrG
vPrCLD4QHorhrD9ZISafaZWFiGSs7opYSa5VwO5QkijxpvCy+9bJu2ArrBF1H3xb
8c8uQI2buhO84Md0bAeKY6qUaaChRcRNGBoNwpteieWmtE202uUBwpvA99oBLM0N
cifU1GVZ3r5px64Wq8mr/EbSrCnc2tmYEuUzByg/wwPqTpgND7M9LAndmjW4cG3+
N/rgLa389561dRmiPOQK
=7/lr
-----END PGP SIGNATURE-----
Hash: SHA1
On Mon, Nov 03, 2014 at 09:08:53 +0000, Patrick Schleizer wrote:
> Linus Torvalds said: [1]
>
>> Git uses SHA-1 not for security
>
> And goes on.
>
>> The security parts are elsewhere
>
> Could you please elaborate on this? Where are the security parts? Can
> you please briefly explain how these work? Where can I read more about this?
This would be a better question for the git mailing list.
Afaik, the only "security" that existed at the time he wrote that would
have been GPG-signed tags (and today, the only additional would be
GPG-signed commits). But I could be mistaken.
> Wikipedia says. [2]
>
>> Nonetheless, without second preimage resistance [3] of SHA-1 signed
> commits and tags would no longer secure the state of the repository as
> they only sign the root of a Merkle tree [4].
Correct.
> Which contradicts what Linus Torvalds said. What does that mean for
> security? Which statement is true?
My assumption is that he relies (or relied) upon the integrity of
SHA-1. As I mentioned in the Horror Story, he mentioned that he need
only remember the SHA-1 of the tip of his branch to rest assured that
the copy of a repository is identical to his own.[0] But it'd be worth
asking him or someone on the mailing list.
> If (!) I understand Mike Gerwitz ([...] GNU [...]) 's opinion, his
> opinion is, that for best security each and every commit should be
> signed for best possible git verification security.
> [...]
> - Verbose reply by Mike Gerwitz to my question. [8]
Sure, but I don't sign every commit personally in practice. I won't
repeat what I said in [8] here, though.
[0] http://mikegerwitz.com/papers/git-horror-story
> [8] https://www.whonix.org/forum/index.php/topic,538.msg4278.html#msg4278
- --
Mike Gerwitz
Free Software Hacker | GNU Maintainer
http://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBAgAGBQJUWElwAAoJEPIruBWO4w6rWRUP+wf+682zVuurUuBujnLcupwF
WH/pkwX19+B6mXf2ZFEavrid/m0SszpGcZsjgi8CSsmS44W3OawcF3WMaXf8It6A
oSsSOvk7lfC9cezLtVqkmR2g5dWoFAVkbK8JHIeizqLgkQQ7Q93yg4EfL9hqx79b
AeO57SUWHyVN8CEqS37e1SXzenkLm/FujMNbn9NajzjgCdD7xsp6iZwos8684abf
hqo4HWHyKbHUQbnIe9cqP+3yIDm/pWpP57UvFng7rzleHcIMrqKAn5OYg1fVjQ3i
GAbsfoeNmDfjgtCYdrdTiEv2wAMu399hHTTaBr3sMpo1P9Yq4NP2K2DapYJJZWiF
d3gagUvzCKBQVmu5FH9nV84UrF7j77E0rThB1Ae8s+hov3KfBSWn7qkZeEGIXXyq
vFXKOdT09moTGlx87Sp/L65CB+42B7NbSzz3Z05hhUQFxRni7ZOESr8ax3td9DrG
vPrCLD4QHorhrD9ZISafaZWFiGSs7opYSa5VwO5QkijxpvCy+9bJu2ArrBF1H3xb
8c8uQI2buhO84Md0bAeKY6qUaaChRcRNGBoNwpteieWmtE202uUBwpvA99oBLM0N
cifU1GVZ3r5px64Wq8mr/EbSrCnc2tmYEuUzByg/wwPqTpgND7M9LAndmjW4cG3+
N/rgLa389561dRmiPOQK
=7/lr
-----END PGP SIGNATURE-----
Patrick Schleizer
Nov 4, 2014, 4:00:30 AM11/4/14
to qubes...@googlegroups.com, Patrick Schleizer, Whonix-devel, mikeg...@gnu.org
Hi!
