Rich Freeman via plug on 10 Jan 2020 06:13:29 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] exploit breaks SHA-1

On Fri, Jan 10, 2020 at 8:59 AM brent timothy saner via plug
<> wrote:
> - Git is not at risk, as SHA1 hashes are used to *identify* commits, not
> *verify the integrity* of them. GPG sign-offs are used for the latter.

While I realize Linus feels otherwise, this is incorrect.

GPG is used to verify the integrity of a commit record, but the commit
record that is signed doesn't contain the actual source code (either
the files or their revisions) - just metadata like
date/author/description/etc.  The commit record references the actual
source code via a tree reference, which is an SHA1 hash.

While technically you could argue that the SHA1 hash only "identifies"
the source code, the fact is that it is the only thing linking the
signature to the actual source code.

So, all you can be certain of in an SHA1-compromised world is that
some person committed SOMETHING on a particular date, and that he gave
it a particular description.  You can't know for sure WHAT they
actually committed - only that it had a particular sha1 hash.  That
would seem like a rather important detail.

That said, the git project apparently recognizes the problem (again,
Linus's claims notwithstanding), and are working on fixes.  I have no
idea how far along they are with it.

Also, the practical utility of this attack might be mitigated by
project workflows.  This isn't a preimage attack, so you need to stick
some random-looking cruft in a file to play games with it.  That said,
for some projects like hosting firmware blobs it might be easier to
do.  For projects that scrutinize every line in every new commit it
would be harder.

Footnote:  People might THINK that git stores a diff of what changed
in the hash, because a diff is displayed when they use git show.  A
git commit record doesn't contain any source code at all - any source
that shows up in git show is auto-generated.  For example, here is an
example of a signed commit record (generated with git show
--pretty=raw).  The signature applies to basically the text of the
proceeding record (with a little care you can copy/paste it into a
text file in the right format, and command-line gpg will verify it):

commit c1ec1a88e4a3d657040fe9ca336f9a446a4059bf
tree 3fbce6896d5f53e948b472c1013b704601705ba2
parent 4cadbd9fb1d51e57a5b1fb141d9b9a6151ce01dc
parent 26bf6dd6982f4a28a160af9749c6c5ee4269b120
author Repository mirror & CI <> 1578626739 +0000
committer Repository mirror & CI <> 1578626739 +0000
gpgsig -----BEGIN PGP SIGNATURE-----


    Merge updates from master

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --