Rich Freeman on 1 Jun 2015 10:02:50 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] SourceForge has Malware?

On Mon, Jun 1, 2015 at 11:15 AM, Thomas Delrue <> wrote:
> I'm a heavy Mercurial user which has a 'sign' feature: you can
> crypto-sign a commit - and therefore it plus all of it's ancestors - I
> think this enables a higher level of trustworthiness. This feature is
> used in the mercurial source code itself.
> While it does put the onus on the user to perform the validation, it is
> things like that may increase trustworthiness in source-based software
> distribution.
> I don't know if git (what all the 'cool' kids are using these days) has
> a similar feature. I'd be surprised if it doesn't but am looking at this
> community to inform me.
> If git has this feature, how extensively is it used for mainstream
> projects (I haven't seen anything like this in for instance the Linux
> Kernel repo) ?

On git all objects but tags are content-hashed, including commits.
This is only hashed using sha1, so it is potentially vulnerable, but
in practice I don't believe there are any known attacks against sha1
that don't involve chosen plaintext, which means the authors would
have to participate in any collision attack.  Of course, with ANY
source-management system you could do an MITM and accept commits from
the devs but present entirely different data to the average downloader
(changing the commit numbers, resigning with your own keys, etc), but
this would be pretty obvious if any of the developers looked at the
distributed code.  When they start getting bug reports referencing
commit IDs that don't exist in their own git repositories it would
become obvious that somebody is playing games with their distribution.

With git there has always been the ability to gpg-sign tags, which are
typically used to mark releases.  This is in fairly common use.  A
more recent feature is the ability to sign commits, and this is not in
such common use from what I've seen, but I do try to personally make
use of it.  Obviously any use of signatures is vulnerable to attacks
on the key distribution system.

I think the bottom line is that all the content hashing makes it
fairly difficult to tamper with sources stored in git.  Depending on
the level of vigilance of the project, it might be possible with great
difficulty.  If the project does use commit signing and decent PKI,
then tampering would be very difficult, though again with
collaboration with the authors it might be possible to abuse SHA1
collisions (since only an SHA1 hash joins the signature to the content
being signed).  Also, you lose some traceability to authors if
rebasing is used, since then you don't get a clear history from the
original author's commit to the rebase commit (rebasing changes
history, and thus requires re-signing of commits, likely not using the
original author's key).

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --