Use EVTag for release tags #7579
Comments
|
cc @nodejs/release |
|
cc @nodejs/collaborators |
So entirely compatible with what we do now. @indutny has this got traction anywhere else? How early would we be in the early-adopter phase of this technique? I like that it has version numbers in it but I can imagine there's some evolution of this still to come. |
|
@rvagg I would say we are going to be very early adopters, good news is that (as you pointed out) this is completely compatible with default @cgwalters sorry for summoning you, but perhaps you have some information about companies/projects that use EVTag? Also cc @bnoordhuis |
|
Hmmm, seems interesting. @indutny Are signed commits similarly only signed with SHA-1? |
|
@indutny Just a suggestion but perhaps you can add tests that verify it generates the same SHA-512 as git-evtag for the same input. It would be a shame if the tools output incompatible tags because of e.g. differences in iteration order. |
|
@Fishrock123 yep, they are. |
|
I think it's clear this functionality should move into the git upstream (and have an implementation in libgit2 after) - without that happening I think it's difficult to build momentum, though it might be interesting to see if a pure node implementation will help. Mostly so far it's been my original project ostree, gnome-terminal and other random ones like libosinfo. |
|
@cgwalters thank you! Added all of the projects to my evtag-compliance tests: indutny/git-secure-tag@68a5087 cc @bnoordhuis |
I agree, FWIW. (I wanted to bring that up in my first comment but I forgot.) |
|
@bnoordhuis I can't agree more. Nevertheless, shipping it to a projects is the best way to make people consider merging it upstream. |
|
Right, I'm not disagreeing with that. |
|
@rvagg what should we do to move forward on this? Should it be documented for our release team? |
|
Opened #7603, please continue the discussion there. |
|
👍 |
`git-secure-tag` recursively constructs an SHA-512 digest out of the git tree, and puts the hash from the tree's root into the tag annotation. This hash provides better integrity guarantees than the default SHA-1 merkle tree that git uses. Fix: nodejs#7579
`git-secure-tag` recursively constructs an SHA-512 digest out of the git tree, and puts the hash from the tree's root into the tag annotation. This hash provides better integrity guarantees than the default SHA-1 merkle tree that git uses. Fix: #7579 PR-URL: #7603 Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Evan Lucas <evanlucas@me.com>
`git-secure-tag` recursively constructs an SHA-512 digest out of the git tree, and puts the hash from the tree's root into the tag annotation. This hash provides better integrity guarantees than the default SHA-1 merkle tree that git uses. Fix: #7579 PR-URL: #7603 Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Evan Lucas <evanlucas@me.com>
`git-secure-tag` recursively constructs an SHA-512 digest out of the git tree, and puts the hash from the tree's root into the tag annotation. This hash provides better integrity guarantees than the default SHA-1 merkle tree that git uses. Fix: #7579 PR-URL: #7603 Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Evan Lucas <evanlucas@me.com>
`git-secure-tag` recursively constructs an SHA-512 digest out of the git tree, and puts the hash from the tree's root into the tag annotation. This hash provides better integrity guarantees than the default SHA-1 merkle tree that git uses. Fix: #7579 PR-URL: #7603 Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Evan Lucas <evanlucas@me.com>
`git-secure-tag` recursively constructs an SHA-512 digest out of the git tree, and puts the hash from the tree's root into the tag annotation. This hash provides better integrity guarantees than the default SHA-1 merkle tree that git uses. Fix: #7579 PR-URL: #7603 Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Evan Lucas <evanlucas@me.com>
`git-secure-tag` recursively constructs an SHA-512 digest out of the git tree, and puts the hash from the tree's root into the tag annotation. This hash provides better integrity guarantees than the default SHA-1 merkle tree that git uses. Fix: #7579 PR-URL: #7603 Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Evan Lucas <evanlucas@me.com>
By default, git provides very loose security guarantees of signed tags. Only the tip of SHA-1 Merkle tree is used, and thus overall security is bound above with the complexity of SHA-1 collision attack.
At this time, SHA-1 is considered insecure, so there is not too much point in generating signed tags as they are, since it may be possible to present different source with the same tag hash if SHA-1 collisions will be found.
However, instead of removing signatures altogether (which we shouldn't do, at least because of the green "Verified" badges on github), I suggest that we should give a try to:
https://github.com/indutny/git-secure-tag
This is a pretty simple tool that builds a Merkle tree too, but with a stronger SHA-512 digest. It is a JS-only implementation of https://github.com/cgwalters/git-evtag , but still quite a fast one:
The text was updated successfully, but these errors were encountered: