Home

Awesome

git-sign: sign files in Git repositories securely

While Git supports signing via git tag -s (or git tag -u), those are signing SHA-1 hashes only as of today, hence a bit insecure given that SHA-1 collisions aren't very expensive (about $75k according to recent news; a SHA-1 collision still doesn't allow to MITM directly (pre-image attack would be needed), but given the right circumstances could still make attacks easier).

git-sign is a wrapper that adds SHA-256 hashes of all files to the tag message. git-sign then runs git tag -s to create a normal signed git tag that just happens to also contain SHA-256 hash sums in plain text. For an example tag message, see the git-sign v1 tag (or run git clone https://github.com/pflanze/git-sign; cd git-sign; git cat-file -p v1). Since the tag message is part of what the PGP signature signs, it cannot be altered, assuming a recent enough PGP/GnuPG key. The SHA-256 hashes in the tag message (as well as the number of files) can then be verified to be the same as those checked out by Git. Hence, content verification does not depend on Git hashes.

verify-sig does all of the verification steps of a git tag (it also verifies that the PGP signature itself does not use known to be insecure hashing algorithms).

The two programs are simple bash scripts so that you can verify their source code easily enough. Also, the signed tag messages mention the code that was run to generate them, hence the integrity can be verified manually, without even installing verify-sig, by running git tag -v $tagname then running the two code fragments and comparing the output (but note that unlike verify-sig, git tag -v does not (to my knowledge) verify what hash algorithm the PGP signature uses!)

Note that while this ensures that the checked-out files (in the working directory) are of identical number and content as those the author (signatory) had, the Git history might still have been subverted by an attacker. In other words, verify-sig will only give you assurance that the current checkout is fine, which is useful enough to make secure software releases by using Git tags (with git-sign), i.e. they can be built by users without risk, but it will not give assurance for working with the Git repo arbitrarily. Even the commits leading up to one that verify-sig confirmed as OK are not assured to be pristine. For this, Git itself has to move to a more secure hashing algorithm.

There are a couple additional utilities bundled with the repository:

Usage

Dependencies

Both scripts are relying on git and gpg, as well as sha256sum and various other utilities from the GNU core utilities (e.g. coreutils package on Debian), egrep from the GNU grep package, and perl. Except for git and gpg these should be available in the minimal install of standard Linux distributions.

Bugs

Only the contents of the files is verified, not their executable status. Also, symlinks are followed before hashing, which in the case of symlinks pointing outside the working directory will probably not be useful. Changing these would make the scripts considerably more complex, though.

See also