Bastian Blank wrote:
The git object checksums don't suffice anymore due to SHA1. And as the world moves towards SHA3, it will need to have the ability to follow.
Ian Jackson wrote:
> The git signed tag object has a signature which is verifiable without
> relying on the git object hash system. The tag text directly contains the source package name, and version, and intended upload target.
A git tag is internally similar to an SHA1-only .dsc or .changes, in that it uses a hash to specify what the actual repository contents should be: verifying the tag signature without using the hash only tells you that an authorized person tried to upload *something*, not whether it was the same content as is currently in Salsa.
Do you now intend to add an SHA-256 hash, or is one of us mistaken?

$ git cat-file tag debian/1.3.2-6
object 6a899bec4829cd941b65f9ddc2d4f6ef5468b972
type commit
tag debian/1.3.2-6
tagger Rebecca N. Palmer <[email protected]> 1549574096 +0000

beignet Debian release 1.3.2-6
[signature deleted]

Bastian Blank wrote:
The output of all operations obviously needs to be reproducible to be signed.
Other parties could re-run the tag2upload transformation to verify it, but this would require reading from Salsa as well as the archive.
I agree that any re-signing form of tag2upload is highly security-critical code, and should be held to our standards for such. (I don't know what those standards are.)
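To make the point about what a tag signature does and does not bind concrete, here is an added example (not code from the thread or from tag2upload) that parses a git tag object in the form `git cat-file tag` prints it: it separates the signed payload from the appended signature block, extracts the header fields, and classifies the referenced object id by hash algorithm. The sample tag and its tagger address are constructed, and the signature block is a placeholder rather than a real OpenPGP signature.

```python
import re

# Constructed sample modelled on the `git cat-file tag` output quoted above;
# the signature block is a placeholder, not a real OpenPGP signature.
SAMPLE_TAG = (
    "object 6a899bec4829cd941b65f9ddc2d4f6ef5468b972\n"
    "type commit\n"
    "tag debian/1.3.2-6\n"
    "tagger Rebecca N. Palmer <tagger@example.invalid> 1549574096 +0000\n"
    "\n"
    "beignet Debian release 1.3.2-6\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "placeholder-signature-data\n"
    "-----END PGP SIGNATURE-----\n"
)
SIG_START = "-----BEGIN PGP SIGNATURE-----\n"

def split_signed_payload(raw):
    """git signs everything before the signature block: the header
    (including the object id) and the message, but not the block itself."""
    idx = raw.find(SIG_START)
    return (raw, None) if idx < 0 else (raw[:idx], raw[idx:])

def parse_tag(payload):
    """Split the signed payload into header fields plus the message."""
    header, _, message = payload.partition("\n\n")
    fields = dict(line.partition(" ")[::2] for line in header.splitlines())
    fields["message"] = message
    return fields

def hash_algorithm(object_id):
    """40 hex digits is a SHA-1 object id, 64 is SHA-256 (git's newer
    object format); anything else is malformed."""
    if re.fullmatch(r"[0-9a-f]{40}", object_id):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{64}", object_id):
        return "sha256"
    raise ValueError("unrecognised object id: %r" % object_id)

def content_binding(raw):
    """What a verified signature attests directly (tag name, tagger,
    message) versus what it binds only through the object hash."""
    payload, signature = split_signed_payload(raw)
    tag = parse_tag(payload)
    return {
        "signed": signature is not None,
        "tag": tag["tag"],
        "tagger": tag["tagger"],
        "object": tag["object"],
        "object_hash": hash_algorithm(tag["object"]),
    }
```

The `object` field is inside the signed payload, so a valid signature proves the tagger vouched for that object id; whether that id uniquely identifies the tree depends entirely on the strength of the hash named in `object_hash`.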