Git release tagging best practices

Peter Lebbing peter at digitalbrains.com
Tue Mar 19 19:09:25 CET 2019


On 19/03/2019 17:32, Daniel Kahn Gillmor wrote:
> PS Note that the *name* of the tag itself is not covered by the
>    cryptographic signature (it is possible to rename tags without
>    modifying their cryptographic validity).  This is why I recommend
>    using the tag message to contain this information rather than the tag
>    name itself.

Are you sure? I looked at what the exact data that is signed is, and it
seems to me it does include the name:

--8<---------------cut here---------------start------------->8---
$ cat .git/refs/tags/gnupg-2.2.13
baae95e8359ab45ff64414a8e8387997bb828a1b
$ git cat-file tag baae95e8359ab45ff64414a8e8387997bb828a1b
object 7922e2dd1c7eee48a8a2cf4799827942489ddd0f
type commit
tag gnupg-2.2.13
tagger Werner Koch <wk at gnupg.org> 1549985965 +0100

You may want to watch the Ellsberg/Chomsky discussion
at <https://riseuptimes.org/2018/04/25/daniel-ellsberg-and-noam-chomsky-discuss-nuclear-war/>
or at <https://theintercept.com/chomsky-ellsberg/>
-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEE2GkhI8QGXepeDzq1JJs50k8l47YFAlxi6SwACgkQJJs50k8l
47Zczwf/XGMMUCWnWsD+nVzmAYaBPp76/CBkG6qeZkvAVyFbhv9RGs4SRxp4rK1r
NT9tnjHyETIh/Yoc0uDgIdt2neaicc2LKrVgzMpsOKutFyKrH5hNsfCrMAu/NEC8
6AEFcRlS0WWgQTehiwVjCRf/hALYW1KjeL6HR2J1b58VAlABa78H+tY8Z+wFqFcf
XJgQ8gR1QtkMuLnGqlN/6sLjN0BKsBqMZvt/T9aljpH6RJuzTyIUjln1uDl43htj
sDGa7BZtmf7XiEjcX62NS6yDfuOyw0guDFkOvsIt3IBqtDWAxY7qc5do0CQjOU8t
BdrTflO5D1a9ZISgA+6wO/nJAIvFwA==
=F3BP
-----END PGP SIGNATURE-----
--8<---------------cut here---------------end--------------->8---

So let's split that into:

the-tag.txt:
--8<---------------cut here---------------start------------->8---
object 7922e2dd1c7eee48a8a2cf4799827942489ddd0f
type commit
tag gnupg-2.2.13
tagger Werner Koch <wk at gnupg.org> 1549985965 +0100

You may want to watch the Ellsberg/Chomsky discussion
at <https://riseuptimes.org/2018/04/25/daniel-ellsberg-and-noam-chomsky-discuss-nuclear-war/>
or at <https://theintercept.com/chomsky-ellsberg/>
--8<---------------cut here---------------end--------------->8---

the-tag.sig:
--8<---------------cut here---------------start------------->8---
-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEE2GkhI8QGXepeDzq1JJs50k8l47YFAlxi6SwACgkQJJs50k8l
47Zczwf/XGMMUCWnWsD+nVzmAYaBPp76/CBkG6qeZkvAVyFbhv9RGs4SRxp4rK1r
NT9tnjHyETIh/Yoc0uDgIdt2neaicc2LKrVgzMpsOKutFyKrH5hNsfCrMAu/NEC8
6AEFcRlS0WWgQTehiwVjCRf/hALYW1KjeL6HR2J1b58VAlABa78H+tY8Z+wFqFcf
XJgQ8gR1QtkMuLnGqlN/6sLjN0BKsBqMZvt/T9aljpH6RJuzTyIUjln1uDl43htj
sDGa7BZtmf7XiEjcX62NS6yDfuOyw0guDFkOvsIt3IBqtDWAxY7qc5do0CQjOU8t
BdrTflO5D1a9ZISgA+6wO/nJAIvFwA==
=F3BP
-----END PGP SIGNATURE-----
--8<---------------cut here---------------end--------------->8---

And presto:

--8<---------------cut here---------------start------------->8---
$ gpg --verify the-tag.{sig,txt}
gpg: Signature made Tue 12 Feb 2019 16:41:32 CET
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [full]
gpg: werner koch (dist sig): Verified [REDACTED]
--8<---------------cut here---------------end--------------->8---

Note that the third line of the signed data reads "tag gnupg-2.2.13". So
is there some loophole that means this is not useful?

I'm not saying that the first line of tag messages shouldn't be
standardized as you propose, I'm just debating the correctness of the
quoted assertion.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
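An added example, not part of the mail above, that performs the same split Peter did by hand: it separates `git cat-file tag` output into the signed payload and the detached signature, parses the signed headers, and compares the signed `tag` header against the ref name the tag was fetched under. The tag text is a constructed sample with a placeholder signature body; the function names are my own.

```python
# Constructed sample tag object: the headers mirror the ones shown in the
# thread, the signature body is a PLACEHOLDER, not a real signature.
SAMPLE_TAG = (
    "object 7922e2dd1c7eee48a8a2cf4799827942489ddd0f\n"
    "type commit\n"
    "tag gnupg-2.2.13\n"
    "tagger Werner Koch <wk at gnupg.org> 1549985965 +0100\n"
    "\n"
    "You may want to watch the Ellsberg/Chomsky discussion\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "PLACEHOLDERSIGNATUREBODYNOTAREALSIGNATURE==\n"
    "=XXXX\n"
    "-----END PGP SIGNATURE-----\n"
)

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----\n"


def split_tag_object(tag_object: str):
    """Split tag object text into (signed payload, armored signature or None).

    Git appends the ASCII-armored signature to the end of the tag object; the
    signed data is everything before the BEGIN line, which is why the
    'tag <name>' header line is covered by the signature.
    """
    idx = tag_object.find(SIG_BEGIN)
    if idx < 0:
        return tag_object, None  # unsigned tag: nothing to verify
    return tag_object[:idx], tag_object[idx:]


def parse_tag_headers(payload: str) -> dict:
    """Return the header lines (object/type/tag/tagger) of the signed payload."""
    headers = {}
    for line in payload.split("\n"):
        if line == "":
            break  # blank line ends the header block; the message follows
        key, _, value = line.partition(" ")
        headers[key] = value
    return headers


def ref_matches_signed_name(refname: str, payload: str) -> bool:
    """Check that the ref a tag lives under agrees with the signed tag name.

    A ref such as refs/tags/X can be renamed without touching the tag object,
    so a verifier that acts on the ref name should compare it with the 'tag'
    header inside the signed payload rather than trusting the ref alone.
    """
    prefix = "refs/tags/"
    name = refname[len(prefix):] if refname.startswith(prefix) else refname
    return parse_tag_headers(payload).get("tag") == name
```

Feed `split_tag_object` the output of `git cat-file tag <oid>` and write the two parts to files to reproduce the `gpg --verify the-tag.{sig,txt}` step from the mail.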