How safe are signed git tags? Especially because git uses SHA-1. There
is contradictory information around.
So if one verifies a git tag (`git tag -v tagname`), then `checksout`s
the tag, and checks that `git status` reports no untracked/modified
files, without further manually auditing the code, how secure is this
actually? Is it only as safe as SHA-1?
Let's assume an adversary, that is capable of producing SHA-1 collisions.
Linus Torvalds said: [1]
> Git uses SHA-1 not for security
And goes on.
> The security parts are elsewhere
Could you please elaborate on this? Where are the security parts? Can
you please briefly explain how these work? Where can I read more about this?
but for ensuring that the data has not changed due to accidental
corruption. Linus Torvalds has said, "If you have disk corruption, if
you have DRAM corruption, if you have any kind of problems at all, Git
will notice them. It's not a question of if, it's a guarantee. You can
have people who try to be malicious. They won't succeed. [...] Nobody
has been able to break SHA-1, but the point is the SHA-1, as far as Git
is concerned, isn't even a security feature. It's purely a consistency
check. The security parts are elsewhere, so a lot of people assume that
since Git uses SHA-1 and SHA-1 is used for cryptographically secure
stuff, they think that, OK, it's a huge security feature. It has nothing
at all to do with security, it's just the best hash you can get. [...] I
guarantee you, if you put your data in Git, you can trust the fact that
five years later, after it was converted from your hard disk to DVD to
whatever new technology and you copied it along, five years later you
can verify that the data you get back out is the exact same data you put
in. [...] One of the reasons I care is for the kernel, we had a break in
on one of the BitKeeper sites where people tried to corrupt the kernel
source code repositories." [6]
If (!) I understand Mike Gerwitz ([...] GNU [...]) 's opinion, his
opinion is, that for best security each and every commit should be
signed for best possible git verification security.
See also:
- Mike Gerwitz's "A Git Horror Story: Repository Integrity With Signed
Commits" [7]
- Verbose reply by Mike Gerwitz to my question. [8]
- Similar question on security stackexchange. [9] Quote: "Nevertheless,
If somebody managed to find a way how to find SHA1 collisions easily,
then git would have much bigger problem."
Cheers,
Patrick
[1] https://www.youtube.com/watch?v=4XpnKHJAok8&t=56m20s
[2] https://en.wikipedia.org/wiki/SHA-1#Data_integrity
[3] https://en.wikipedia.org/wiki/Second_preimage_resistance
[4] https://en.wikipedia.org/wiki/Merkle_tree
[5] https://www.youtube.com/watch?v=4XpnKHJAok8&t=56m20s
[6] https://en.wikipedia.org/wiki/SHA-1#Data_integrity
[7] http://mikegerwitz.com/papers/git-horror-story
[8] https://www.whonix.org/forum/index.php/topic,538.msg4278.html#msg4278
[9]
https://security.stackexchange.com/questions/67920/how-safe-are-signed-git-tags-only-as-safe-as-sha-1-or-somehow-safer
How safe are signed git tags? Especially because git uses SHA-1. There
is contradictory information around.
So if one verifies a git tag (`git tag -v tagname`), then `checksout`s
the tag, and checks that `git status` reports no untracked/modified
files, without further manually auditing the code, how secure is this
actually? Is it only as safe as SHA-1?
Let's assume an adversary, that is capable of producing SHA-1 collisions.
Linus Torvalds said: [1]
> Git uses SHA-1 not for security
And goes on.
> The security parts are elsewhere
Could you please elaborate on this? Where are the security parts? Can
you please briefly explain how these work? Where can I read more about this?
Wikipedia says. [2]
> Nonetheless, without second preimage resistance [3] of SHA-1 signed
commits and tags would no longer secure the state of the repository as
they only sign the root of a Merkle tree [4].
> Nonetheless, without second preimage resistance [3] of SHA-1 signed
commits and tags would no longer secure the state of the repository as
they only sign the root of a Merkle tree [4].
Which contradicts what Linus Torvalds said. What does that mean for
security? Which statement is true?
> "The source control management system Git uses SHA-1 not for security
security? Which statement is true?
but for ensuring that the data has not changed due to accidental
corruption. Linus Torvalds has said, "If you have disk corruption, if
you have DRAM corruption, if you have any kind of problems at all, Git
will notice them. It's not a question of if, it's a guarantee. You can
have people who try to be malicious. They won't succeed. [...] Nobody
has been able to break SHA-1, but the point is the SHA-1, as far as Git
is concerned, isn't even a security feature. It's purely a consistency
check. The security parts are elsewhere, so a lot of people assume that
since Git uses SHA-1 and SHA-1 is used for cryptographically secure
stuff, they think that, OK, it's a huge security feature. It has nothing
at all to do with security, it's just the best hash you can get. [...] I
guarantee you, if you put your data in Git, you can trust the fact that
five years later, after it was converted from your hard disk to DVD to
whatever new technology and you copied it along, five years later you
can verify that the data you get back out is the exact same data you put
in. [...] One of the reasons I care is for the kernel, we had a break in
on one of the BitKeeper sites where people tried to corrupt the kernel
source code repositories." [6]
If (!) I understand Mike Gerwitz ([...] GNU [...]) 's opinion, his
opinion is, that for best security each and every commit should be
signed for best possible git verification security.
- Mike Gerwitz's "A Git Horror Story: Repository Integrity With Signed
Commits" [7]
- Verbose reply by Mike Gerwitz to my question. [8]
If somebody managed to find a way how to find SHA1 collisions easily,
then git would have much bigger problem."
Cheers,
Patrick
[1] https://www.youtube.com/watch?v=4XpnKHJAok8&t=56m20s
[2] https://en.wikipedia.org/wiki/SHA-1#Data_integrity
[3] https://en.wikipedia.org/wiki/Second_preimage_resistance
[4] https://en.wikipedia.org/wiki/Merkle_tree
[5] https://www.youtube.com/watch?v=4XpnKHJAok8&t=56m20s
[6] https://en.wikipedia.org/wiki/SHA-1#Data_integrity
[7] http://mikegerwitz.com/papers/git-horror-story
[8] https://www.whonix.org/forum/index.php/topic,538.msg4278.html#msg4278
[9]
https://security.stackexchange.com/questions/67920/how-safe-are-signed-git-tags-only-as-safe-as-sha-1-or-somehow-safer
Alex Dubois
Nov 4, 2014, 4:08:49 PM11/4/14
to Patrick Schleizer, qubes...@googlegroups.com, Patrick Schleizer, Whonix-devel, mikeg...@gnu.org
Sent from my iPhone
>
> See also:
>
> - Mike Gerwitz's "A Git Horror Story: Repository Integrity With Signed
> Commits" [7]
>
> - Verbose reply by Mike Gerwitz to my question. [8]
>
> - Similar question on security stackexchange. [9] Quote: "Nevertheless,
> If somebody managed to find a way how to find SHA1 collisions easily,
> then git would have much bigger problem."
>
> Cheers,
> Patrick
>
> [1] https://www.youtube.com/watch?v=4XpnKHJAok8&t=56m20s
> [2] https://en.wikipedia.org/wiki/SHA-1#Data_integrity
> [3] https://en.wikipedia.org/wiki/Second_preimage_resistance
> [4] https://en.wikipedia.org/wiki/Merkle_tree
> [5] https://www.youtube.com/watch?v=4XpnKHJAok8&t=56m20s
> [6] https://en.wikipedia.org/wiki/SHA-1#Data_integrity
> [7] http://mikegerwitz.com/papers/git-horror-story
> [8] https://www.whonix.org/forum/index.php/topic,538.msg4278.html#msg4278
> [9]
> https://security.stackexchange.com/questions/67920/how-safe-are-signed-git-tags-only-as-safe-as-sha-1-or-somehow-safer
>
> You received this message because you are subscribed to the Google Groups "qubes-devel" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel...@googlegroups.com.
> To post to this group, send email to qubes...@googlegroups.com.
> Visit this group at http://groups.google.com/group/qubes-devel.
> For more options, visit https://groups.google.com/d/optout.
Mike Gerwitz
Nov 24, 2014, 4:25:36 PM11/24/14
to Patrick Schleizer, qubes...@googlegroups.com, Patrick Schleizer, Whonix-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Here's information from the README of the first Git commit:
Hash: SHA1
https://github.com/git/git/commit/e83c51633#95 (of Git itself). It
restates what has already been discussed, but it's a direct reference.
x2/NMUeAxz9KGSN7Sf9haMiF6WFp4umYMZ8rRAXWmGv0O6PFkK6Vhw37kPeJtR34
WriZdE66CoeWWZyXDiaRXqS1dLkFlQ15SAI9STZGnMEHoSUX3xhKNlZFTGhRn2aH
temHo3GSbzAPDpYUqOhfl8pXFnO6vtpIG24Jwtd0UG3erLrc+H0FYeW39EkZKsm6
OcDbxlIxHiXY6ZcFtxo1xBwgycJDR06nM7/PziMkI4yFSOLYs7BvRSM4bXZO+E17
/wEJRauwg+7XKSuqCa6mWWeWBluCdh1AUFHBWG9Ip2/OT008KfZfJ6FLRBLJ34/N
qFst+Rk4mfDLYwqfaDDyWOmFyNNkQXhQ3RsSx8lXWt8Ilk7+KnacT5gWV7rH+r8s
1RLESmkb9ng8ypoG3UlUS7j4e5HBb6dwFKVHafJUapM6/zlClxTFWCaeJCCXtCNA
CJOFpv6OAtuBe6o0nX0Tb6bZ2CVjB/QPSAlItMJfSEAQAPR4X0oZe6U9iFt19aHM
14dKqbjSDxodXUYqaGUywgTFb8cQuY50Zgxv0wRX1dLG6Xyfb6y19IfiICpTTjg3
G+yC++hPwXovBPOrNIqLIPQaB86r67TP/ACcB+rBQURs29Cn38y2x20XbC2tertd
EgQ0eSaNA38/QqcuFaAr
=qt3p
-----END PGP SIGNATURE-----
Patrick Schleizer
Nov 25, 2014, 9:25:51 AM11/25/14
to qubes...@googlegroups.com, Patrick Schleizer, Whonix-devel, mikeg...@gnu.org
Summary:
We're hosed.
- Looks like signed git tags are only as safe as SHA-1 + [...] for git
cloners.
- They're aware of the issue.
- Probably no one will be working on it anytime soon.
- They disagree on the security (weakness) of SHA-1.
- They'd welcome patches.
Source, asked on the git mailing list:
http://www.mail-archive.com/g...@vger.kernel.org/msg61087.html
We're hosed.
- Looks like signed git tags are only as safe as SHA-1 + [...] for git
cloners.
- They're aware of the issue.
- Probably no one will be working on it anytime soon.
- They disagree on the security (weakness) of SHA-1.
- They'd welcome patches.
Source, asked on the git mailing list:
http://www.mail-archive.com/g...@vger.kernel.org/msg61087.html
Reply all
Reply to author
Forward
0 new messages